CALL DON'T CLICK: Why it’s smarter to order federally mandated free credit reports via telephone, not the Internet
Pam Dixon, Principal Investigator *
Released February 25, 2005
Report Updated March 8, 2005
Important Update Notes:
It is unusual to update a research report just one week after its release. However, after the publication of Call Don't Click, a number of changes took place very quickly. First, the Weblinking problem this report documented was addressed by a policy change at the three credit bureaus. Second, one of the issues this report documented with the TransUnion credit bureau was addressed by a policy change from TransUnion. With the exception of these two changes, the remaining issues documented in the report are as stated. For example, issues with affiliate marketing campaigns, typo domains, and confusing menu bars remain.
More details on the updates:
Weblinking: As of noon February 28, 2005, the credit bureaus changed the no-linking policy described in this report and began allowing news organizations and other sites to link directly to the Annualcreditreport.com site.
TransUnion pre-selection of consumers to receive marketing information: Confirmed as of March 4, 2005, TransUnion changed its preselection policy described in this report and no longer automatically opts consumers in to receive marketing offers through a checkbox at the bottom of its registration page. However, TransUnion still asks for an email address.
Shift in imposter domains: As soon as this report was published, the imposter "typo" domains began shifting and moving. We are tracking those changes and will publish an update to the imposter list in the coming weeks.
We have noted updated information in the text by an asterisk and corresponding endnotes to preserve the flow and integrity of the original text. We will continue to monitor changes and update as needed.
Experian typo domains: It is also important to note that a number of press reports are quoting this report as finding that Experian is diverting consumers via its 28 typo domains. This is not the finding of this report. To reiterate the report findings, the Experian typo domains are not live domains, and are not available online.
The World Privacy Forum urges consumers who qualify to order a federally mandated free annual credit report to call the toll free number (877-322-8228) instead of ordering their free credit report online. Calling the toll free number exposes consumers to fewer potential hazards than ordering online. Consumers who try to use the official online site www.annualcreditreport.com may encounter numerous challenges, some of them potentially serious.
By calling the toll free number instead of visiting the online site, consumers are also protected from the potentially confusing sales and marketing information at the official free annual credit report site. 
Beyond issues with the annualcreditreport.com site, there are hazards posed by imposter Web domains. The World Privacy Forum has identified and confirmed 96 domain names that are close misspellings of the official site, annualcreditreport.com. At the time of writing, 50 of these imposter domains were active and luring unsuspecting consumers to questionable sites. Some of these deceptive imposter sites led consumers to official credit bureau sites where individuals would have to pay a fee instead of being able to access a federally mandated free credit report.
The problem of the misspelled domain names is particularly troubling because the credit bureaus are refusing to allow legitimate news organizations, consumer groups, and other legitimate companies to link to the official free credit site.  Currently, only four sites are able to link to the official free credit report site: the Federal Trade Commission (FTC) and the three credit bureaus, Experian, Equifax, and TransUnion. * [See update 1]
Unless consumers are clicking from one of these four sites, they must type in or copy and paste the free credit report site address. Given that numerous deceptive sites are actively misleading consumers by claiming to be the official site, and are typically only one letter or one easy typo away from the “real site,” it is altogether too easy for consumers to get trapped by an imposter domain.
One credit bureau apparently thought about this issue; Experian took out at least 28 known domains of common typos for annualcreditreport.com on July 27, 2004. However, Experian and the other credit bureaus left dozens of potential domain names up for grabs, many of which were picked up by “pay per click” companies. Consumers are now left to weed their way through a jungle of imposter sites whose only purpose is to gather “clicks” for money.
Meanwhile, various companies appear to be actively advertising commercial services through keyword advertising campaigns and/or affiliate marketing programs. The imposter domains can profit from these campaigns and programs. For example, an online ad or affiliate marketing campaign studied for this report included the keywords “free +credit + report + online.” This program sent consumers to Experian and other credit services via the imposter sites. The Experian, TransUnion, and Equifax credit bureaus all have active affiliate marketing campaigns that encourage domain owners to send visitors to their commercial, for-pay service sites.
If consumers do manage to find their way to the official annualcreditreport.com site, they still face challenges. TransUnion, for example, automatically selects consumers to receive marketing information through a small, pre-checked box at the bottom of a registration page. * [See update 2]. If the box is left checked, TransUnion may then share the consumer’s information with its business affiliates and partners.
Consumers also have up to four different privacy policies to read and understand. Additionally, one credit bureau, TransUnion, is requesting consumer email addresses in a way that does not indicate the submission of the information is voluntary and is not necessary for getting a free credit report.
Summary of findings regarding misspelled domains:
Summary of Findings from analysis of the actual annualcreditreport.com site
Discussion of Findings
The report findings are divided into two sections: findings on fraudulent domains, and findings relating directly to the actual annualcreditreport.com site.
Findings on Fraudulent, Deceptive, or Misspelled Domains
To date, 96 known misspelled domains are registered;  28 of these domains belong to Experian, 68 of these domains belong to other individuals who are exploiting the misspellings with deceptive “pretender” domains and pay per click marketing schemes that lead consumers to for-pay services at Experian and other credit services such as “MyFico” at FairIsaac. Of the total number of typo domains, 50 are currently online and some of these domains are highly deceptive. Of the 50 active imposter domains, there are two primary methods by which consumers are misled.
In the graphic below (Figure 1) is an example of an imposter domain. Here, annualceditreport.com is claiming on its home page to be annualcreditreport.com, and boasting that it is “Your Access to Free Credit Reports.”
Figure 1. An imposter domain. Note the misspelling of the URL in the address bar.
Misspelled domains owned by Experian
Experian purchased at least 28 domains on July 27, 2004.  Each domain is comprised of a close misspelling of annualcreditreport.com, the official free credit report site.
The Experian-owned misspelled domains are:
The Experian domains have name servers of ns03/ns04 consumerinfo.com. This is important, because even though these domains were registered to GoDaddy via Domains by Proxy, nameservers are unlikely to lie.
ConsumerInfo.com is an Experian company, and is an active domain. Its nameservers are ns03/ns04 consumerinfo.com, the same as the domains above.
Qspace.com, a domain receiving numerous “pay per click” flows from the parked domains mentioned in this report, is also registered to ConsumerInfo.com, and uses the ns03/ns04 consumerinfo name servers.
As of the report date, the 28 Experian domain names listed above did not have active Web sites.
Misspelled Domains Owned by Other Companies
Researchers found 68 misspelled domains owned by a variety of companies and individuals. The total known number of the misspelled domains known to be owned or hosted by pay per click companies is 68. Fifty (50) of the domains are live; 18 have been taken out but were not online as of the time of writing.
During research for this report, a number of the domains changed status. For example, one domain that was live in December still exists, but has been taken offline. Other domains that were not online now are.
There is a high possibility that more misspelled domains already exist, or will be taken out in the future. There is also the possibility that the live and non-live domains will continue to shift. * [See update 3].
50 “live” imposter domains:
18 purchased imposter domains not currently online:
Other Problematic Domains to be aware of
The domain annualcreditservice.com is associated with pay-per-click schemes and sends consumers to various for-pay services. It is included here because the site also uses the annualcreditreportinfo.org name deceptively. Annualcreditreportinfo.org is a domain owned by the three credit bureaus, not by annualcreditservice.com.
How the Owners of the Misspelled Domains are Making Money on Consumer Confusion
The deceptive and misspelled domains that are hosted at or owned by “pay per click” companies are highly problematic on a number of levels.
First, the misspelled sites are sending consumers to for-pay services at the credit reporting bureaus, and the owners of the misspelled imposter sites are getting paid to do this. They are getting paid because someone somewhere paid for a keyword or Internet marketing campaign. There is a possibility that the credit bureaus themselves are paying the misspelled sites or their partners because the imposter sites or their partners have joined one or more of the credit bureaus’ “affiliate” programs. 
What is most troubling is that the keyword phrase “free online credit report” is being used to target and send consumers to for-pay services at Experian and other sites instead of to the federally mandated free credit report site, annualcreditreport.com.
How the scheme works: the specifics
This is a simplified explanation of what is happening to consumers. For more details and examples of how the source code looks and operates, please see Appendix A.
1. An individual types in the official annualcreditreport.com domain name with a misspelling. In this example the typo domain is annualcresitreport.com.
2. The annualcresitreport.com domain name is parked at or managed by a “pay per click” domain company. In this example, the annualcresitreport.com Web site is parked at DomainSponsor.com.
3. The annualcresitreport.com home page contains links to Free Credit Reports and similar topics. (PDF of home page).
4. Consumers who click on the “Free Credit Report Online” links will be taken to a page of “sponsored links.” The four sponsored links on the site in this example are “Free Credit Report Now,” “Instant Credit Report,” “Online Credit Report,” and “Free Credit Report.” (PDF of Sponsored Links page).
5. After clicking one of these sponsored links, individuals will be redirected through a series of Web sites. This will happen so quickly that most will never see the information flashing across the address bar. For example, say a consumer clicks on the sponsored link “Free Credit Report.” In this example, that link will take the consumer first to Information.com then to Google.com, then finally, the consumer will land on an Equifax credit bureau site that lets consumers check their credit -- for a fee. All of this redirection will happen in the blink of an eye and will not be obvious to most consumers.
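The redirection in step 5 can be made visible by replaying a recorded click and listing every host the browser passed through, along with the query values handed from hop to hop. This is an added example, not code or data from the original report; the hostnames, URLs and parameter names are constructed placeholders, and only the keyword phrase is taken from the report.

```python
# Added example: replay a recorded redirect chain and show what is passed along.
from urllib.parse import parse_qsl, urljoin, urlsplit

OFFICIAL_HOST = "annualcreditreport.com"

# Constructed capture of one sponsored-link click (placeholder hosts).
START = "http://typo-parked.example/click?kw=free+credit+report+online&slot=4"
RESPONSES = [  # (HTTP status, Location header) for each request in order
    (302, "http://search-partner.example/r?q=free+credit+report+online&src=typo-parked"),
    (302, "//ad-network.example/aclk?q=free+credit+report+online&aff=12345"),
    (301, "https://paid-bureau.example/order?campaign=free+credit+report+online"),
    (200, None),
]


def walk(start, responses):
    """Return every URL requested, following each 3xx Location in turn."""
    urls = [start]
    for status, location in responses:
        if 300 <= status < 400 and location:
            # urljoin resolves relative and scheme-relative Location values.
            urls.append(urljoin(urls[-1], location))
        else:
            break
    return urls


def host_of(url):
    """Lower-cased hostname without a leading 'www.' label."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def carried_values(urls):
    """For each later hop, the query values that came from the first request."""
    first = {value for _, value in parse_qsl(urlsplit(urls[0]).query)}
    carried = []
    for url in urls[1:]:
        later = {value for _, value in parse_qsl(urlsplit(url).query)}
        carried.append((host_of(url), sorted(first & later)))
    return carried


def report(start, responses):
    """Summarise the chain: hosts in order, intermediaries, landing host,
    whether the landing host is the official site, and carried values."""
    urls = walk(start, responses)
    hosts = [host_of(u) for u in urls]
    return {
        "hosts": hosts,
        "intermediaries": hosts[1:-1],
        "landing": hosts[-1],
        "landed_on_official_site": hosts[-1] == OFFICIAL_HOST,
        "carried": carried_values(urls),
    }


if __name__ == "__main__":
    for key, value in report(START, RESPONSES).items():
        print(f"{key}: {value}")
```

Redirects performed inside an iFrame or by script do not appear as 3xx responses, so a capture for this purpose has to come from a browser-level recording rather than a plain HTTP client.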
The reason this redirection happens is so that keywords or search terms can be passed along to advertising partners. This ensures that everyone in the chain gets a commission from the click. Meanwhile, ConsumerInfo.com/Experian gets customers. And the owner of the annualcresitreport.com domain gets a potential financial payout from the click-through. Everyone makes money or gets a benefit, except for the consumer who did not make it to the real annualcreditreport.com site. For the record, the annualcresitreport.com imposter site in this example had four “sponsored links” leading to the following sites:
Specific Pay Per Click Companies Involved in AnnualCreditReport.com misspellings
As previously stated, 68 of the 96 misspelled domains are registered to or somehow connected to pay-per-click companies. These companies specialize in creating hundreds and sometimes thousands of domains for the sole purpose of making money from keyword or search engine ad sales. Usually the only way these imposter sites make money in the context of the misspelled domains is when an individual misspells a domain and clicks all the way through to a final destination page, which in some cases only takes two or three exploratory clicks.
Many of the imposter domains are redirected by DomainSponsor, a “pay per click” domain parking engine. This is revealed by the name servers of nsproredirect1/nsproredirect2, which are the well-known name servers Domain Sponsor allows domain parkers to use. The domains parked at Domain Sponsor make extensive use of iFrames to disguise what is happening to consumers. Imposter domains that were “live” at the time of writing were hosted by the following companies on the following name servers:
Note: One misspelled domain that was live in December 2004 was hosted by Fabulous at Fabulous.com name servers. However, this domain was taken down and no other Fabulous hosted domains were found.
Consumers who mistype in annualcreditreport.com and land at one of these active imposter domains will be besieged by pop-ups, pop-unders, and persistent advertisement windows. Researchers documented pop-up advertisements for Phoenix University, virus scanning software, a host of “free” items, and credit report advertisements.
Consumers who land on these domains should simply close their browsers and start over, or simply call the toll free number for their credit report.
Based on the WHOIS registry information and information on Information.com and DomainSponsor, it is possible to go one step further. DomainSponsor.com is registered by Oversee.net, and Information.com is also registered by Oversee.net. Information.com states on its Web site that it is an Oversee.net company. It appears that Information.com uses its apparent DomainSponsor product to set up imposter domains and feeds the keywords and ad campaigns into its own search engine.
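The nameserver comparison this report relies on, both for the Experian-owned domains and for the domains parked at DomainSponsor, can be expressed as a walk along NS records until a nameserver domain with a known operator is reached. This is an added example, not the researchers' own tooling; the record lines are constructed in `dig NS` answer layout, the individual nameserver hostnames are assumptions written out from the names the report gives, and `other-site.example` is a placeholder.

```python
# Added example: attribute domains to an operator by following NS records.
import re
from collections import defaultdict

# Nameserver domains that this report ties to an operator.
KNOWN_OPERATORS = {
    "consumerinfo.com": "ConsumerInfo.com (Experian)",
    "oversee.net": "Oversee.net (parent of DomainSponsor)",
}

# Constructed answer lines (not captured output); hostnames are assumptions.
SAMPLE = """\
; constructed sample in dig answer-section layout
annualcresitreport.com.  3600 IN NS ns1.proredirect.com.
annualcresitreport.com.  3600 IN NS ns2.proredirect.com.
proredirect.com.         3600 IN NS ns1.oversee.net.
proredirect.com.         3600 IN NS ns2.oversee.net.
qspace.com.              3600 IN NS ns03.consumerinfo.com.
qspace.com.              3600 IN NS ns04.consumerinfo.com.
other-site.example.      3600 IN NS ns1.hosting.example.
"""

NS_LINE = re.compile(r"^(\S+?)\.?\s+\d+\s+IN\s+NS\s+(\S+?)\.?\s*$", re.I)


def parse_ns(text):
    """Map each owner name to the set of nameserver hosts listed for it."""
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # dig comments start with ';'
        match = NS_LINE.match(line)
        if match:
            records[match.group(1).lower()].add(match.group(2).lower())
    return dict(records)


def ns_parent(host):
    """Last two labels of a nameserver host. Enough for .com/.net names;
    names such as example.co.uk would need a public-suffix list."""
    return ".".join(host.split(".")[-2:])


def attribute(domain, records, known=KNOWN_OPERATORS, max_hops=5):
    """Follow domain -> nameserver domain -> its nameserver domain ... and
    return (operator or None, chain of domains visited)."""
    chain, current = [domain], domain
    for _ in range(max_hops):
        parents = {ns_parent(h) for h in records.get(current, ())}
        hits = sorted(p for p in parents if p in known)
        if hits:
            chain.append(hits[0])
            return known[hits[0]], chain
        if len(parents) != 1:
            return None, chain      # no NS data, or split across providers
        nxt = parents.pop()
        if nxt in chain:
            return None, chain      # self-hosted or looping delegation
        chain.append(nxt)
        current = nxt
    return None, chain


def cluster(domains, records):
    """Group domains by attributed operator; unknowns go to 'unattributed'."""
    groups = defaultdict(list)
    for domain in domains:
        operator, _ = attribute(domain, records)
        groups[operator or "unattributed"].append(domain)
    return dict(groups)


if __name__ == "__main__":
    recs = parse_ns(SAMPLE)
    print(cluster(["annualcresitreport.com", "qspace.com", "other-site.example"], recs))
```

Shared nameservers indicate shared hosting or management, not necessarily ownership, which is why the report pairs this comparison with WHOIS registration data.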
Findings on Official Site AnnualCreditReport.com
Blacklisting, or not allowing active Web linking to the annualcreditreport.com site, is an ongoing issue. But those consumers who do manage to land at the official annualcreditreport.com site have further challenges to contend with.
Namely, there are issues regarding automatic selection for marketing and information sharing, menu confusion, and up to four different privacy policies to read and understand. Additionally, one credit bureau, TransUnion, is requesting consumer email addresses in a way that does not indicate the submission of the information is voluntary and is not required for receiving a free credit report.
Blacklisting for those who link to annualcreditreport.com * [See update 1]
As of December 1, 2004, this is the message consumers saw when they clicked a link to annualcreditreport.com from all sites but the FTC and the three credit bureaus:
Figure 2. Original Black List Message from the official annualcreditreport.com site.
It is intriguing that the credit bureaus are allowing imposter domains to help send them business via online ad links and affiliate marketing, while at the same time they are blocking legitimate organizations from sending consumers to the official free credit report site via online links.
The most current blocking message the credit bureaus are putting on the annualcreditreport.com site is as follows:
Again, it should be pointed out that the three credit bureaus allow affiliate marketing sites to actively link to the bureaus’ credit services. It is unknown how security risks are mitigated in the instances of affiliate marketing linking to credit bureaus’ commercial sites.
TransUnion Marketing to Consumers and Email Collection
If consumers use annualcreditreport.com to collect their federally mandated free credit report from the TransUnion credit bureau, consumers will run into two immediate issues. First, TransUnion pre-selects a checkbox that gives it permission to send consumers marketing and affiliate offers. Secondly, unlike the other two credit bureaus, TransUnion requests consumer email addresses at its registration page.
A third general issue to note is that TransUnion, unlike the other two credit bureaus, requires consumers to register at the TransUnion site in order to view their federally mandated free credit report. Registration requires consumers to provide more information than would otherwise be necessary.
TransUnion “Auto-Opt In” * [See update 2]
On the TransUnion subsection of the official annualcreditreport.com site, consumers are automatically selected to receive marketing emails and have their information potentially shared with affiliates and partners. TransUnion accomplishes this by displaying a checked box on the bottom of the page on its site. If consumers do nothing, they will be effectively choosing to receive marketing and affiliate offers.
The text of the TransUnion pre-checked offer states:
This pre-selection is problematic on a number of fronts. First, consumers should not be forced to de-select themselves from marketing and affiliate offers when they are going to the site specifically for collecting a federally mandated free credit report. It is important to note that in order to get those product offers from subsidiaries and partners, TransUnion may share consumers’ relevant information.
Secondly, the checked box is at the very bottom of the page, and may easily be overlooked by consumers.
Because TransUnion requires consumers to register in order to access federally mandated free credit reports, this statement about name and email address sharing with third parties will very likely apply to consumers who neglect to uncheck the box and who provide email addresses.
It is unknown if TransUnion’s auto-selection of consumers at annualcreditreport.com will override previous opt-outs consumers have made. For example, if a consumer has previously called to stop affiliate information sharing, will keeping the TransUnion checkbox checked reverse this choice? This is a question the FTC needs to address with TransUnion.
Neither Equifax nor Experian is automatically selecting consumers to receive marketing information and affiliate offers.
TransUnion Email Address Requests
On the same page where TransUnion automatically selects consumers to receive marketing offers, TransUnion also requests consumers’ email addresses. The email address is requested in the same space that requests information such as name and address and SSN. (Click here to see TransUnion email request PDF)
TransUnion does not specifically disclose that giving an email address is voluntary. If an individual clicks on a link under the email address request, a box pops up with an explanation of why TransUnion is asking for it.
This is the text of the TransUnion email explanation:
In order to view a federally mandated free credit report online, there is no need for an individual to give a credit bureau an email address. The report displays online through the Web browser, and is not sent via email. The other two credit bureaus do not request email addresses from consumers as a prerequisite to viewing the free credit report.
Consumers’ email addresses are an additional and optional piece of information that TransUnion does not need to have.
It should be noted that Experian in its implementation of the federally mandated free credit report does give consumers an opportunity to provide an email address much later in the reporting process. This is done only if a consumer chooses to dispute an item in the credit report. The notification of why the email is requested is very clear, and it is made very clear that the submission of the email address is voluntary.
Potentially Confusing Menu Bars at the annualcreditreport.com Site
The three credit bureaus have been allowed by the FTC to advertise for their commercial services at the annualcreditreport.com site. Generally speaking, because of this, the menu design of the individual credit bureaus’ aspect of the annualcreditreport.com site is not optimal.
For example, when an individual is viewing their free credit report online via the annualcreditreport.com site, menu items for the free credit report show up. But menu items for commercial items also show up, and sometimes in a way that makes it look as if those commercial items are part of the free credit report. For example, the Equifax menu bar is all one color, and it is very difficult to differentiate between items that are part of the free credit report and items that are not.
Experian’s menu bar is a little better, but not perfect. The Experian menu bar at the time of researchers’ visits was color-coded to differentiate the free materials from the for-pay materials, but there was still room for consumer confusion.
The menu bar issue could be easily remedied by the credit bureaus by clearly labeling the for-pay menu items as “commercial services” and separating the for-pay menu items clearly from the free credit report menu items.
Privacy Policies at annualcreditreport.com
An individual who goes to annualcreditreport.com and orders credit reports from all three credit bureaus will be subject to four different privacy policies: the annualcreditreport.com policy, and the policies of all three credit bureaus. These policies will be in effect at different times of consumers’ visit and generally do not overlap.
Archive of relevant annualcreditreport.com privacy policies:
Toll Free number for accessing federally mandated free credit report:
For mailing, complete the Annual Credit Report Request Form and mail it to:
Annual Credit Report Request Service
P.O. Box 105281
Atlanta, GA 30348-5281
The Annual Credit Report Request Form is available online at:
Federal Trade Commission page on Free Annual Credit Reports:
Dave Del Torto of Cryptorights.org was instrumental in the early stages of this research.
Daniel Brandt of Namebase.org provided information on the details of online ad campaigns and how the click flows work with affiliate marketing programs.
Gary Mittman of Nami Media provided information about the “pay per click” business model and world.
Daryl Swensson, Technology Research Fellow at the World Privacy Forum, assisted in the proofing of the early report drafts.
L.K. Davidson provided editorial proofing.
John Boak, Webmaster of World Privacy Forum, created the design for the report.
Jordana Beebe of Privacy Rights Clearinghouse and Daniel Brandt of Namebase.org provided particularly important feedback during the peer review process.
Tips provided by the Attorney General of Michigan’s February 2005 consumer alert were indispensable in thinking through the consumer information in the report.
Update 2: TransUnion has halted its practice of pre-selecting consumers. However, if consumers choose to receive the newsletter, consumers will still have their credit and other information shared. Please note that TransUnion still requires consumers to register at its site to get a free credit report, and still asks for an email address.
 Residents in Alaska, Arizona, California, Colorado, Hawaii, Idaho, Montana, Nevada, New Mexico, Oregon, Utah, Washington, and Wyoming can order a free report beginning December 1, 2004. Residents in Illinois, Indiana, Iowa, Kansas, Michigan, Minnesota, Missouri, Nebraska, North Dakota, Ohio, South Dakota, and Wisconsin can order a report beginning March 1, 2005. Residents in Alabama, Arkansas, Florida, Georgia, Kentucky, Louisiana, Mississippi, Oklahoma, South Carolina, Tennessee, and Texas can order a free report starting June 1, and residents in Connecticut, Delaware, Maine, Maryland, Massachusetts, New Hampshire, New Jersey, New York, North Carolina, Pennsylvania, Rhode Island, Vermont, Virginia, and West Virginia, the District of Columbia, Puerto Rico, and all U.S. territories can order their free reports beginning September 1, 2005. Source: < http://www.ftc.gov/bcp/conline/pubs/credit/freereports.htm>.
 For more information about why free credit reports have been mandated by the Federal government, see the discussion at the FTC pages. < http://www.ftc.gov/bcp/conline/pubs/credit/freereports.htm>.
 Michigan Attorney General Mike Cox has suggested in a February 2005 consumer alert several tips for consumers who phone in for their reports. First, request that only the last four digits of the SSN are shown on the mailed report, and send the report to a secured mail box. For the complete consumer alert, please see <http://www.michigan.gov/printerFriendly/0,1687,7-164-34391-111010--,00.html>.
 See Figure 2 in this report. Also see EPIC’s letter to the FTC asking the agency to unblock Web links. “Free Annual Credit Report Site is Blocking Web Links,” December 7, 2004. < http://www.epic.org/privacy/fcra/freereportltr.html>
 Affiliate marketing programs are a common feature of the Internet at this point. The issue with affiliate marketing programs is that because they typically pay a commission to sites that bring in visitors through active links, some domain owners have abused the programs by creating thousands of phony or “typo” sites to bring in visitors for certain keywords. Some affiliate marketing programs are well-policed for abuses, others less so. For additional information about this subject, see Wired, “Shady Web of Affiliate Marketing,” Feb. 10, 2005, Ryan Singel. See <http://www.wired.com/news/privacy/0,1848,66556,00.html>.
 Online ad campaigns based on keywords and search engines can be dynamic and complex. For more on this, see Google AdSense and Overture as two examples of how these kinds of campaigns generally operate. Sites: < http://www.google.com/ads/> and < http://www.content.overture.com/d/USm/ays/ps.jhtml>.
 TransUnion’s TrueLink affiliate program is at:< http://www.truelink.com/affiliate/faq.html#1>; Equifax’s Link Partner Program is at < http://www.equifax.com/link_partners/ > ; Experian’s CreditExpert affiliate program is available at: <https://www.creditexpert.com/CE_site/Message.aspx?PageTypeID=Affiliate Program_CE>.
 For date, nameserver, and registration details on each of the registered domains, see Appendix B.
 This figure was determined by conducting DiG lookups and checking WHOIS registry information for the domains and then comparing the domain nameserver information with nameservers used to host other known Experian domains.
 Last check of the live domain names was conducted on February 21, 2005.
 For general information about how affiliate sharing can work, Wired Magazine has a good article on this subject. Wired, “Shady Web of Affiliate Marketing,” Feb. 10, 2005, Ryan Singel. See <http://www.wired.com/news/privacy/0,1848,66556,00.html>.
 A confirmation of this is the DiG lookup of proredirect.com: proredirect.com name servers are ns2.oversee.net and ns1.oversee.net. Oversee.net is the parent company for DomainSponsor.
 DomainSponsor, in its FAQ page, discusses the benefits of using pop-ups at sites parked at its service. See < http://www.domainsponsor.com/faq.html>.
 The Electronic Privacy Information Center complained to the FTC about this practice December 7, 2004. To date, the credit bureaus are still blocking active Web links to the official annualcreditreport.com site.
 Source: < www.annualcreditreport.com >. Last accessed February 24, 2005.
 Text confirmed in December 2004.