Connect with us

Technology

You could be sharing your Social Security number when you don’t need to

Published

on

You could be sharing your Social Security number when you don’t need to

NEWYou can now listen to Fox News articles!

Some Social Security number requests are not optional. Federal reporting systems rely on the SSN as a primary identifier.

Employment offers the clearest example. Employers collect your SSN to report wages and file taxes, including Form W-2 submissions. The Social Security Administration credits your earnings record with it. The IRS uses it to match payroll taxes with reported income. Federal agencies also require your SSN when you apply for certain benefits or meet tax obligations. If you refuse to provide your SSN in these situations, you can delay processing or lose access to services.

However, not every form carries that authority. Landlords, medical offices, schools, gyms and retailers often include an SSN field by default. In those cases, ask why they need it and whether another identifier will work. So how do you tell when your SSN is truly required and when you can push back?

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.

Advertisement

Your Social Security number powers tax reporting and federal benefit systems, which is why some requests truly are mandatory. (AP Photo/Jenny Kane, File)

Examples of when you need to share your SSN

Certain U.S. laws and federal regulations require an SSN because it functions as the official taxpayer or benefits identifier.

Federal income tax returns: The IRS requires individuals who qualify for an SSN to use it as their taxpayer identification number on Form 1040 and related filings. The IRS uses the number to match income statements, credits and refunds to the correct taxpayer record.

Form W-2 wage reporting: IRS regulations require employers to include each employee’s SSN on Form W-2. Employers submit the form to both the IRS and the SSA so agencies can record earnings and reconcile payroll taxes.

Social Security retirement and disability benefits: Applications for Social Security benefits require an SSN so the SSA can retrieve the applicant’s earnings history and calculate eligibility and payment amounts.

Advertisement

ILLINOIS DHS DATA BREACH EXPOSES 700K RESIDENTS’ RECORDS

FAFSA for federal student aid: U.S. citizens and eligible noncitizens applying for federal student aid must provide a valid SSN on the Free Application for Federal Student Aid (FAFSA). The number is verified against SSA records during processing.

Interest income reporting: Financial institutions must obtain a taxpayer identification number — usually an SSN for individuals — to report interest income to the IRS on Form 1099-INT.

In each of these cases, the requirement stems from tax administration statutes or federal benefits law. The SSN is used to link records across agencies and systems.

When you don’t need to share your SSN

Beyond tax filings, wage reporting and federal benefits, many SSN requests come from internal company policy rather than statute. Private businesses are generally allowed to ask for your SSN. In most everyday transactions, there is no federal law forcing you to provide it.

Advertisement

Rental applications: Landlords often request an SSN to run credit checks. Federal housing law does not mandate collecting a tenant’s SSN to lease property. Screening is conducted through consumer reporting agencies, and alternative verification methods may be available.

Medical intake forms: Healthcare providers routinely include an SSN field. Federal law does not require patients to disclose an SSN for treatment. Since 2018, Medicare cards have used randomized beneficiary identifiers instead of SSNs. These Medicare Beneficiary Identifiers (MBI) don’t include your SSN.

School enrollment forms: Public schools may request a student’s SSN, but students cannot be denied enrollment for refusing to provide one. Institutions tend to assign their own identification numbers.

TAX SEASON SCAMS 2026: FAKE IRS MESSAGES STEALING IDENTITIES

Utilities and subscription services: Power companies, mobile carriers and gyms sometimes request an SSN to evaluate credit risk or secure payment agreements. This is a risk management choice, not a statutory requirement.

Advertisement

In these cases, the request may feel routine. The legal footing is different from tax or benefits administration. You can ask what authority requires it and whether another form of identification will suffice.

Not every form that asks for your SSN has legal authority behind it. Many requests are simply company policy. (Kurt “CyberGuy” Knutsson)

What to ask before you hand over your SSN

If the request comes from a government agency, look for a Privacy Act disclosure statement. Federal law requires agencies to state whether providing your SSN is mandatory or voluntary, cite the legal authority for the request, and explain how it will be used. If the request comes from a private company, ask direct questions:

Is this required by federal or state law?

What will the SSN be used for?

Advertisement

Can you accept the last four digits instead?

Is there an alternative way to verify identity?

You can also ask how the number will be stored, whether it is encrypted and who has access to it. Collecting only what is necessary is a recognized security practice, but not every organization follows it.

