Experian, one of the biggest consumer credit reporting bureaus, likely put your full credit history into the hands of identity thieves last year. On Monday, news broke of a major flaw in the company’s website, which allowed anyone with your name, address, birthdate, and Social Security number to bypass a security check and get to your report.
First discovered by security researcher Jenya Kushnir, the flaw was exploitable for an unknown length of time and was only patched in late December 2022, seemingly after Brian Krebs of Krebs on Security, having been notified by Kushnir about the issue, brought it to Experian’s attention. (You can read the full details in Krebs’s post about the matter.)
Given how many data breaches have leaked all the information needed by identity thieves (including the massive 2017 Equifax hack), you can now assume your private financial info is out on the web. Accordingly, you’ll want to be on guard against even more clever phishing scams in the future—the kind meant to disarm you with info you might assume only a legitimate source would have.
The good news is that your existing protective measures against phishing still apply here—you can look over our guide to the important basics if you need a refresher. But in the wake of this Experian leak, you should pay extra attention in a few specific situations:
- Receiving calls or messages from so-called Experian representatives. You could receive a phone call, text message, or email from someone who says they represent Experian, claiming you must respond to a matter or verify personal information. It’s likely a scam. Don’t click on any links, and don’t respond directly—follow up by reaching out to Experian via the company’s official contact methods.
- Getting alerts about your credit accounts. Legitimate messages about your credit card, car loan, mortgage, or other debt often include info like the first or last few digits of your account. That information isn’t private anymore. If you receive any warnings about your accounts, treat them with caution and don’t click any links. Call or message your lender through the phone number or portal available on its website.
- Getting alerts about your bank accounts. The credit bureaus don’t track checking and savings accounts, but many people use just one or two institutions for all their financial needs. An unexpected phone call, text message, or email could be a ploy to suss out info on your savings. Don’t immediately trust anyone asking about these kinds of accounts, no matter how legitimate they sound.
In the end, avoiding phishing attacks still boils down to the same defense: Have guards in place, like a trusted password manager and antivirus software on your PC to help with basic URL screening. Then, when unexpected communication arrives, always take a little time to think over the call or message. Nowadays, self-protection is the only line of defense between you and a massive headache—or worse.