Another day, another shocker for Equifax after it has emerged that the company has been mistakenly sending customers to a fake phishing site to check if their data was breached in the recent hack, which has exposed data belonging to 143 million people.
In response to the hack, Equifax made great play of the fact that it had created a website, equifaxsecurity2017.com, which would enable concerned customers to check if their data had been compromised by entering personal details into a form.
However, the company’s customer service team has been directing Twitter users to a different site, securityequifax2017.com, which was set up by security researcher Nick Sweeting to draw attention to the vulnerability of Equifax’s official site.
When accessing the fake website – which looks exactly like the official one – a warning appears saying “deceptive site ahead”.
Sweeting said he wanted to highlight the fact that the security site should have been hosted under equifax.com, as a separate domain “makes it ridiculously easy for scammers to come in and build clones”.
Ken Munro from the security firm Pen Test Partners told the BBC: “Clearly, the social media team has not been thoroughly briefed. That’s a massive faux-pas, they should not be pointing people to a website that is not the real one. They are lucky the person behind it was a well-intentioned security researcher, it could easily have been somebody harvesting credentials.”
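The mistake described above is the kind a simple pre-posting check catches: compare every link in a draft support reply against the domains the organisation actually controls, and flag names that merely reorder the official name's words (as securityequifax2017.com does with equifaxsecurity2017.com). The following is an added illustration written for this article, not tooling from Equifax or from Nick Sweeting; the allowlist, the verdict labels, the last-two-labels domain heuristic and the sample reply text are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Domains the organisation controls. The two names come from the article; treating
# them as the complete allowlist is an assumption for this example.
OFFICIAL_DOMAINS = {"equifax.com", "equifaxsecurity2017.com"}
BRAND = "equifax"


def registrable_domain(url: str) -> str:
    """Return the last two labels of the host.

    Simplification: no public-suffix list, so 'co.uk'-style hosts are not handled.
    """
    if "//" not in url:
        url = "//" + url  # urlsplit only sees a host after a scheme or '//'
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def tokens(label: str) -> list:
    """Split a domain label into digit runs and words, isolating the brand name.

    'securityequifax2017' -> ['security', 'equifax', '2017']
    """
    out = []
    for chunk in re.findall(r"[a-z]+|\d+", label):
        out.extend(piece for piece in re.split(f"({BRAND})", chunk) if piece)
    return out


def classify_domain(domain: str) -> str:
    """Verdict for one registrable domain (labels are this example's own)."""
    if domain in OFFICIAL_DOMAINS:
        return "official"
    label = domain.split(".")[0]
    if BRAND not in label:
        return "unrelated"
    for official in OFFICIAL_DOMAINS:
        official_label = official.split(".")[0]
        if official_label == label:
            return "lookalike-other-suffix"  # same name, different TLD
        if sorted(tokens(official_label)) == sorted(tokens(label)):
            return "lookalike-token-swap"  # official words, reordered
    return "lookalike-brand-in-name"


# Matches full URLs or bare domains such as 'securityequifax2017.com'.
URL_RE = re.compile(r"https?://\S+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def audit_message(text: str) -> list:
    """Return (link, verdict) for every link found in a draft support message."""
    results = []
    for match in URL_RE.finditer(text):
        link = match.group(0).rstrip(".,;:)")  # drop trailing punctuation
        results.append((link, classify_domain(registrable_domain(link))))
    return results


if __name__ == "__main__":
    # Constructed draft reply for demonstration; not the actual tweet.
    draft = "For more information please visit: securityequifax2017.com"
    for link, verdict in audit_message(draft):
        print(f"{link}: {verdict}")
```

Anything other than `official` should block the reply from going out; a `lookalike-token-swap` verdict in particular is the signature of a clone built from the real name's parts, which is exactly what a single domain under equifax.com would have made unnecessary.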