Phishing site wants your data to pay you for data theft
Worried that your personal information may have been stolen in a data breach? Of course you are. Russian scammers offer just the solution: Free money!
The catch is that to get this free money, labeled as "compensation for the leakage of personal data," you'll have to provide the website of the "U.S. Trading Commission" — there is no such agency — with your name, address, credit-card number and Social Security number. (The site will even sell you a "temporary" SSN for the bargain price of only $9.) Of course, if you do, then your identity will almost certainly be stolen.
This phishing scam, unearthed by Kaspersky researchers, may seem laughably obvious to most. But it will still fool people who may not be tech-savvy or may not understand that U.S. government agencies prefer to do official business via U.S. mail.
In a company blog post, Kaspersky's Tatyana Sidorina explained that this scam resides on a website claiming to represent the aforementioned U.S. Trading Commission and declares itself to be an "Official Personal Data Protection Fund."
The site mimics the color scheme and design of the real website of the Federal Trade Commission, which does take complaints of identity theft but doesn't compensate you in return. The bogus site even uses the FTC seal on some pages.
In her blog post, Sidorina didn't explain how a potential victim might be lured to this phishing page. But there are so many different ways that narrowing it down may not matter.
You could get an email, perhaps even one that seemed to come from a friend, telling you that you could now be paid for past data breaches. You could see a similar post on Facebook, Instagram or Twitter. You could stumble across it in a search result. Or you could even receive spam text messages. In all cases, there would be a link to this fraudulent page.
Sidorina offered a few ways to avoid becoming a victim. First, there's the obvious one: If it sounds too good to be true, it probably is.
Second, she recommended verifying any site that promises undeserved riches. Type the name of the organization into a search engine. Do you get any exact results? If so, then does the website of that organization match the one you've been told is the right one?
Then there's one both she and we thought of: If you want to safely check whether your data has been exposed in leaks and breaches, try the HaveIBeenPwned website set up by Australian security researcher Troy Hunt. The site will let you check an email address or a password -- but never both at the same time, for safety's sake.
Last, Kaspersky pitches its own Kaspersky antivirus software as a way to protect yourself from phishing scams. We highly recommend Kaspersky's software, but to be fair, we invite you to check out our full list of the best antivirus software.