Experian Sends Scam Links by Email, Putting Millions at Risk

A 2024 investigation into a ProtectMyID alert email that linked to a scam domain and how identity protection alerts can become a delivery channel for phishing.

Originally published on Medium on June 19, 2024. Republished here as part of the Reverse Everything archive. This article is preserved close to the original version.

What if identity protection services were helping thieves direct users toward scam infrastructure?

That is the question I had to ask after trying the AAA Experian ProtectMyID service and receiving an alert email that contained a clickable link to a suspicious domain.

This post is based on my personal experience, my own checks, public records, web archive snapshots, and the response I received after trying to report the issue.

Why this matters

Experian is one of the major credit bureaus in the United States, alongside Equifax and TransUnion. Experian says it represents 245 million credit-active consumers nationwide.

ProtectMyID is an Experian identity protection service. AAA members may receive ProtectMyID as a complimentary benefit, and AAA says it serves more than 64 million members.

That scale matters. If a trusted identity protection alert includes a link to a scam domain, many people may treat the link as safe because the email came from a company they trust.

The alert that raised the red flag

I receive many breach and identity protection alerts. Most are routine. One alert from April 22, 2024 stood out because it included a clickable domain that I did not recognize.

I did not click the email link. Instead, I checked the email source and confirmed that the alert appeared to come from Experian infrastructure. I then opened the official ProtectMyID login page directly in the browser and found the same alert inside my account.

ProtectMyID alert email screenshot

That confirmed two things.

  • The alert was real and tied to my ProtectMyID account.
  • The email included a clickable domain that did not belong to any service I recognized.

I also checked the alert in Gmail and confirmed that the link remained clickable there too, not only in Apple Mail.

Gmail showing the alert link as clickable

For more than a decade, I have used a password manager and tracked every domain where I have an account. The domain from the alert was not in that list.

That is the core problem. A user who receives a scary breach alert is already under pressure. If the alert includes a clickable link, many users will click quickly to verify a breach or change a password.

If that link points to a scam domain, the identity protection alert becomes part of the scam delivery path.

Safer alert design

Other identity protection services I tried handled alerts differently. Some told users to manually type the website into a browser. Others included a non-clickable URL or asked users to log into the service directly.

That pattern is safer because it reduces accidental clicks on malicious links.

In my view, security alerts should not include direct clickable links to domains reported by third-party breach data. If the user needs more detail, the alert should instruct them to log into the official service directly.

The Ecoin Official domain

The domain in the alert was tied to Ecoin Official.

According to WHOIS records, the domain was created on April 28, 2019. Public history and review sites showed negative reports and scam complaints around the operation.

Public review page showing scam complaints for Ecoin Official

When I inspected the domain on April 22, 2024, it did not host meaningful content of its own. It redirected visitors to a Telegram channel post.

Domain redirect chain leading to Telegram

Archive snapshots showed that this redirect had existed since at least February 5, 2024. The Telegram post itself dated back to November 16, 2023. By the time I inspected it, the post had accumulated nearly half a million views.

Archive snapshot showing the Telegram redirect

That view count suggested that the domain was receiving significant traffic. If Experian alerts were sending users there, even a small click rate could expose many people.

I also saw web analytics and redirect infrastructure associated with Russian domains while following the chain from the Telegram post. That does not prove who operated the scam, but it is a useful clue about the ecosystem around it.

Redirect infrastructure associated with Russian domains

The post and redirects were still being modified, which meant the operators could change destinations and messages over time.

Archive history showed worse redirects

I use archive.org to inspect older versions of suspicious websites.

Archive snapshots showed that from at least April 23, 2023 to August 5, 2023, the same domain redirected to a malicious ZIP file hosted on Discord.
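The archive-based method described above, as an added example that is not code from the article: it rebuilds a domain's redirect history from Wayback Machine CDX records. The CDX rows, the Location headers and every domain and destination in it are constructed placeholders, not the real domain or destinations from this case; the CDX endpoint and the `id_` raw-snapshot flag are real archive.org features.

```python
"""Added example, not code from the article: rebuild a domain's redirect
history from Wayback Machine CDX records, the archive-based technique the
text uses to show that one domain pointed at different destinations over time.

Assumptions: the CDX rows and Location headers below are constructed sample
data, and every domain and target is a placeholder, not the real case."""
from datetime import datetime
from typing import Dict, List, Tuple
from urllib.parse import urlencode

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"
PAYLOAD_EXTENSIONS = (".zip", ".exe", ".msi", ".jar", ".scr")


def cdx_query_url(domain: str) -> str:
    """Query listing every capture of the domain's root URL as JSON rows.
    CDX rows carry the status code but not the redirect target; reading the
    target means fetching the raw snapshot (see raw_snapshot_url)."""
    params = {"url": domain, "output": "json",
              "fl": "timestamp,original,statuscode"}
    return f"{CDX_ENDPOINT}?{urlencode(params)}"


def raw_snapshot_url(timestamp: str, original: str) -> str:
    """The archived response without the archive's own rewriting ('id_' flag).
    Fetch it with redirects disabled and read its Location header."""
    return f"https://web.archive.org/web/{timestamp}id_/{original}"


def looks_like_download(target: str) -> bool:
    """True when a redirect target hands the visitor a file rather than a page."""
    path = target.split("?", 1)[0].split("#", 1)[0].lower()
    return path.endswith(PAYLOAD_EXTENSIONS)


def redirect_timeline(cdx_rows: List[List[str]],
                      locations: Dict[str, str]) -> List[Tuple[str, str, str, int]]:
    """Merge consecutive 3xx captures that share a Location into date ranges.

    cdx_rows:  CDX 'json' output, a header row followed by data rows.
    locations: {timestamp: Location header read from the raw snapshot}.
    Returns [(target, first_seen, last_seen, captures)] in capture order;
    captures whose snapshot was not fetched are skipped, not guessed."""
    header, rows = cdx_rows[0], cdx_rows[1:]
    ts_i, status_i = header.index("timestamp"), header.index("statuscode")
    redirects = sorted((r for r in rows if r[status_i].startswith("3")),
                       key=lambda r: r[ts_i])
    timeline: List[Tuple[str, str, str, int]] = []
    for row in redirects:
        target = locations.get(row[ts_i])
        if target is None:
            continue
        day = datetime.strptime(row[ts_i], "%Y%m%d%H%M%S").strftime("%Y-%m-%d")
        if timeline and timeline[-1][0] == target:
            _, first, _, n = timeline[-1]
            timeline[-1] = (target, first, day, n + 1)
        else:
            timeline.append((target, day, day, 1))
    return timeline


# Constructed sample data (placeholders, not the real domain or destinations).
SAMPLE_CDX = [
    ["timestamp", "original", "statuscode"],
    ["20221210000000", "http://breached-example.test/", "200"],
    ["20230423120000", "http://breached-example.test/", "302"],
    ["20230605083000", "http://breached-example.test/", "302"],
    ["20230805150000", "http://breached-example.test/", "302"],
    ["20230901000000", "http://breached-example.test/", "302"],  # snapshot not fetched
    ["20240205101500", "http://breached-example.test/", "301"],
    ["20240422093000", "http://breached-example.test/", "301"],
    ["20240430111000", "http://breached-example.test/", "302"],
]
SAMPLE_LOCATIONS = {
    "20230423120000": "https://files.example-host.test/setup.zip",
    "20230605083000": "https://files.example-host.test/setup.zip",
    "20230805150000": "https://files.example-host.test/setup.zip",
    "20240205101500": "https://t.example-messenger.test/channel/123",
    "20240422093000": "https://t.example-messenger.test/channel/123",
    "20240430111000": "https://short.example-shortener.test/abc",
}

if __name__ == "__main__":
    print("query:", cdx_query_url("breached-example.test"))
    for target, first, last, n in redirect_timeline(SAMPLE_CDX, SAMPLE_LOCATIONS):
        flag = "  <-- file download" if looks_like_download(target) else ""
        print(f"{first} .. {last}  ({n} captures)  -> {target}{flag}")
```

The timeline is only as complete as the captures: a range of "first seen .. last seen" bounds when a destination was live, and gaps between captures stay unknown, which is the same limitation the article notes about reconstructing redirect paths between snapshots.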

Archive snapshot showing the malicious ZIP redirect

That ZIP contained an executable. VirusTotal reports identified the contents of the downloaded archive as Trojan-Downloader.Java.Agent.

VirusTotal detection screenshot for the downloaded archive

From my analysis, the malware package included its own Java Runtime Environment. Bundling a runtime makes the package more likely to run on different systems, even when Java is not installed separately.

Downloaded malware package contents showing an included Java runtime

I ran the file inside an isolated virtual machine. It displayed what looked like an endless fake installer while activity continued in the background.

Fake installer running in an isolated virtual machine

As of April 30, 2024, the domain redirected through the cuty.io link shortener to exeo.app. MalwareTips describes Exeo.app redirects as leading to unwanted browser extensions, surveys, adult sites, online games, fake software updates, and unwanted programs.

Redirect path through cuty.io to exeo.app

Later, the same domain redirected to a different Telegram channel. Shortly after that redirect appeared, the linked Telegram post was labeled as a scam.

Later redirect path to a different Telegram channel

Telegram warning label on the later channel post

This pattern showed that the domain was not a static historical artifact. It was reusable infrastructure that could be pointed to different destinations.

Estimating the impact

The traffic estimates in this section are approximate and based on public signals visible at the time.

The Telegram post linked from the domain had about 428,000 views between November 16, 2023 and April 25, 2024. That suggests roughly 80,000 views per month while the domain was actively promoted.

After the domain stopped pointing to that first Telegram post, the post gained only about 10,000 views per month. That drop suggests that a large share of the previous traffic may have come from the domain.

If Experian alerts contributed roughly 70,000 visits per month, the difference between those two rates, then the potential exposure is significant.

The malicious ZIP redirect was visible in archive snapshots for about three and a half months. At that rough traffic level, this could represent around 245,000 potential exposures to a malware download.

If the manipulated breach data entered Experian systems around January 1, 2022 and the scam site remained in circulation, the total reach could have approached 1.5 million views over the active period.

Fake breach database entry screenshot

These are estimates, not verified victim counts. The domain could also redirect differently depending on geography, time, device, or referrer. We can analyze archive snapshots, but we cannot fully reconstruct every redirect path between those snapshots.

Even if only a small percentage of users clicked through and trusted the destination, the scale is still serious.

Phishing emails often have suspicious sender addresses, broken wording, or other signals that mail systems and users can detect.

This case is different. The alert appeared to come from a trusted identity protection service. That means it may bypass user suspicion and automated filtering that would normally apply to a random phishing email.

If a legitimate company sends a clickable scam domain to users, the company unintentionally gives the scam a trust wrapper.

That is why identity protection services should validate domains before showing them to users, and why they should avoid clickable third-party domains in alert emails.

My attempt to report it

I contacted Experian support on April 26, 2024.

By May 6, I had not received a meaningful response. When I followed up, I learned that my ticket had been closed without notification. I was told that the request was invalid and was given contact information for a supervisor.

I sent the documented issue to the supervisor on May 6. I did not receive a substantive response.

After I reached out publicly on Twitter on June 6, Experian suggested that I send a direct message. I did. They acknowledged the message and said it had been forwarded to a supervisor.

Experian support message thread screenshot

I still received no confirmation that the report was reviewed, that a fix was being planned, or that the issue was rejected.

What companies should change

Identity protection services should not send clickable third-party breach domains inside alert emails.

They should show enough context for the user to understand the alert, but the call to action should be to open the official service directly.

They should also validate domains before showing them to users. A breach database entry can be malicious, manipulated, stale, or intentionally poisoned.
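One way an alert renderer could follow both the "Safer alert design" section and the recommendations just above, as an added example that is not Experian's, ProtectMyID's or any other service's code: the third-party domain from the breach record is validated and shown defanged for context, the only link in the message is the service's own login page, and malformed or known-bad records are flagged rather than passed through. The official login URL, the known-scam list and the sample breach records are constructed placeholders.

```python
"""Added example (not the code of any identity protection service): render a
breach alert so the third-party domain is shown for context but never as a
clickable link, and validate the breach record before rendering it.

Assumptions: OFFICIAL_LOGIN, KNOWN_SCAM_DOMAINS and the BreachRecord values
used below are constructed placeholders for this example."""
import html
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

OFFICIAL_LOGIN = "https://protect.example-service.test/login"  # placeholder
KNOWN_SCAM_DOMAINS = {"breached-example.test"}                   # placeholder list
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


@dataclass
class BreachRecord:
    source: str        # which third-party feed supplied the record
    domain: str        # value as it appears in the feed; untrusted input
    breach_date: str   # date the feed claims for the breach


def normalize_domain(raw: str) -> Optional[str]:
    """Reduce a feed value to a bare lowercase hostname, or None if it is not one.
    Feeds carry full URLs, credentials, ports, trailing dots and mixed case."""
    value = raw.strip().lower()
    value = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value)   # drop any scheme
    value = value.split("/", 1)[0].split("?", 1)[0].rstrip(".")
    value = value.split("@")[-1].split(":")[0]             # drop userinfo and port
    return value if HOSTNAME_RE.match(value) else None


def validate_record(rec: BreachRecord) -> Tuple[Optional[str], List[str]]:
    """Return (normalized_domain, problems). Any problem means the record may be
    malformed, stale or poisoned and must not be shown as a trustworthy site."""
    problems: List[str] = []
    host = normalize_domain(rec.domain)
    if host is None:
        problems.append("domain is not a valid hostname")
    elif host in KNOWN_SCAM_DOMAINS:
        problems.append("domain is on the known-scam list")
    return host, problems


def defang(host: str) -> str:
    """Write the domain so mail clients do not turn it into a link."""
    return host.replace(".", "[.]")


def render_alert(rec: BreachRecord) -> dict:
    """Text and HTML bodies whose only link is the official login page."""
    host, problems = validate_record(rec)
    shown = defang(host) if host else "an unverified site"
    warning = "; ".join(problems)
    text = (
        f"Your email address appeared in a breach reported by {rec.source} "
        f"for {shown} (reported breach date {rec.breach_date}).\n"
        + (f"Warning: {warning}. Do not visit that site.\n" if problems else "")
        + f"To review this alert, open {OFFICIAL_LOGIN} from a bookmark or by "
        "typing it into your browser. Do not follow links to the breached site."
    )
    html_body = (
        "<p>Your email address appeared in a breach reported by "
        f"{html.escape(rec.source)} for <code>{html.escape(shown)}</code> "
        f"(reported breach date {html.escape(rec.breach_date)}).</p>"
        + (f"<p><strong>Warning:</strong> {html.escape(warning)}. "
           "Do not visit that site.</p>" if problems else "")
        + f'<p>To review this alert, open <a href="{OFFICIAL_LOGIN}">'
        f"{OFFICIAL_LOGIN}</a> directly.</p>"
    )
    return {"text": text, "html": html_body, "problems": problems}


def links_in(html_body: str) -> List[str]:
    """Every href in a rendered body; a release check asserts it is only OFFICIAL_LOGIN."""
    return re.findall(r'href="([^"]+)"', html_body)


if __name__ == "__main__":
    for rec in (BreachRecord("feed-x", "Login.Example-Shop.test.", "2024-01-15"),
                BreachRecord("feed-x", "https://breached-example.test/login?x=1", "2022-01-01"),
                BreachRecord("feed-x", "<script>alert(1)</script>", "2022-01-01")):
        out = render_alert(rec)
        print(out["text"], "\nlinks:", links_in(out["html"]), "\n")
```

The `links_in` check is the one worth wiring into the send pipeline: whatever the breach feed contains, a rendered alert that carries any href other than the service's own login page should fail before it is sent.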

Example of a safer alert that avoids a risky clickable third party link

Security alerts should reduce risk. They should not create a new path from a trusted inbox to scam infrastructure.

What users should do

Do not click links inside breach alert emails.

Open the identity protection service directly from a saved bookmark or by typing the known official domain into the browser.

Use a password manager so you can check whether a domain is one where you actually have an account.

Keep unique passwords for every service.

When an alert references a domain you do not recognize, treat it as suspicious until you verify it independently.
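The password-manager check suggested above, as an added example that is not from the article: it compares the domain named in an alert against the list of sites a vault export contains. VAULT_DOMAINS is a constructed sample of registrable domains as a vault would list them, and the alert values are placeholders. It also handles the lookalike case, where a hostname merely contains a known name as a prefix, which must not count as a match.

```python
"""Added example (not from the article): decide whether the domain in an alert
is one where you actually hold an account, using a password manager's list of
sites. Assumptions: VAULT_DOMAINS is a constructed sample of registrable
domains as a vault export would list them; the alert values are placeholders."""
from typing import Iterable, Optional
from urllib.parse import urlsplit

VAULT_DOMAINS = {"example-bank.test", "example-shop.test",
                 "protect.example-service.test"}  # constructed sample vault


def host_of(value: str) -> Optional[str]:
    """Accept a bare host, a full URL or a defanged name and return the lowercase
    hostname, or None when no hostname can be read from it."""
    value = value.strip().replace("[.]", ".")          # refang example[.]test
    if "://" not in value:
        value = "//" + value                           # let urlsplit see a netloc
    try:
        host = urlsplit(value).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None


def account_match(alert_value: str,
                  vault: Iterable[str] = VAULT_DOMAINS) -> Optional[str]:
    """Return the vault domain the alert host belongs to, or None.

    A match means the host equals a vault entry or is a subdomain of it
    (login.example-shop.test matches example-shop.test). A host that only
    starts with a known name (example-bank.test.evil.test) does not match,
    which is the lookalike trick the endswith check is there to catch."""
    host = host_of(alert_value)
    if not host:
        return None
    for entry in vault:
        if host == entry or host.endswith("." + entry):
            return entry
    return None


def triage(alert_value: str, vault: Iterable[str] = VAULT_DOMAINS) -> str:
    """One-line advice for the alert: known account or not."""
    match = account_match(alert_value, vault)
    if match:
        return f"known account at {match}: log in there from a bookmark, not via the email link"
    return "no account with this domain: treat the alert link as suspicious"


if __name__ == "__main__":
    for value in ("login.example-shop.test",
                  "https://example-shop.test/reset?token=1",
                  "example-bank.test.evil.test",
                  "example-bank[.]test",
                  "breached-example.test"):
        print(f"{value:45} -> {triage(value)}")
```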

Clarification

Receiving a ProtectMyID email with a clickable link to a scam domain is the confirmed fact from my experience.

The domain history, archive snapshots, redirects, and malware observations are based on public records and my own investigation.

The traffic and exposure numbers are estimates based on visible public signals. They should not be read as exact victim counts.

The broader conclusion is still important. If a trusted identity protection service sends clickable domains from untrusted breach data, it can help scammers reach users at scale.

Stay alert and stay safe.