FTC Warns of Equifax Scams: How to Spot Them

Don't fall for Equifax scams, the Federal Trade Commission (FTC) warned in an online posting yesterday (Sept. 14).

FTC headquarters in Washington, D.C. Credit: Carol M. Highsmith, Library of Congress/public domain

"Stop. Don’t tell them anything," the FTC advises anyone who gets a call purporting to be from Equifax regarding the credit-reporting agency's recently disclosed data breach. "It’s a scam. Equifax will not call you out of the blue."

We can add that Equifax won't email you either without prior action on your part, so don't respond to emailed messages that seem to come from the company. They may be phishing attempts or contain malware.

Scammers reaching out to you via phone or email regarding the Equifax breach will probably be after your financial accounts or personal information.

The real Equifax site to check whether you were affected by the breach (https://www.equifaxsecurity2017.com/potential-impact/) asks for your last name and the last six digits of your Social Security number, which would be valuable information for an identity thief, but not as much as he or she might want.

Scammers would probably ask for your full name, address, date of birth and full Social Security number, as well as credit-card numbers or driver's-license numbers. Put together, that's a highly valuable set of information, and no one should be asking for all of that, especially your Social Security number, either over the phone or online.

The scammers could have a caller ID or email address that appears to come from Equifax. Don't trust it. Both caller IDs and email addresses can easily be spoofed.

Some emailed messages pertaining to the Equifax breach may contain embedded files, such as Word documents, Excel spreadsheets, images or PDFs. Don't click on them, as they might be Trojan-horse files that secretly contain malware.

You could also get robocalls pertaining to the Equifax breach, notes the FTC. The agency's advice is to just hang up, and not to press a key to speak to an operator or have your name taken off a call list.

"If you respond by pressing any number," the FTC says, "it will probably just lead to more robocalls."

Equifax says it is sending snail-mail notifications to the 200,000 or so people who had their credit-card numbers stolen during the breach, as well as the 182,000 people whose information was part of stolen disputed-charges records.

All the other 143 million U.S. residents affected by the breach need to go to Equifax's dedicated breach website to check their status. Earlier this week, that site was delivering unreliable results. (Meanwhile, British and Canadian residents still have no way of knowing how many of them were affected by the breach.)

When you do check your breach status, make sure the website address really is https://www.equifaxsecurity2017.com/. Any other address may indicate a scam.

Paul Wagenseil
