Worried that your personal information may have been stolen in a data breach? Of course you are. Russian scammers offer just the solution: Free money!
The catch is that to get this free money, labeled as "compensation for the leakage of personal data," you'll have to provide the website of the "U.S. Trading Commission" — there is no such agency — with your name, address, credit-card number and Social Security number. (The site will even sell you a "temporary" SSN for the bargain price of only $9.) Of course, if you do, then your identity will almost certainly be stolen.
This phishing scam, unearthed by Kaspersky researchers, may seem laughably obvious to longtime readers of Tom's Guide. But it will still fool people who may not be tech-savvy or may not understand that U.S. government agencies prefer to do official business via U.S. mail.
And with the Equifax data-breach settlement currently in the news — your last day to sign up for a payment or an identity-protection subscription is next week — this scam is just on the edge of plausible.
Money for something
In a company blog post, Kaspersky's Tatyana Sidorina (opens in new tab) explained that this scam resides on a website claiming to represent the aforementioned U.S. Trading Commission and declares itself to be an "Official Personal Data Protection Fund."
The site mimics the color scheme and design of the real website of the Federal Trade Commission, which does take complaints of identity theft (opens in new tab) but doesn't compensate you in return. The bogus site even uses the FTC seal on some pages.
The most important part of the page, which does look better than many scam sites, is a big button labeled "CHECK MY DATA FOR LEAKS." If you click that, you'll be asked for your name and mobile phone number. (One field is labeled "lastname," a hint that native English speakers may not be behind this.)
The site doesn't really check anything at all. The Kaspersky researchers typed in the name "fghfgh fghfgh" and got data-breach "results" that were "prepared specifically for fghfgh fghfgh" and "verified by the executive officer Jamie Raskin."
In real life, Jamie Raskin (opens in new tab) is a Democratic congressman from the Eighth District of Maryland and a former law professor. The site seems to have stolen an image of Raskin's actual signature; underneath it is the abbreviation "(MD-08)".
Even better, the U.S. Trading Commission lists its address as "60-0 Pennsylvania Avenue, NW Washington, D.C." Google Maps tells us that's at the edge of the reflecting pool in front of the U.S. Capitol (opens in new tab).
But at the bottom of the page is what you've been waiting for: a number that tells you how much you're entitled to get in compensation for your data-breach woes. In the example Kaspersky provided, that figure was $2,567.
Do you want that money? Then you've got to pony up your SSN, to, um, verify your identity. To get the cash, you need to enter a valid credit-card number, along with the expiration date and CVV number printed on the card, plus your full name (again) and email address.
(We're not sure payment-card issuers actually can accept reverse charges from random sources. But again, this scam is aiming for people who might not know any better.)
How to avoid falling for this scam
In her blog post, Sidorina didn't explain how a potential victim might be lured to this phishing page. But there are so many different ways that narrowing it down may not matter.
You could get an email, perhaps even one that seemed to come from a friend, telling you that you could now be paid for past data breaches. You could see a similar post on Facebook, Instagram or Twitter. You could stumble across it in a search result. Or you could even receive spam text messages. In all cases, there would be a link to this fraudulent page.
Sidorina offered a few ways to avoid becoming a victim. First, there's the obvious one: If it sounds too good to be true, it probably is.
Second, she recommended verifying any site that promises undeserved riches. Type the name of the organization into a search engine. Do you get any exact results? If so, then does the website of that organization match the one you've been told is the right one?
Then there's one both she and we thought of: If you want to safely check whether your data has been exposed leaks and breaches, try the HaveIBeenPwned (opens in new tab) website set up by Australian security researcher Troy Hunt. The site will let you check an email address or a password -- but never both at the same time, for safety's sake.
Last, Kaspersky pitches its own Kaspersky antivirus software as a way to protect yourself from phishing scams. We highly recommend Kaspersky's software, but to be fair, we invite you to check out our full list of the best antivirus software.