It’s inevitable that in any widespread crisis response, thieves and scammers will come out of the woodwork to take advantage of the publicity—and the emotions—surrounding the situation.
Just as scammers began launching schemes to defraud honest, concerned citizens within hours of the attacks on September 11th, the hurricane relief efforts in Haiti, and the aftermath of Hurricane Sandy, unscrupulous (dare we say, evil) people will also try to take advantage of a large-scale data breach to bilk citizens out of their money.
How? By sending out phony messages known as phishing emails in relation to the data breach. Whether it’s the infamous Target data breach in 2013 or the more recent hacking of the federal government’s Office of Personnel Management, emails have circulated blindly that claim not only to inform recipients that their information was compromised, but also to provide them with “instructions” on how to handle it. Scammers don’t even need to put any effort into sending these phishing emails to specific people; with millions of victims available to choose from, there’s a good chance that one recipient out of a hundred might have been a victim.
In the case of the recent OPM data breach, an estimated four million government employees had all of their information, even Social Security numbers, exposed to hackers. Unfortunately, some experts have warned that the danger is even more widespread, since those employees who were given a security clearance had to apply using a one-hundred-plus-page form that called for highly detailed contact information on other people the applicant knew who could vouch for them. This included former schoolmates, teachers, landlords, employers and colleagues, family members, and friends.
Individuals who were known to have been affected by the OPM data breach have been informed, and all legitimate correspondence comes from an identity theft firm known as CSID. The government elected to work with CSID on this matter, so any message that doesn’t come from CSID (or even one that claims to be from the government itself) is not real. Now that the scammers know that, they’ll obviously attempt to masquerade as CSID, so it’s important that you check the email domain name by hovering your mouse over the sender’s name in your inbox before opening and responding to any message.
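The sender-domain check described above, as an added example that is not part of the original article: the name shown in the inbox is free text, so the check compares only the domain after the @ against the one expected domain. `breach-notify.example` is a constructed placeholder (the article does not give CSID's real domain), and the function names and sample headers are constructed as well.

```python
from email.utils import parseaddr

# Placeholder: the article does not give the real notification domain, so this
# is a constructed value. Use the domain printed in the mailed letter instead.
EXPECTED_DOMAIN = "breach-notify.example"
BRAND = "CSID"  # the name the article says legitimate notices come from


def sender_domain(from_header):
    """Return (display_name, domain) from a raw From: header value."""
    display, addr = parseaddr(from_header)
    _, at, domain = addr.rpartition("@")
    domain = domain.strip().lower().rstrip(".") if at else ""
    return display, domain


def check_sender(from_header, expected=EXPECTED_DOMAIN, brand=BRAND):
    """Classify a From: header against the single domain we expect."""
    display, domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    # Only the exact domain or a true subdomain of it counts as a match.
    if domain == expected or domain.endswith("." + expected):
        return "match"
    # Punycode labels can render as look-alike characters in a mail client.
    if any(label.startswith("xn--") for label in domain.split(".")):
        return "lookalike-domain"
    # Expected domain or brand embedded inside a different domain.
    if expected in domain or brand.lower() in domain:
        return "lookalike-domain"
    # Display name claims the brand, but the address is somewhere else.
    if brand.lower() in display.lower() or expected in display.lower():
        return "display-name-spoof"
    return "mismatch"


# Constructed sample headers, not taken from real messages.
SAMPLES = [
    'CSID <alerts@breach-notify.example>',
    'CSID <alerts@mail.breach-notify.example>',
    '"CSID Support" <help@free-mail.test>',
    'Notices <alerts@breach-notify.example.account-verify.test>',
    'CSID <alerts@csid-secure.test>',
    'OPM <notice@agency.test>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_sender(header):20} {header}")
```

A "match" here only means the visible From: domain is the expected one; the From: header can itself be forged, so the mailed letter remains the reference for what to do next.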
Any time a large-scale data breach occurs, it’s vital that consumers are proactive about how they respond. Save all mailed correspondence about the event and follow the instructions in the mailed letters in order to protect yourself. Any time you receive an unsolicited email that tells you to click the link, DON’T DO IT. Instead, type the link into a separate browser window. Clicking the link (which may very well be false) could install malicious software on your computer that lets the scammers steal your identity and your financial information. If you are offered credit monitoring, credit repair, free credit reports, or other options, make sure you only work with the ID theft firm that the victims of the breach have contracted with. Going through any unsolicited email offers could mean you’re unintentionally handing your information over to scammers.