I typed my social security # on a fraudulent website
December 22, 2019 11:54 AM

I meant to file a tax-related form, and didn't notice I was on a .com, not IRS.gov. I typed in my private info. I didn't hit 'Submit.' How bad is this, and what do I need to do?

Here's exactly what happened:
- I googled "file for an ein," and went to the first result. I've indicated the site at the end of this post.
- There, I typed in my name, address, and social security number and then noticed that it wasn't the IRS site.
- I did not hit 'Submit' (or 'Continue,' or whatever button is at the bottom of the page -- I'm avoiding re-opening the page to look). I closed the tab.
- Still using Chrome, I chose 'Reopen Closed Tab.' The info I'd typed in was still populated in the fields. I typed different numbers over my real social security number and closed the tab again.

Does it matter that I didn't hit 'Submit'? I think some webpages store info as you type, and others only after pressing a button. Does the fact that the fields were still populated when I closed and reopened the tab mean this is the kind that stored it anyway?

Is that site meant to harvest private info? It looks fraudulent, but maybe their fraud is just that they're charging money for free processes (like EIN filing)? Or is it pretty likely that the SS# is what they wanted? What do sites like this tend to do with this info?

This was all a few days ago. I happen to already be enrolled in ID Notify (because of an old data breach), and haven't seen anything new pop up yet. I don't want to overreact and cause myself more headaches than called for, and I haven't read up on credit freezes, etc., so I don't know which are no-brainers that I should just do and which are major hassles. What's called for in my situation?

The site in question -- don't visit unless you know what you're doing, so I'm breaking up the link -- is ein- forms- gov, but without the spaces, and preceded by www. and followed by .com/.
posted by anonymous to Computers & Internet (6 answers total)
 
So, just because the info you typed in was still stored in Chrome, doesn't mean that it was more likely to be sent to them. It sounds like Chrome probably just kept track of filled form fields in your closed tab on your computer as a convenience to you.

I went and looked at their website and opened the "network" tab in my browser (Firefox)'s developer tools -- you can do this by hitting F12 to open up the tools. When you have that tab open, it will put an entry in the list every time your browser sends or receives information over the network. When I visit their website, I see there are many entries when I load the website representing the initial download of all of the contents of the site. But when I type into the SSN field, there is no further network activity. So in my case, I can be pretty confident that it didn't send anything I typed.

Of course, it could be that they have done something unreasonably sneaky, like show you a different version of the website than they showed me, or only sent the SSN sometimes and not other times. But I don't see any reason to expect them to do such a thing. So I think you are fine with 99% certainty.
posted by value of information at 12:14 PM on December 22, 2019 [14 favorites]
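
The check described in the answer above (watching for network activity while typing into a field) can also be done from the developer-tools console by hooking the browser's request APIs and looking for a canary value. This is an added example, not part of the original thread: `watchForCanary`, `scope` and the canary number are hypothetical, and it only sees `fetch`, `XMLHttpRequest` and `sendBeacon` traffic that carries the value in plain or URL-encoded form.

```javascript
// Added example: record outgoing requests that carry a canary value typed into a form.
// Assumptions: `scope` is a window-like object (pass `window` in a browser console);
// the canary is a constructed, invalid number typed instead of real data.

function bodyToText(body) {
  if (body == null) return "";
  if (typeof body === "string") return body;
  if (body instanceof URLSearchParams) return body.toString();
  if (typeof FormData !== "undefined" && body instanceof FormData) {
    return Array.from(body.entries(), ([k, v]) => `${k}=${String(v)}`).join("&");
  }
  if (body instanceof ArrayBuffer || ArrayBuffer.isView(body)) {
    return new TextDecoder().decode(body);
  }
  return String(body);
}

// Matches the canary as typed, with separators stripped, and after URL-decoding.
function carriesCanary(text, canary) {
  const forms = [canary, canary.replace(/\D/g, "")].filter(Boolean);
  let decoded = text;
  try { decoded = decodeURIComponent(text); } catch (_) { /* malformed escapes: keep raw */ }
  return forms.some((f) => text.includes(f) || decoded.includes(f));
}

function watchForCanary(scope, canary) {
  const hits = [];
  const check = (via, url, body) => {
    if (carriesCanary(`${url}\n${bodyToText(body)}`, canary)) hits.push({ via, url: String(url) });
  };
  const origFetch = scope.fetch;
  scope.fetch = function (input, init) {
    check("fetch", typeof input === "string" ? input : input.url || String(input), init && init.body);
    return origFetch.apply(this, arguments);
  };
  const proto = scope.XMLHttpRequest.prototype;
  const origOpen = proto.open, origSend = proto.send;
  proto.open = function (method, url) { this._watchedUrl = url; return origOpen.apply(this, arguments); };
  proto.send = function (body) { check("xhr", this._watchedUrl, body); return origSend.apply(this, arguments); };
  const origBeacon = scope.navigator.sendBeacon;
  scope.navigator.sendBeacon = function (url, data) {
    check("beacon", url, data);
    return origBeacon.apply(this, arguments);
  };
  return hits; // live array: inspect it after typing the canary into the field
}
```

In a browser console, run `const hits = watchForCanary(window, "000-12-3456")` before typing the canary into the field, then inspect `hits`. WebSocket messages and requests made by setting an image or script URL are not hooked, so the Network tab remains the fuller view.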


Even if there's been no exposure, it's a "no-brainer" (i.e. free, easy, and harmless) to get a credit Fraud Alert; here's how and more info: https://www.consumer.ftc.gov/articles/0275-place-fraud-alert

Note that this is not the same as a credit Freeze, which is more secure and more involved. If you decide a Fraud Alert is inadequate in your situation, you may want a Freeze. But there's no harm in getting the Fraud Alert in the meantime.
posted by splitpeasoup at 2:10 PM on December 22, 2019 [3 favorites]


Some websites definitely send info as you type - I had a shopping cart that I backed out of without submitting anything, but had already entered my email and phone number (and they used both to contact me). I think this is definitely a "better safe than sorry" and recommend the fraud alert as splitpeasoup mentioned.

It doesn't really mean anything that your SSN hasn't popped up on IDNotify - if all these hackers used the info right away then it would be way easier to trace.
posted by getawaysticks at 2:35 PM on December 22, 2019


Since credit freezes can be done for free these days, I'd personally recommend them even if you didn't have any reason to believe your SSN was at large.
posted by Aleyn at 9:29 PM on December 22, 2019


The Better Business Bureau has an entry for this company, indicating a number of complaints. However, the complaints all appear to be related to the company misrepresenting itself as a government website and charging for a service the IRS provides directly for free, rather than for identity theft. But the company certainly looks sketchy to me.

It shouldn't be too hard for someone with the proper skills to determine whether their website sends the information entered into the form even before the submit button is clicked. I would guess that since this company seems to be focused on scamming people by charging them for something they can get for free, which is skeevy but legal, they are probably not also going out of their way to scam people by stealing their identity, which is definitely not legal and therefore a lot riskier for them. Since it would take more work for them to design a page that captures the information you enter into their forms before you submit, they probably didn't bother to do this if stealing your identity isn't an explicit goal.

From my non-expert perspective, I would look at it as this. Maybe this company has your SSN based on you having entered it into the form even without submitting it. But they are probably not actively trying to steal your identity, based on the totally different scam they are clearly running. However, they are also probably not particularly concerned with providing adequate security for any personal information of yours they have collected, should a third party whose primary goal is to steal identities target them.

All that said, the safest thing would be to assume that your SSN has been compromised and act accordingly. Making the risk-vs-hassle assessment is up to you, though. If placing a fraud alert is low hassle like splitpeasoup suggests, maybe it's worth it even if you decide the risk is low.
posted by biogeo at 2:00 AM on December 23, 2019 [1 favorite]


In your tax prep in whatever month you file, or in the office of your tax preparer, let them know you plan to keep a tab on your social, so instead of simply signing your tax documents, sign with a 5-digit PIN that is unique to you (and not your house number or last 5 of phone number). Usually social security numbers can only be used fraudulently to open credit or file taxes, and a quick credit check will let the receiver know your name and address is not what matches a fraud attempt. Keep using the PIN or change it every year for good measure. If you're super concerned, have an alert issued to your bank for any activity related to your social security number.
posted by The_imp_inimpossible at 4:32 AM on December 23, 2019 [1 favorite]


This thread is closed to new comments.