Is this a scam?

I know that 95% of the time the answer to this question is yes but I’m not so sure of this one.

I received a letter from my health insurance (CareFirst Blue Cross) stating that there had been a security leak last year. It gave me the date and exactly what information was compromised. They informed me that they had disabled my online access and would require me to establish a new online account with them, with a new username and new password, if I wanted to continue to access any medical information online. They also informed me that they were paying for 2 years of free credit monitoring via Experian ProtectMyID and gave a code to access the Experian site. They also cautioned that they would never contact people by telephone or email and not to give out any information if contacted in those ways.

When I go independently to the CareFirst site, there is identical information there that matches the letter I was sent. I also went independently to Experian which does appear to have a service called ProtectMyID which is usually a paid credit-monitoring service. I did try the code I was given which gives me access to them but they want confirmation of my social security number in order to access my credit account and sign me up.

Normally, I am very nervous about giving out my SS# on the internet but this seems valid. The letter did give a telephone number to call to set up the monitoring if I didn’t want to do it online but I am also suspicious of calling a telephone number given to me and giving them information.

So far, this all seems to check out to be legit but am I missing something? If it is a scam then they seem to have hijacked the main CareFirst site also since as I said, the information there matches what was sent in the letter. Any ideas?

Generally, if you receive a letter or email that invites you to log in to a known-name site, it’s probably legitimate. Most legit requests will give you a specific link to cut and paste, using a recognizable base domain, and not an active link. Nearly all legitimate contacts of this type have stopped giving click-links because people have become rightly wary of them. Smart users will always check the actual link address - by hovering or opening the email source - before clicking even the most expected and official-looking email link.

I suppose an elaborate scam could be set up to mimic what you’re seeing - with DNS hijacking etc. - but if you can go to a clean browser and enter the starting address yourself from a known-good reference, and get to the information or account… it’s probably good.

It is always good to be on alert, though. Sumbitches get slicker every day.

Another way to try to confirm: do a quick search to see if the data breach happened (it did).
https://www.google.com/search?q=CareFirst+Blue+Cross+leak

Do you have an ID card or EOB statement that has a phone number on it, which you received before this letter? If so, call that number and see if you can confirm. Hacking a pre-existing phone number is difficult enough that it’s extremely unlikely someone would do it for a SS# phishing scam.

Sending millions of emails is cheap. Sending millions of actual letters is expensive.
So, the information in a real letter is probably right. If it directs you to type in a real url for the insurer, that’s a second level of confidence.

By the way, one can easily identify phishing links by mousing over them and looking at the url in the link. Instead of company.com (legit), it will be something like company.ripoff.com (not legit).

This is true. I got notices for my Mom and for her second husband. She died in 2012 and he died in 2005. I called to see if they needed to be taken off of some list, but the phone jockey said that they were required by law to send the notice to everyone who had once had the coverage, even if the people were dead.

The fact that Blue Cross, and a ton of other people, have my address as their address because of one forwarding request to the PO, is rantworthy, but another topic. Blue Cross seems to be following a reasonable process.

I declined to sign them up to have their credit checked for two years. I think they’re both judgement proof.

Thanks all. I have been doing some googling and it all seems legit. You can never be too cautious, though. I went ahead and signed up with Experian. Might as well have free credit monitoring for the next 2 years. It must be costing CareFirst a fortune. I am just imagining how high they’ll raise my insurance rate next year :(.

I was part of the Anthem breach and like you was concerned over the authenticity.

Really, the whole mitigation process seems odd to me: the insurance company let my social security number out, so then, to monitor any potential damage, I’m supposed to give my SSN to yet another company? Counter-intuitive, but I guess that’s what we gotta do.

Legit.

Experian already had your SSN.

As I read OP, the SSN request came from Experian, not the insurance.

Yes, a credit rating agency will want you to confirm who you are before showing you that person’s private info. DUH.
They should then ask you a bunch of Q’s about where you have or haven’t lived, who did your last auto loan, etc. - stuff that only the real person could likely answer, at least in the time allotted.