Before you click on that data breach alert, verify it’s from a reliable source.
You could be doing all the right things to protect your personal data — but despite your best efforts, you receive a dreaded data breach notice.
A data breach notice is correspondence mailed by a company to customers that informs them of a cyberattack. These notices are a common form of communication that alerts customers that criminals likely have their sensitive data, such as their name and Social Security number.
The problem is criminals know this, too. So they create scams that take advantage of it.
It’s a clever and timely scam, especially since data breaches aren’t rare. They happen almost every day. Here’s how to tell fraudulent data breach notices from the real ones.
How does a data breach alert scam work?
Data breach scams often work this way: You’ll receive a seemingly official letter, email, text message or phone call from a person who tells you about a data breach and offers information on how to protect your personal data.
The scammer may ask you to download software to protect yourself. Instead, it turns out to be malware that infects your computer. A legitimate data breach notice won’t ask you to download anything.
A scammer may also suggest you “click on this link to verify your identity.” But in reality, it’s a phishing tactic to get you to divulge your sensitive information. A legitimate data breach notice will also not do this.
In general, official correspondence is formulaic. It will include the personal information of yours that was compromised, steps on how to freeze or place a fraud alert on your credit reports, and an activation code to set up free identity theft protection services.
Red flags to look for on your data breach alert
If you notice any of these on a data breach notice, it could be fake:
- It’s a suspicious text or email. If you’re alerted to a data breach via your email or text, pay extra attention to the email address and number it comes from. Search for a verified email or phone number from the company before clicking any links or providing any information.
- There are spelling errors. Or maybe the communication you received has language that just seems a little off.
- Check the links before you click on them. As with any link sent to you via email or text, carefully inspect the URL before you click it. If it looks off, like having unnecessary letters hidden in the company’s name or a different name altogether after the actual company name, don’t click it.
- There’s a clear sense of urgency in the correspondence. You should take action if you receive a data breach notice, but the tone used in a real notice doesn’t push or scare you into acting now.
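The link check from the list above, written out as an added example that is not part of the original article: it compares a link's host against a domain you have verified independently and names which red flag applies. The domain `examplebank.example`, the sample URLs and the function names are constructed for illustration; the `@` case goes beyond the two patterns the article names.

```python
from urllib.parse import urlsplit


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url, verified_domain):
    """Classify a link from a notice against the company's verified domain."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        host = ""
    verified = verified_domain.lower()
    if not host:
        return "no-host"
    # Genuine: the verified domain itself or one of its subdomains.
    if host == verified or host.endswith("." + verified):
        return "match"
    # "A different name altogether after the actual company name".
    if host.startswith(verified + ".") or ("." + verified + ".") in host:
        return "name-followed-by-other-domain"
    # "Unnecessary letters hidden in the company's name": compare the same
    # number of trailing labels and allow up to two character edits.
    labels = verified.count(".") + 1
    tail = ".".join(host.split(".")[-labels:])
    if 0 < edit_distance(tail, verified) <= 2:
        return "near-miss-spelling"
    return "different-domain"


# Constructed sample links, as they might appear in a notice.
SAMPLES = [
    "https://www.examplebank.example/breach-notice",
    "https://examplebank.example.account-verify.test/login",
    "https://exampllebank.example/verify",
    "https://examplebank.example@198.51.100.7/verify",  # real host is after '@'
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{check_link(link, 'examplebank.example'):32} {link}")
```

Only a `match` result means the link points at the verified domain; the verified domain itself must come from a source other than the message being checked.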
How to avoid these scams and report them
It’s best to not reply to any unsolicited message you receive, especially if it’s the first time you’re hearing of your personal data being compromised in a data breach. You also shouldn’t stay on the phone with a person claiming to be a company representative. Instead, hang up and reach out to the company directly and ask if a data breach alert was sent.
If you learn it’s a scam, then you’ll want to report it. Even if you weren’t conned out of any money, you’re doing a good thing by reporting it, since it’ll make law enforcement aware of what’s going on, and they can warn other consumers who aren’t as on the ball as you were.
You can report the scam to the Federal Trade Commission at ReportFraud.ftc.gov or call them at 877-382-4357. Just make sure you’re using the correct number and site, as even the FTC has imposters. If it’s a cyber crime, consider reporting the scam to the FBI’s Internet Crime Complaint Center.

