Equifax continues its troubled response to its recent data breach affecting 143 million people.
Following the compromise, the credit bureau registered a website for people to visit, www.equifaxsecurity2017.com, where they can determine whether their personal information including names, birth dates, and Social Security numbers was exposed. In the weeks since, scammers have tried to dupe consumers into revealing more information about themselves by using ruses related to Equifax.
To make matters worse, Equifax has been inadvertently spreading at least one knockoff scam. The company has been directing people to a fake, copycat version of its own hacking help page instead of the real one for the past couple of weeks. (Thankfully, it was a benign one created by a concerned citizen.)
Equifax’s official Twitter account has pointed people to securityequifax2017.com rather than equifaxsecurity2017.com in as many as eight public tweets. Below is a screenshot of the most recent post. (Equifax has since deleted the tweets, but you can view an archived version here.)
Notice the difference? In the counterfeit, “security” precedes “equifax.” It’s easy to miss—so much so that the company’s own customer support team (specifically, someone named Tim, it seems) fell for it.
This particular knockoff site was created by Nick Sweeting, a software developer who has made it his cause to raise awareness about the dangers of phishing. (Sweeting’s version of the site notes in its headline that it is “Totally Fake.”)
Get Data Sheet, Fortune’s technology newsletter
“As it stands, their site is dangerously easy to impersonate, it only took me 20 minutes to build my clone,” Sweeting wrote to Fortune in a direct message on Twitter. “I can guarantee there are real malicious phishing versions already out there.”
Equifax just linked customers to my fake phishing version of their site by accident. 😱😱😱 https://t.co/kXQdwKys71
— Nick Sweeting (@thesquashSH) September 20, 2017
Other examples of Equifax pointing to the fake site have surfaced, dating back to Sept. 9.
https://twitter.com/MadcapOcelot/status/910533555494760449
“I just hope the employee who posted the tweet doesn’t get fired, they probably just Google’d for the URL and ended up finding the fake one instead,” Sweeting said. “The real blame lies with the people who originally decided to set the site up badly.”
In a statement to Fortune, Equifax apologized for the mishap. “All posts using the wrong link have been taken down. To confirm, the correct website is https://www.equifaxsecurity2017.com. We apologize for the confusion,” a spokesperson wrote.
If you plan to check whether your data was compromised, sign up for a year of free credit monitoring, or implement a credit freeze, make sure you’re visiting the correct site.