What actually happens when your SSN is leaked

A leaked or stolen SSN can be used anywhere that number is treated as proof of identity.

In tax administration, the IRS processes returns based on the SSN attached to them. If a fraudulent return is filed first, the legitimate taxpayer’s electronic filing may be rejected because the number has already been used. Fixing it means paper filing and identity verification while the IRS reviews the case. The agency’s Identity Protection PIN program was introduced after years of SSN-based tax fraud.

Advertisement

Credit reporting works the same way. Under the Fair Credit Reporting Act framework, credit bureaus use the SSN to build and match consumer files. If credit is issued using your SSN, that account can attach to your report until you dispute it. It stays there while bureaus and lenders investigate.

Federal benefit systems also depend on the number. The SSA warns that criminals use stolen SSNs to impersonate beneficiaries and create fraudulent online accounts. An SSN does not expire or reset. Once exposed, it can continue appearing in tax filings, credit applications, or benefit records until you flag it.

How identity monitoring services help you respond faster

Identity monitoring services attempt to detect suspicious activity tied to your personal information as early as possible. Many services track credit activity across all three major U.S. bureaus and alert you to new inquiries, accounts and report changes. Some also scan known data breach datasets for exposed identifiers, including Social Security numbers.

Certain plans include identity theft insurance to cover eligible recovery costs, along with fraud resolution support to guide you through disputes and paperwork if something goes wrong.

No service can prevent every type of identity theft. The real value is early warning, knowing when and where your SSN is being used so you can act quickly before damage spreads.

Advertisement

How to check if your personal information was exposed

If you are unsure whether your personal information has been compromised, take action. Start with a reputable breach scan to see whether your email or other identifiers appear in known leaks. Early detection gives you more control and helps you respond before fraud escalates.

See my tips and best picks on Best Identity Theft Protection at Cyberguy.com.

Before handing it over, ask how your SSN will be used, stored and protected. That simple pause can reduce your risk.  (Kurt “CyberGuy” Knutsson)

Kurt’s key takeaways

Lawmakers created the Social Security number to track earnings and administer benefits, not to unlock every part of your life. Yet today, many companies treat it like a universal key. In some situations, you must provide your SSN. Taxes, employment and federal benefits depend on it. However, many everyday requests come from internal company policies, not federal law. That distinction matters. Before you share your number, pause and ask why the business needs it. Ask how they store it. Ask whether another form of identification will work. Small questions can prevent big problems. If someone has exposed your SSN, act quickly. Monitor your credit. Set up alerts. Report suspicious activity right away. Early action limits damage and protects your identity. Your Social Security number does not change. But you control when, where and how you share it.

Have you ever been asked for your Social Security number in a situation that didn’t feel necessary, and did you push back? Let us know by writing to us at Cyberguy.com.

Advertisement

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.

Copyright 2026 CyberGuy.com. All rights reserved.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Technology

Google is open-sourcing its 3D emoji

Published

on

Google is open-sourcing its 3D emoji

Now, if you want to, you can use Google’s 3D emoji in your own creations. The company shared some details about how it went about designing the little pictograms and why, as part of World Emoji Day on Friday. Things you might not necessarily worry about in a 2D illustration suddenly become very important when you’re talking about a 3D model. Is a smiley face a sphere? A mask? A flat disc?

In addition to offering a behind-the-scenes look at Google’s design process, it also announced that it would be completely open-sourcing the emoji set:

We’re handing over raw .OBJ files to the community so they can use them to build immersive VR worlds, indie apps or weird memes.

Exactly what kind of “immersive VR worlds” someone might want to build with a bunch of emojis is a bit of a mystery to me. But if the Emoji Movie is any indication, it won’t be good. Google’s Noto Emoji 3D made their debut in May and were met with 😬 reactions.

Continue Reading

Technology

HalluSquatting AI attack could hijack your computer

Published

on

HalluSquatting AI attack could hijack your computer

NEWYou can now listen to Fox News articles!

You ask an artificial intelligence assistant to download a popular software tool. It confidently finds the project, retrieves the files and starts setting everything up. There is one problem. The AI found the wrong project. That mistake may sound like another frustrating AI hallucination. However, researchers have shown how an attacker could turn that wrong answer into a malware delivery system.

The technique is called HalluSquatting. It targets AI tools that can browse the internet, retrieve software and run commands on your computer. An attacker could use it to steal sensitive information or quietly recruit your device into a botnet, a network of infected devices controlled remotely.

