To help people sign up for its credit monitoring service, Equifax directed some Twitter users to "securityequifax2017.com."
The issue with that? It's not the right website.
Equifax's actual website is "equifaxsecurity2017.com," but the company tweeted out the link to a fake site with a similar URL for nearly two weeks.
Following reports that the links were fake, Equifax deleted the misleading tweets.
The fake website — which is now blocked by Chrome and Firefox — wasn't created to be malicious. It was actually developed to draw attention to the possibility of real phishing schemes, and it worked so well even Equifax fell for it.
Nick Sweeting, the reported developer behind the misleading site, told Gizmodo he only needed $10 and 20 minutes to build his clone. He also said: "I can guarantee there are real malicious phishing versions already out there."
Phishing works when hackers clone trusted websites with reworded — or even misspelled — URLs to deceive users into entering personal information. Because "equifaxsecurity2017" is so long and unofficial-sounding, users may not recognize what's real and what's fake.