Is Experian flat-out phishing now?
December 5, 2022 10:14 PM

I got an email which looked like phishing from Experian, saying "Vehicle detected. Sign in to confirm your car. There is a car that matches the info in your Experian membership. Sign in to confirm it's yours and check out free auto benefits." I didn't click on anything, and instead logged in to my account on the Experian website. But even though an email isn't phishing by a third party, can Experian be doing the phishing as themselves?

After denying the evil upsell (where it conveniently had my credit card payment info all queued up!) I noticed there was an "Auto" link in the main nav, which I clicked. I have a freeze on my credit due to fraud that happened at the beginning of this year, so imagine my surprise when I saw that not only did it have my actual car make and model, it also was showing a car the same make, but different model and year which certainly was not my car. I never had an auto loan for my car, so not sure why Experian is listing my car here at all.

They also gave me an initially convenient way to say "This isn't my vehicle," but no way to leave the modal screen without ALSO confirming that the "correct" vehicle is really mine and agreeing to some fine print:

"I agree to the Experian Terms of Use and authorize Experian to send my information to up to 1 auto refinance partner and authorize these partners to obtain information from my credit profile from one or more consumer reporting agencies to prequalify me for auto refinance options and to share those options with Experian...."

I recognized the UX sorcery that was happening, cancelled out of the modal screen, and have decided that it's much more likely that Experian is evil than that someone registered a car using my identity... but there are still lingering doubts in my mind given that I was the victim of ID theft so recently.

So my question is twofold:
• Do I need to be concerned about this at all regarding my credit and identity?
• Is this technique legal for them to do, given that they are trying to lure responsible people into auto refinances with their own information about their car, plus fake evidence of identity-based fraud?
posted by oxisos to Technology (4 answers total)
 
I'm not a lawyer, but because Experian deals with sensitive data they probably have a lot of them on staff, and obviously their lawyers are confident this is legal. If you have a car loan, Experian definitely knows the make/model of your car, and because Experian is already allowed to use this information in many ways to verify your credit, they can probably use it for promotional purposes.

The main concern for your credit and identity is that someone could hack into your Experian account and access/change your data. Equifax had a large data breach in 2017 and there are plenty of people trying to breach Experian's security for identity theft purposes. This recent security article describes some issues with Experian's current security policies. There is not much you can do personally about this, other than protecting your password and canceling your online account entirely. This is one reason I have never signed up for accounts with Experian/Equifax, but that makes me vulnerable to other types of identity theft because I am not regularly verifying my information with their tools.
posted by JZig at 1:05 AM on December 6, 2022 [1 favorite]


"can Experian be doing the phishing as themselves?"

Phishing is the act of trying to relieve you of your login credentials to someplace the attacker wants to log into as you. This sounds like crappy junk mail, that's it.

"obviously their lawyers are confident this is legal"

I wouldn't take it as a blanket rule to live by that a company that literally exists to traffic in people's private, sensitive financial details is necessarily on the up-and-up, or that they aren't playing fast and loose with some creative interpretation of why their probably illegal thing* is totally definitely legal.

* not referring to the thing described here necessarily, just any random thing they do
posted by tubedogg at 1:13 AM on December 6, 2022 [2 favorites]


I'm going to add another data point to this.

Many years ago, I signed up for something using a fake name (Misty Waters, thank you very much) and email address.

On Monday, Misty received an Experian email with the subject: "Misty, Vehicle detected."

Now, Ms. Waters might be a lot of things, but a licensed driver isn't one of them.

I think the whole thing isn't phishing, but a call to action from Experian trying to get people to upgrade from their CreditWorks Basic tier to something higher (read: paid).
posted by yellowcandy at 9:32 AM on December 6, 2022 [3 favorites]


I have also received this email and logged in via Experian to deal with it. The car that was supposedly at my address didn't belong to me or Mr Epigrams, but a recent/previous resident at this address has a very similar name to mine so I wanted to check. It was a real pain to get the car off my record without signing up for additional services.

Experian is trying to upsell you from free to paid services and to get your OK to send your information to auto companies, but it's technically not phishing. Just spammy advertising with dark patterns.
posted by gentlyepigrams at 12:05 PM on December 7, 2022 [1 favorite]

