
How to Know if a Data Breach Alert Is a Scam

You are paranoid about scams. Some con artists are using that to their advantage.

Geoff Williams Contributor
Geoff Williams is a journalist and author. His byline has appeared in numerous publications, including U.S. News & World Report, Yahoo Finance, Entertainment Weekly, The Washington Post, LIFE magazine, CNNMoney.com, The Wall Street Journal's Buy Side and Consumer Reports. He is also the author of several books, including "C.C. Pyle's Amazing Foot Race" (Tantor Media) and "Washed Away" (Pegasus Books).
Expertise Finance, Banking
[Image: a data breach alert with two fingerprints on it. Getty Images]

You're doing all the right things to protect your personal data, but despite your best efforts, you receive a dreaded data breach notice.

A data breach notice is a letter or email a company sends to affected customers to inform them of a cyberattack. It's a common form of communication that tells customers criminals likely have their sensitive data, such as their name, address and Social Security number.

The problem is that criminals know about these notices. So they create scams that take advantage of them. 

They're clever and timely scams, especially since data breaches aren't rare. They happen almost every day. Here's how to distinguish fraudulent data breach notices from the real ones. 

How do these data breach scams work?

Such scams often run like this: You receive a seemingly official letter, email, text message or phone call that tells you about a data breach and gives you information about how to protect your personal data.

The scammer may ask you to download software to protect yourself. It turns out to be malware that infects your computer. A legitimate data breach notice won't ask you to download or install anything.

A scammer may also tell you to "click on this link to verify your identity." In reality, it's a phishing tactic: the link leads to a page the scammer controls, where you're asked to type in your Social Security number, account password or card details. A legitimate data breach notice won't ask you to confirm that kind of information through a link, either.

In general, official correspondence is formulaic. It will describe which of your personal data was compromised; explain the steps you can take to freeze your credit or place a fraud alert on your credit reports with the major credit bureaus; and often include an activation code to set up free identity theft protection services.

Red flags to look for in a data breach alert

If you pick up on any of the following with a data breach notice, the correspondence could be a scam:

  • The sender's email address or phone number is suspicious. If you're alerted to a data breach via email or text, pay extra attention to the address or number it came from. Look up the company's real domain or customer service number yourself, on your statement or on the company's website, and compare. Don't rely on the contact details in the message, and don't click any links or provide any information until you've checked.
  • The spelling is wrong. Look for misspelled words, odd grammar and/or language that seems a little off.
  • The links look odd. As with any link sent to you via email or text, inspect the URL before clicking (hover over it on a computer, or press and hold it on a phone to preview the destination). Warning signs include extra or swapped letters in the company's name (say, exampleabank.com instead of examplebank.com) or the company's name followed by a different domain altogether (examplebank.com.secure-login.net, which actually belongs to secure-login.net). If it looks funny, don't click.
  • There's a clear sense of urgency in the correspondence. You should act on a real data breach notice, but its tone doesn't push or scare you into doing something right this minute, such as calling a number or clicking a link before you've had time to check.
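Links deserve the closest look, so here is an added example, written for this page and not taken from the article or from CNET, that applies the URL checks above in Python. It goes slightly beyond the two tricks named in the list: besides extra letters in the name and the company's name used as a subdomain of someone else's domain, it also flags the brand name hidden in the path, a bare IP address, and the "company.com@real-host" trick, where everything before the "@" is ignored by the browser. The company name ExampleBank, its domain examplebank.com and every sample link are made up for the example.

```python
"""Spot lookalike links in a data breach notice.

Assumptions (not from the article): the reader knows the company's real
domain from a card, statement or the site they normally use, and the
brand name is the word an impostor would most likely reuse. ExampleBank
and examplebank.com are made-up names.
"""
import difflib
from typing import List
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'examplebank.com'.

    Simplification for this example: a production check should consult
    the Public Suffix List so that names like 'example.co.uk' are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_link(url: str, company_domain: str, brand: str) -> List[str]:
    """Return the red flags found in a link that claims to come from company_domain.

    An empty list means the link really lands on the company's own domain.
    """
    flags: List[str] = []
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower()

    # Text before '@' is userinfo, not the destination: the real host follows it.
    if parsed.username is not None:
        flags.append("userinfo before '@' hides the real destination host")
    if not host:
        flags.append("no hostname in link")
        return flags
    if host.replace(".", "").isdigit():
        flags.append("bare IP address instead of a company domain")
        return flags
    if parsed.scheme != "https":
        flags.append(f"not https ({parsed.scheme})")

    expected = registrable_domain(company_domain)
    actual = registrable_domain(host)
    if actual == expected:
        return flags

    flags.append(f"link goes to {actual}, not {expected}")
    brand_l = brand.lower()

    # 'examplebank.com.secure-login.net': the brand is only a subdomain
    # of somebody else's registered domain.
    prefix = host[: -len(actual)].rstrip(".")
    if prefix and brand_l in prefix:
        flags.append(f"'{brand}' appears only as a subdomain of {actual}")

    # 'secure-login.net/examplebank/verify': the brand sits in the path,
    # which the site owner can choose freely.
    if brand_l in parsed.path.lower():
        flags.append(f"'{brand}' appears only in the path of {actual}")

    # 'exampleabank.com': an extra or swapped letter in the registered name.
    actual_sld, expected_sld = actual.split(".")[0], expected.split(".")[0]
    similarity = difflib.SequenceMatcher(None, actual_sld, expected_sld).ratio()
    if actual_sld != expected_sld and similarity >= 0.8:
        flags.append(f"'{actual_sld}' is a lookalike of '{expected_sld}'")
    return flags


if __name__ == "__main__":
    # Constructed sample links for the made-up ExampleBank.
    samples = [
        "https://notice.examplebank.com/enroll",
        "https://examplebank.com.secure-login.net/verify",
        "https://exampleabank.com/verify",
        "https://examplebank.com@198.51.100.7/verify",
        "http://secure-login.net/examplebank/verify",
    ]
    for link in samples:
        result = inspect_link(link, "examplebank.com", "ExampleBank")
        print(link, "->", result or ["lands on the company's own domain"])
```

Only the first sample comes back clean; the rest each produce at least one flag. The similarity threshold of 0.8 is a judgment call: it catches single inserted or swapped letters in a name of this length while ignoring unrelated domains, and the two-label domain heuristic is where a real tool would substitute the Public Suffix List.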

How to avoid these scams and report them

It's best not to reply to any unsolicited message you receive, especially if it's the first time you're hearing that your personal data was compromised in a breach. You also shouldn't stay on the phone with someone claiming to be a company representative. Instead, hang up and contact the company yourself, using a phone number or website you look up independently (the number on your card or statement, or the company's known site), never the contact details in the message, and ask whether a data breach notice was sent.

If you discover it's a scam, report it. Even if you weren't conned out of any money, reporting makes law enforcement aware of the campaign, and officials can warn other consumers who aren't as on the ball as you were.

You can report the scam to the Federal Trade Commission at ReportFraud.ftc.gov or by calling the agency at 877-382-4357. Make sure you're using the correct number and site, because scammers masquerade as the FTC, too. Since these scams are a form of cybercrime, also consider reporting the scam to the FBI's Internet Crime Complaint Center at ic3.gov, particularly if you lost money, handed over account credentials or installed something from the message.