Signs it may be real
A legitimate notice usually
- 1.It identifies the organization and provides a clear explanation of the incident.
- 2.It describes what personal information may have been involved.
- 3.It gives you a way to verify the notice using the organization’s official website or phone number.
- 4.It does not demand immediate payment, passwords, or your full Social Security number.
- 5.It may mention your state’s attorney general filing process or the organization’s regulatory obligations.
- 6.It provides practical protective steps rather than creating panic.
- 7.It contains a privacy notice or a contact method you can independently confirm.
Warning signs
A scam often
- 1.A surprise text or email pressures you to act within minutes.
- 2.It asks you to pay a fee to “secure” your identity or receive a settlement.
- 3.It asks for a password, verification code, bank login, or full Social Security number.
- 4.The sender address is slightly misspelled or unrelated to the company.
- 5.A link sends you to a page that does not use the organization’s legitimate domain.
- 6.It uses threats or unusually urgent language instead of explaining the incident.
- 7.It asks you to install software or give remote access to your device.
How to verify a letter safely
- 01
Do not use the letter’s link or phone number as your first step.
- 02
Type the organization’s website into your browser yourself, or use a customer-service number from a statement or card you already have.
- 03
Search the organization’s official newsroom or security notice page for the incident.
- 04
For many incidents, your state attorney general’s website may publish a copy of the notice or a summary of the filing.
- 05
If you still are not sure, call the organization through a verified channel and ask whether a notice was sent to you.
If you already clicked something
Change any password you entered, especially if you reuse it elsewhere. Contact your financial institution if you shared account details. You can report suspicious messages to the Federal Trade Commission at ReportFraud.ftc.gov. A real breach is stressful enough—no legitimate company should pressure you to hand over more sensitive information.