A customer support representative for the credit reporting firm Equifax sent a potential victim of the company's recent, massive data breach to a website completely unrelated to Equifax's own support site, exposing the victim to phishing.

The victim contacted Equifax via Twitter, and a representative from the company's customer support team sent the person a link to securityequifax2017.com, a website that is not owned or operated by Equifax.

Following the data breach, which may have exposed the personal information of as many as 143 million consumers in the United States and resulted in more than 200,000 credit card numbers being compromised, Equifax set up a support site designed to help people determine if they were affected by the breach. That site is equifaxsecurity2017.com.


The mistake was an easy one to make: the representative simply transposed "Equifax" and "security" in the domain name. Unfortunately, that small slip could have put the consumer at even greater risk by directing them to a site with no affiliation to Equifax.

Since the consumer received the link from an official service representative, they would have little reason to question the legitimacy of the site and would likely enter personal information into forms on the site without giving it a second thought. (Equifax’s real site asks for six digits of a potential victim’s Social Security number and a last name.)
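The two failures described above, a link that was never checked against an approved domain and a look-alike produced by reordering the words of the real one, are both mechanical enough to catch. The following is an added example, not code from the article or from Equifax: it flags links in an outgoing support reply whose host is not on an allowlist, and it enumerates the word-transposition variants of an official domain so they can be registered or monitored ahead of time. The allowlist, the word split of the domain, and the sample reply are assumptions constructed for illustration.

```python
"""
Added example (not from the article or from Equifax): flag links in a
support reply that do not point at an approved domain, and enumerate the
word-transposition look-alikes of an official domain. The allowlist and
the word split below are assumptions for illustration.
"""
import itertools
import re
from urllib.parse import urlparse

# Assumed allowlist of domains a support representative may link to.
OFFICIAL_DOMAINS = {"equifax.com", "equifaxsecurity2017.com"}

# Matches bare or scheme-prefixed hostnames with an optional path.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


def host_of(link: str) -> str:
    """Return the lowercase hostname of a link, tolerating a missing scheme."""
    if "://" not in link:
        link = "http://" + link
    return (urlparse(link).hostname or "").lower().rstrip(".")


def is_official(link: str, allowlist=OFFICIAL_DOMAINS) -> bool:
    """True only if the host is an allowlisted domain or a subdomain of one.

    A substring check ('equifax' in host) is deliberately avoided: a brand
    name appearing somewhere in the hostname is exactly what a look-alike
    such as equifax.com.evil.example relies on.
    """
    host = host_of(link)
    return any(host == d or host.endswith("." + d) for d in allowlist)


def unapproved_links(message: str, allowlist=OFFICIAL_DOMAINS) -> list:
    """All links in a message whose host is not on the allowlist."""
    return [m.group(0) for m in URL_RE.finditer(message)
            if not is_official(m.group(0), allowlist)]


def transposition_lookalikes(parts, tld: str) -> set:
    """Every reordering of the registrable name's word parts, excluding the
    original order. ['equifax', 'security', '2017'] with tld 'com' yields
    'securityequifax2017.com' among others."""
    original = "".join(parts) + "." + tld
    return {"".join(p) + "." + tld for p in itertools.permutations(parts)} - {original}


if __name__ == "__main__":
    # Constructed reply for illustration; not the wording of the actual tweet.
    reply = "Hi, for more information please visit securityequifax2017.com"
    print(unapproved_links(reply))
    print(sorted(transposition_lookalikes(["equifax", "security", "2017"], "com")))
```

Run as a pre-send check on outgoing replies, the allowlist turns a reviewer's eyeball comparison into a hard rule; run once when a new domain is stood up, the transposition list is the set of names worth registering or watching, which is precisely the name Sweeting took.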

Luckily for the consumer, for the representative who sent the link, and for anyone else who found the link while reading through Equifax's Twitter feed and believed it to be legitimate, the domain was registered by a full-stack developer named Nick Sweeting.

Sweeting registered the domain deliberately, to highlight how little effort Equifax had put into setting up its support site. His page looks exactly like the real Equifax support site, but scrolling down reveals some of the shortcomings in how Equifax built its site, including its failure to obtain a reputable digital certificate to authenticate the site and encrypt data sent to it. The underlying problem is that Equifax put its support site on a newly registered domain with no visible tie to equifax.com, so a look-alike domain was just as plausible to a consumer as the real one.

All of the links on Sweeting’s page also direct the visitor to a video of Rick Astley’s “Never Gonna Give You Up.”

Sweeting might have no intentions of scamming anyone, but the same cannot be said for others out there. The impact of the Equifax breach is potentially massive and millions of people are seeking help and support in the wake of the incident. There are undoubtedly scam sites out there offering phony services while harvesting personal information directly from people who are just trying to protect against exactly that.

Equifax's linking to a fake site almost certainly wasn't malicious, but it was revealing of how the company has handled the situation. The credit reporting firm has come under fire for a number of its actions, including charging for credit freezes and attempting to trick users into agreeing not to take part in any class action lawsuit against the company.

The U.S. Federal Trade Commission has also warned against potential scams in the wake of the Equifax breach, including phone calls from spoofed numbers that claim to be representatives from Equifax calling to confirm a person’s information.