Equifax has been accidentally sending hack victims to phishing sites

If you’re feeling lost and confused following news of Equifax’s recent data breach, don’t worry: not even Equifax’s own customer service knows what’s going on. Twitter customer service agents have been redirecting customers to a fake phishing site, not run by Equifax and with zero relation to the company.

Agents are only doing this because Equifax’s site with information about the hack isn’t good to begin with. It made a website at equifaxsecurity2017.com to tell customers about the breach. But that URL isn’t memorable and is easily confused with something else — say, for example, securityequifax2017.com. So a web developer made a lookalike website at that similar address, with the intention of showing Equifax the error of its ways.

It didn’t work out exactly like he imagined.

Rather than recognize the potential security risk, one of Equifax’s Twitter agents has instead spent the last two weeks sending customers to the fake website. Gizmodo found eight tweets with the fake URL, dating back to September 9.

The danger of a fake website is obvious: it could easily ask victims for identifying information, under the guise of working out if they were part of the breach or not. With no easy way to verify that the website is actually made by Equifax, customers are left oblivious. It was a bad idea to use a standalone website to begin with; tweeting out links to a fake website just makes things worse for the company.