Call Don’t Click: Why it’s smarter to order federally mandated free credit reports via telephone, not the Internet: Summary
The World Privacy Forum urges consumers who qualify  to order a federally mandated free annual credit report  to call the toll free number (877-322-8228) instead of ordering their free credit report online. Calling the toll free number exposes consumers to fewer potential hazards than ordering online.  Consumers who try to use the official online site www.annualcreditreport.com may encounter numerous challenges, some of them potentially serious.
By calling the toll free number instead of visiting the online site, consumers are also protected from the potentially confusing sales and marketing information at the official free annual credit report site. 
Beyond issues with the annualcreditreport.com site, there are hazards posed by imposter Web domains. The World Privacy Forum has identified and confirmed 96 domain names that are close misspellings of the official site, annualcreditreport.com. At the time of writing, 50 of these imposter domains were active and luring unsuspecting consumers to questionable sites. Some of these deceptive imposter sites led consumers to official credit bureau sites – where individuals would have to pay a fee instead of being able to access a federally mandated free credit report.
The problem of the misspelled domain names is particularly troubling because the credit bureaus are refusing to allow legitimate news organizations, consumer groups, and other legitimate companies to link to the official free credit site.  Currently, only four sites are able to link to the official free credit report site: the Federal Trade Commission (FTC) and the three credit bureaus, Experian, Equifax, and TransUnion.
Unless consumers are clicking from one of these four sites, they must type in or copy and paste the free credit report site address. Given that numerous deceptive sites are actively misleading consumers by claiming to be the official site, and are typically only one letter or one easy typo away from the “real site,” it is altogether too easy for consumers to get trapped by an imposter domain.
One credit bureau apparently thought about this issue; Experian took out at least 28 known domains of common typos for annualcreditreport.com on July 27, 2004. However, Experian and the other credit bureaus left dozens of potential domain names up for grabs, many of which were picked up by “pay per click” companies. Consumers are now left to weed their way through a jungle of imposter sites whose only purpose is to gather “clicks” for money.
Meanwhile, various companies appear to be actively advertising commercial services through keyword advertising campaigns and or affiliate marketing programs.  The imposter domains can profit from these campaigns and programs. For example, an online ad or affiliate marketing campaign studied for this report included the keywords “free +credit + report + online.” This program sent consumers to Experian and other credit services via the imposter sites.  The Experian, TransUnion, and Equifax credit bureaus all have active affiliate marketing campaigns that encourage domain owners to send visitors to their commercial, for-pay service sites. 
If consumers do manage to find their way to the official annualcreditreport.com site, they still face challenges. TransUnion, for example, automatically selects consumers to receive marketing information through a small, pre-checked box at the bottom of a registration page. If the box is left checked, TransUnion may then share the consumer’s information with its business affiliates and partners.
Consumers also have up to four different privacy policies to read and understand. Additionally, one credit bureau, TransUnion, is requesting consumer email addresses in a way that does not indicate the submission of the information is voluntary and is not necessary for getting a free credit report.
Summary of findings regarding misspelled domains:
- Ninety six (96) total domains with close or nearly identical spellings of annualcreditreport.com have been purchased. Of these, 28 domains are owned by Experian. Sixty eight (68) domains are owned by other individuals.
- There are 50 known imposter domains that are “live.” Many of these 50 known imposter domains label their home pages as the official annualcreditreport.com site, even though they are not in fact the official site. There may be more imposter domains that have not been found yet.
- The “live” imposter domains actively send consumers to commercial credit services and credit bureaus. The imposter domains get paid for doing this via “pay per click” online advertising and affiliate marketing schemes. Some pay per click schemes run through search engines. Pay per click schemes can also operate through affiliate marketing programs.
- Experian, TransUnion, and Equifax are not allowing legitimate news, consumer, and other organizations to link to the official annualcreditreport.com Web site. This means that consumers have even a greater chance of misspelling domains because they must type the name in instead of click on a link. Meanwhile, the credit bureaus are allowing active links to their commercial service sites from affiliate marketing programs.
Summary of Findings from analysis of the actual AnnualCreditReport.com site:
- TransUnion’s implementation of its free credit report system is problematic in several respects. When consumers use the official annualcreditreport.com site to order reports from TransUnion, they are automatically selected to receive marketing information and product offers from subsidiaries and affiliates. This is done via a check box that is already checked.
- TransUnion requests an email address from consumers who want to order a federally mandated free credit report. But TransUnion does not state that submission of the email address is voluntary.
- TransUnion requires consumers to register at its site prior to seeing their federally mandated free credit report. TransUnion is the only credit bureau with this requirement.
- Two credit bureaus, Experian and Equifax, have employed potentially confusing menu formatting in their implementation of their free credit report offerings.
- Consumers who use the official annualcreditreport.com site to order all three of their credit reports will be subject to a total of four different privacy policies.
