Captain Obvious Alert: If a stranger contacts you asking for personal information...
2019 OPEN ENROLLMENT ENDS (most states)
Time: D H M S
...it's almost certainly a scam unless you're expecting the call and have verified their identity otherwise.
Yes, I know I'm violating my own earlier notice that I'm off the grid for a couple of days, but this development seems to warrant a quick post.
Earlier this evening I received the following email. I'm not including the sender's identifying information for obvious reasons:
Someone from this website contacted me to help with enrolling in health insurance. They created an account on healthcare.gov with an id of XXXXXXXX@acasignup.net instead of my email address and did not give me the password. I am trying to make some changes to my healthcare coverage and update my information.
I am very concerned with the safety of my information. I thought they were from the health insurance marketplace.
If you could change my id to my email and give me the password I would very much appreciate it.
If not I will assume you are an identity thief and contact the FBI.
Needless to say, I've already written this person back to assure them that a) No, I'm not an identity thief; b) No, I'm not the one who contacted them (and there's no one else "at" ACASignups.net to do so anyway); c) No, neither my server nor my site has has been hacked, and there's no email account or forwarder at the address they provided; and d) They absolutely should contact the appropriate authorities, although my recommendation would be to contact the fraud department at HC.gov first before going to the FBI.
My guess is that the "@acasignups.net" email address was pulled out of the scammer's butt in an attempt to get this person to provide sensitive personal info over the phone. I don't know whether the sender actually fell for it; I certainly hope not.
Anyway, this is an interesting development, and one which I'm actually surprised hasn't popped up before.
The obvious lesson: Don't trust strangers asking for sensitive information over the phone, especially if they're claiming to be a Nigerian Prince...
UPDATE: Thanks to the commentor below who points out that the phony email address in question appears to be @acasignup.net, not @acasignupS.net (no "s" before the ".net").