Is your company in the doghouse over a security breach?
Following up by Tweeting links to a phishing site doesn’t help.
Beleaguered data company Equifax is back on the hot seat after it repeatedly tweeted out a link to a bogus website.
— Knol Aust (@knolaust) September 20, 2017
The fake website’s creator, Nick Sweeting, claims he created to site to show how “dangerously easy” it is to impersonate the Equifax site.
“It only took me 20 minutes to build my clone,” [Mr. Sweeting said.] “I can guarantee there are real malicious phishing versions already out there.”
“It’s in everyone’s interest to get Equifax to change this site to a reputable domain,” he added. “I knew it would only cost me $10 to set up a site that would get people to notice, so I just did it.”
Equifax issued a short release stating that all links to the fraudulent site had been deleted from the company’s Twitter feed.
“We apologize for the confusion,” the statement said. “Consumers should be aware of fake websites purporting to be operated by Equifax. Our dedicated website for consumers to learn more about the incident and sign up for free credit monitoring is https://www.equifaxsecurity2017.com, and our company homepage is equifax.com. Please be cautious of visiting other websites claiming to be operated by Equifax that do not originate from these two pages.”
The company did not address why it had created a new website when publishing the “equifaxsecurity2017.com” domain instead of creating a subdomain of equifax.com.
Most egregious for some watchers was how long it took Equifax to realize it was sending consumers to a fake website.
— Kenn White (@kennwhite) September 20, 2017
Here are four takeaways from Equifax’s latest security lapse:
1. Don’t get too clever with the domain.
It seems easy enough to create other websites for your business. You can get creative or specific, looking to address a particular business issue. However, it had better be secure, and that means using a website that customers can immediately recognize and know they can trust.
“I made the site because Equifax made a huge mistake by using a domain that doesn’t have any trust attached to it” as opposed to hosting it on equifax.com, Nick Sweeting, who created the spoof page, told The Verge. “It makes it ridiculously easy for scammers to come in and build clones — they can buy up dozens of domains, and typo-squat to get people to type in their info.”
2. Double-check the links.
Every post gets edited, but who is checking the links? Links are the most essential aspect, yet in scanning for typos and adhering to the 140-character limit, posters and editors can gloss over this crucial component. Click and corroborate.
3. Tweets are forever.
Don’t assume that mistaken posts can be deleted and will just vanish. Equifax’s post was captured in a screenshot and shared by other users on twitter.
— The Hill (@thehill) September 21, 2017
These posts can’t be erased. Deleting the posts does communicate remorse, but it also communicates guilt. The best option? Never to have tweeted them in the first place.
4. When admitting fault, keep it short.
Equifax has responded to this latest misstep with brevity and precision.
“All posts using the wrong link have been taken down. To confirm, the correct website is https://www.equifaxsecurity2017.com. We apologize for the confusion,” Equifax said.
PR Daily readers, what advice might you offer the Equifax social media team and brand managers after this latest blunder?