Consumer credit reporting agency Equifax has been in deep crisis mode after news broke earlier this month that the company was hacked, exposing personal information and social security numbers of 143 million people.

It seemed as though what happened was the worst possible crisis Equifax could face. That is until the agency made matters even worse by accidentally tweeting posts that referred potential breach victims to a phishing site, which was not affiliated with Equifax itself.

The confusion occurred after the company created an emergency website – equifaxsecurity2017.com – where customers could verify whether they have been affected by the breach. However, when sharing the link on Twitter, an Equifax employee misspelled the URL as securityequifax2017.com. The misspelled link directed visitors to a website that looked like an exact copy of the original, but had nothing to do with Equifax.

You can’t make this up. @Equifax just linked to a known phishing site. The phish link has been up for over 45 minutes. pic.twitter.com/6rquMysICE

— Knol Aust (@knolaust) September 20, 2017

Fortunately, the fake version doesn’t appear to be malicious. In fact, it was created by full-stack developer Nick Sweeting, who claims that he simply wanted to show that “Equifax made a huge mistake” by not hosting the emergency page on their own domain at equifax.com.

“I knew it would only cost me $10 to set up a site that would get people to notice, so I just did it,” Sweeting said to The New York Times.

Equifax has since deleted all tweets linking off to the fake website, some of which dated back as far as September 9.

The agency has also issued a short statement yesterday in response to the incident:

“We apologize for the confusion,” the statement said. “Consumers should be aware of fake websites purporting to be operated by Equifax. Our dedicated website for consumers to learn more about the incident and sign up for free credit monitoring is https://www.equifaxsecurity2017.com, and our company homepage is equifax.com. Please be cautious of visiting other websites claiming to be operated by Equifax that do not originate from these two pages.”

Becoming a victim of a hacking attack is one of the worst crisis scenarios a company can face. Partly, because there is little organizations can do to prevent it from happening. What they can do, however, is to prepare themselves for an effective and coordinated response to such crises.

Unfortunately, in the case of Equifax, several key mistakes have been made. Here’s what other businesses can learn from this incident:

  • Use your organization’s main domain to set up emergency pages.

What Equifax’s latest PR crisis demonstrates is how easy it is for criminals to mock websites that are not well known to consumers. If the agency created the new page under Equifax.com, it would have become much more obvious if someone tried to duplicate it under a slightly different URL.

  • Double- and triple-check all of your social media posts, including links.

Equifax’s mistake could be avoided, if only the employee responsible for the post made sure that the included link was the one provided by management rather than Google search results.

  • Always be vigilant

No matter how careful you may be, mistakes will occur every once in a while. In such scenarios, what becomes important is how fast you can identify and fix those mistakes. Unfortunately, Equifax’s social media team not only made the same mistake multiple times by tweeting the incorrect URL, but also failed to notice it for weeks. Always pay attention to what is going on in your organization’s social media news feed and monitor all activity surrounding your own posts.