- The FTC needs to take down the misspelled domains that deceptively state on their home pages that they are annualcreditreport.com.
- Those Web sites that state in their source code that they are referring consumers from a domain other than the actual domain should be held accountable for deceptive practices. This would apply especially to questionable sites that redirect consumers to legitimate businesses by altering the domain referrer information.
- The FTC should require all three credit bureaus to cease and desist immediately from participating in any online keyword advertising or affiliate marketing campaign that contains the words “free credit report” or “annual credit report” if the campaign sends consumers to their for-pay commercial services. Additionally, the credit bureaus should be required to police their affiliates more closely for abuses.
- The FTC needs to require the credit bureaus to immediately stop “blacklisting” legitimate non-profit organizations, news outlets, and other entities from linking to the official annualcreditreport.com site. Due to the 68 known imposter sites, there is a clear risk in not allowing Web linking to the official site from legitimate organizations.
- Menu options at the credit bureau subsections of annualcreditreport.com need to be labeled conspicuously as either specifically for the federally mandated free credit report or for a commercial service unrelated to the free credit report.
- TransUnion should not be allowed to automatically select consumers to receive marketing material and have their information shared with affiliates and partners. Further, TransUnion should not be requesting an email address to send marketing information to via a site designed primarily to allow consumers to get their federally mandated free credit report. If TransUnion is going to continue to request email addresses from consumers — information that is not required for receiving a free credit report — then the email address request should be clearly labeled as a voluntary submission at the time it is requested. Currently, it is not labeled as a voluntary submission.
- Some attention needs to be paid to the fact that consumers will have to read four privacy policies in order to understand their rights at the official online site. If this process can be simplified or made clearer, then it should be.
 Residents in Alaska, Arizona, California, Colorado, Hawaii, Idaho, Montana, Nevada, New Mexico, Oregon, Utah, Washington, and Wyoming can order a free report beginning December 1, 2004. Residents in Illinois, Indiana, Iowa, Kansas, Michigan, Minnesota, Missouri, Nebraska, North Dakota, Ohio, South Dakota, and Wisconsin can order a report beginning March 1, 2005. Residents in Alabama, Arkansas, Florida, Georgia, Kentucky, Louisiana, Mississippi, Oklahoma, South Carolina, Tennessee, and Texas can order a free report starting June 1, and residents in Connecticut, Delaware, Maine, Maryland, Massachusetts, New Hampshire, New Jersey, New York, North Carolina, Pennsylvania, Rhode Island, Vermont, Virginia, and West Virginia, the District of Columbia, Puerto Rico, and all U.S. territories can order their free reports beginning September 1, 2005. Source: < http://www.ftc.gov/bcp/conline/pubs/credit/freereports.htm>.
 For more information about why free credit reports have been mandated by the Federal government, see the discussion at the FTC pages. < http://www.ftc.gov/bcp/conline/pubs/credit/freereports.htm>.
 Michigan Attorney General Mike Cox has suggested in a February 2005 consumer alert several tips for consumers who phone in for their reports. First, request that only the last four digits of the SSN are shown on the mailed report, and send the report to a secured mail box. For the complete consumer alert, please see <http://www.michigan.gov/printerFriendly/0,1687,7-164-34391-111010– ,00.html>.
 Federally mandated credit reports may also be ordered by mail. See the Resources section of this report for directions on how to do this.
 See Figure 2 in this report. Also see EPIC’s letter to the FTC asking the agency to unblock Web links. “Free Annual Credit Report Site is Blocking Web Links,” December 7, 2004. < http://www.epic.org/privacy/fcra/freereportltr.html>
 Affiliate marketing programs are a common feature of the Internet at this point. The issue with affiliate marketing programs is that because they typically pay a commission to sites that bring in visitors through active links, some domain owners have abused the programs by creating thousands of phony or “typo” sites to bring in visitors for certain keywords. Some affiliate marketing programs are well-policed for abuses, others less so. For additional information about this subject, see Wired, “Shady Web of Affiliate Marketing,” Feb. 10, 2005, Ryan Singel. See< http://www.wired.com/news/privacy/0,1848,66556,00.html >.
 Online ad campaigns based on keywords and search engines can be dynamic and complex. For more on this, see Google AdSense and Overture as two examples of how these kinds of campaigns generally operate. Sites: < http://www.google.com/ads/> and < http://www.content.overture.com/d/USm/ays/ps.jhtml>.
 TransUnion’s TrueLink affiliate program is at:< http://www.truelink.com/affiliate/faq.html#1>; Equifax’s Link Partner Program is at < http://www.equifax.com/link_partners/ > ; Experian’s CreditExpert affiliate program is available at: <https://www.creditexpert.com/CE_site/Message.aspx?PageTypeID=Affiliate Program_CE>.
Roadmap: Call, Don’t Click – Why it’s smarter to order federally mandated free credit reports via telephone, not the Internet: Summary