Equifax Settlement: Don’t get phished by scammers
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Equifax Settlement: Don’t get phished by scammers

The Equifax Settlement Website is easily spoofed, and it’s already happening.

The Equifax Data Breach resulted in the credit bureau agreeing to a $650-700-million settlement. Those affected had a choice between free credit monitoring or a $125 payment.

Unfortunately, the internet is full of cretins, some of whom have decided to re-target the victims of the Equifax data breach by creating phishing sites that dupe Equifax’s settlement page. And while that’s incredibly repugnant, it’s also – unfortunately – going to be pretty effective, too.

Not that the real website made it too difficult.

So, today we’re going to talk a little bit about the Equifax settlement, how to file your claim and what to look out for.

Let’s hash it out.

Pony up, Equifax

This data breach has been disastrous for Equifax. Not only was it breached, but an expired certificate prevented Equifax from discovering the attack for 76 days. It’s already cost hundreds of millions of dollars – and that figure could balloon into the billions – in addition to causing Equifax to have its credit rating reduced. There’s an irony to that, but the time for dunking on Equifax is probably over. It’s paying handsomely for its mistakes now.

Equifax Settlement

Case in point, that massive settlement Equifax agreed to a couple weeks ago. Customers were given a choice between free credit monitoring or $125. And considering what Equifax does, and who it keeps the closest tabs on, a lot of the victims already know their credit is messed up so that $125 sounds pretty good. Frankly, if my information was ever used for financial fraud my credit score would probably actually improve – so, gimme that check.

Anyway, Equifax has set up a website where people can file their claims and enterprising criminals have already spoofed it, attempting to re-victimize these people. And here’s the problem, people are going to come out of the woodwork to claim their part of this settlement – many of whom are not especially adept at the internet. I’m speaking specifically about the elderly (and troglodytes – there’s likely some overlap there). These people make great marks. And that’s exactly what these criminals are looking for.

Yesterday Indiana Attorney General Curtis Hill warned the Hoosier state about this exact thing:

“Anyone seeking to file claims at the new settlement website must absolutely make certain they are on the correct site,” Attorney General Hill said. “Verify that you have received the proper website address from a trusted source such as the FTC. If you are typing the URL manually, be careful to enter the website address correctly.”

How to avoid getting phished when filing your Equifax claim

Let’s start with first things first. Equifax is making all of its notifications via snail mail. Which is quaint, but also fairly convenient because it means any email you receive from “Equifax” is a phishing scam. Period.


So if you get an email that looks like this (courtesy of the San Diego Consumer Action Network):

It’s fake.

Do not fall for this. Now let’s talk about the page itself, because this is the epitome of how NOT to assert the proper identity – and it couldn’t happen in a more critical situation.

This is what the Equifax settlement page looks like:

Let’s start with the URL, which is descriptive but also feels a little phishy. It really wouldn’t be all that hard to register a similar domain name and fool people. I’m not sure why this wasn’t hosted on Equifax’s actual site or on the FTC website, both of which would assert sufficient identity. Instead, this website is run by the settlement administrator. That might be standard practice (excuse me, I left my JD at home), but it also serves as a potential point of confusion. Who is JND? How do I know they’re ACTUALLY the settlement administrator?

Considering the people visiting this website have just had their data stolen, you’d think they’d put more effort into making sure those people know they’re on the right website.

This would have been a perfect place for Extended Validation SSL

Extended Validation SSL certificates were designed explicitly to assert the maximum amount of identity. Using one adds a layer of assurance. When internet users arrive at a website they see the name of the organization running the website displayed prominently next to their browser’s address bar.

This would have been a perfect place for an EV SSL certificate.

Now, I know you may be saying, “Equifax isn’t running this site, what good would EV do?”

Just by virtue of its presence it adds an air of legitimacy to a website. No phishing website is going to be able to slap an EV certificate on itself. And if someone has questions about who this entity is, EV provides a starting point for that investigation – that’s far easier than being forced to try and find information in the footer or click through a privacy policy. This is information as verified by a CA. That inspires confidence.

This does not:

In fact, this does the opposite of inspiring confidence, it inspires doubt. This website – of all websites – needs to take every possible measure to assert its identity and inspire confidence in a group of people that should already be skeptical after having their data stolen.

So, while there are criminals actively making spoof websites and phishing Equifax victims, the actual Equifax settlement site is making next to zero effort to make the endeavor more difficult for said criminals.

That’s why we’re going to take a minute to show you how you can SAFELY file your Equifax claim.

How to file your Equifax claim and not get phished

Let’s start out with the best way to get to the website, normally they say to just type the URL in yourself, but with a URL like this there’s always the possibility of typo squatters, so let’s go through the FTC:

Step One: Head to the FTC website. Click on the link that says: File a Claim.

The website will warn you on the way out that you’re heading to a new domain, nothing to worry about, it will redirect you in a few seconds.

Step Two: Check your eligibility

Not everyone is eligible to file a claim. As much as you may want to, if you’re not eligible it means your information wasn’t compromised, which is ultimately a good thing. In the header, click on “I would like to…” and select the top option, “See if my information was impacted by the 2017 data breach.” Once there, enter your information.

Step Three: Start your Equifax claim

If you’re eligible, the page will indicate it and display a button that lets you start filing your claim. It will take you to a page where you’ll need to supply:

  • Full name
  • Address
  • Phone Number
  • Email Address
  • Year of Birth

Step Four: Choose between credit monitoring and $125

This part is pretty self-explanatory, it tries to direct you towards the credit monitoring but the decision is really yours.

Step Five: Enter any additional time spent dealing with the Equifax breach

If you spent time dealing with the fallout from the data breach you can collect a lot more than just the $125. You’re allowed to claim you spent up to 20 hours dealing with it at a rate of $25 per hour. For less than 10 hours you simply need to list the measures you took. Over 10 hours requires actual documentation.

Step Six: Enter any expenses incurred as a result of the Equifax Data Breach

Like time spent, you can also recoup money lost as a result of the Equifax breach. This will require full documentation of expenses but you can claim up to $20,000 dollars.

Step Seven: Choose how you’d like to be paid

You can have a check mailed to you or receive a pre-paid card. Personally, I’d have preferred a briefcase full of money but $125 doesn’t look very impressive in, nor would it likely even cover the expense of, the briefcase. So check or card it is.

Step Eight: Submit your claim and save your claim number

Once you’ve finished filling everything out, you may want to double-check that all the information provided is accurate, then click “Submit.” You’ll be taken to a page that notifies you the claim has been processed. It will also include a confirmation number. Save that number. Either print the page or take a screenshot or etch it into your skin like Guy Pearce in Memento. Just make sure you save it, lest you need it later.

You have until January 22, 2020 to file your claim, so there’s time. But, it’s also possible the money could run out before then, too.

Just remember, the longer you wait the more time you give criminals to try to spoof what is already a very spoofable site in order to dupe you.

So be vigilant.

As always, leave any comments or questions below…

Hashed Out by The SSL Store is the voice of record in the SSL/TLS industry.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.