Equifax has suffered a critical decline in public trust over the last few weeks after security breaches exposed the private data of about 143 million people. The company’s Twitter account is only making matters worse.
Equifax has set up a website, www.equifaxsecurity2017.com, to help customers learn whether they were affected by the breach. The site requires users to enter personal information. But since Sept. 9, a customer service representative, apparently named Tim, has responded to disgruntled customers on Twitter by pointing them to a fake site: www.securityequifax2017.com.
The company’s verified Twitter account sent out at least seven tweets with the bogus address. The tweets were finally deleted Wednesday afternoon, likely spurred by Twitter users like security researcher Tarah M. Wheeler discovering the gaffe.
Archiving this win for historical purposes pic.twitter.com/OSOU8a9I1p— SwiftOnSecurity (@SwiftOnSecurity) September 20, 2017
(Update, Sept. 20, 8 p.m.: Equifax told Slate in an emailed statement: "All posts using the wrong link have been taken down. To confirm, the correct website is https://www.equifaxsecurity2017.com. We apologize for the confusion.")
Luckily for customers, and the company itself, the fake website isn’t actually a phishing attempt. If you go to securityequifax2017.com, you’ll be greeted by a mock Equifax page that lampoons the company for choosing “an easily impersonated domain” for their website. Phishing scams often use slight misspellings and reordering of words in web addresses to snare potential victims.
Compare this to the actual site:
Nick Sweeting, the web developer who created the dummy website Sept. 8, messaged me over Twitter that it only took him 20 minutes to make the clone. “It's in everyone's interest to get Equifax to change this site to a reputable domain. … I can guarantee there are real malicious phishing versions already out there.”
Sweeting only found out Wednesday morning that Equifax had been tweeting out his site, which he claims has been visited 78,653 times as of noon Eastern on Wednesday.
Asked about his reaction to the blunder, he responded, “Honestly I'm not really surprised.”