In a recent research paper, researchers from Tel Aviv University, Technion and Intuit detailed HalluSquatting and tested it against popular AI coding tools and personal assistants. Here is how the attack works and what you can do before an AI assistant downloads the wrong file.

Free live CyberGuy class: Sick of Spam? Join us July 22.

Advertisement

Join us Wednesday, July 22, at 1 p.m. ET for a free CyberGuy Live class that will help you cut down on robocalls, spam texts, junk email and other unwanted messages. Kurt “CyberGuy” Knutsson will walk you step by step through simple ways to filter spam, clean up your inbox and recognize the messages that could put your personal information at risk. No technical experience is needed. You’ll also receive our spam-stopping checklist, and every registrant will get a link to the class recording afterward.

Reserve your free spot today at CyberGuyLive.com.

HACKERS THREATEN TO LEAK DATA FROM 275M USERS AFTER BREACHING MAJOR COLLEGE PLATFORM USED NATIONWIDE

An AI assistant can invent a convincing software address and lead you straight to an attacker-controlled repository. (Photo by Donato Fasano/Getty Images)

What is the HalluSquatting AI attack?

AI hallucinations happen when a model invents information and presents it as accurate. That could be a fake statistic or a software project that never existed. HalluSquatting focuses on fake software resources.

Advertisement

AI coding assistants sometimes need the full online address of a software repository. However, you may only give the assistant a project name. The AI must then determine who owns the project and where the official files live. When it does not know the answer, it may guess.

An attacker can repeatedly ask AI models to locate a popular or trending project. That process may reveal fake repository names the models invent regularly. The attacker can then register one of those names before someone else does. As a result, the AI’s imaginary project becomes a real online trap.

How the HalluSquatting AI attack works

First, the attacker identifies a software project or AI skill that is gaining attention. Newer resources may create a larger opportunity because an AI model may have little reliable information about them. Next, the attacker studies how different AI models respond when asked to locate that resource. The researchers found that models can repeat the same fake names across different prompts.

The attacker then creates a repository, software package or AI skill using one of those hallucinated names. Malicious instructions can be placed inside its files, setup scripts or documentation. Later, you ask your AI assistant to retrieve the real project. Instead, the assistant invents the attacker-controlled name and downloads those files.

The assistant may then read the hidden instructions as part of its assigned task. If the assistant has access to a terminal, it could also run the attacker’s commands. Those commands may download more software or search files stored on the computer. The unsettling part is that you may never enter the wrong name. The AI creates the mistake and then acts on it.

Advertisement

AI CHATBOTS TAKE HEAT OVER LEFT-WING BIAS: ‘NO LONGER BE CONSIDERED NEUTRAL’

HalluSquatting becomes more dangerous when an AI agent can download files and run terminal commands without close supervision. (Kurt “CyberGuy” Knutsson)

Why AI agents make HalluSquatting more dangerous

Unlike a basic chatbot, an autonomous AI agent can take actions on your behalf, including browsing websites and running commands. A regular chatbot may give you a broken link. You click it, discover that it goes nowhere and close the page. An AI agent can go much further. Agentic AI tools can download files, install software and operate a computer terminal. Those abilities make the tools useful.

However, they also give prompt injection attacks more power when an agent follows malicious instructions. The researchers showed that malicious instructions inside a squatted resource could trigger remote tool execution or remote code execution. In other words, the AI assistant could run an attacker’s commands on the computer where the assistant operates.

The potential damage depends heavily on the assistant’s permissions. An agent with broad file access creates a much larger risk. The danger also grows when the agent can run commands without asking for approval.

Advertisement

HalluSquatting tests found high AI hallucination rates

The researchers examined Cursor, Cursor CLI, Windsurf, GitHub Copilot, Cline and Gemini CLI. They also tested OpenClaw and related personal AI assistants. Hallucination rates reached as high as 85% during repository-cloning scenarios. Some skill-installation tests reached 100%.

The researchers also found that hallucinated names could transfer across different foundation models. In other words, several AI systems might invent the same fake resource. The team successfully demonstrated remote tool execution and remote code execution against production AI applications with integrated terminals.

However, the researchers used controlled resources and harmless test payloads. The study did not document a widespread criminal HalluSquatting campaign. Still, the research shows that the attack path can work.

Why web searches can reduce HalluSquatting risk

One finding offers a clear clue about how AI companies could reduce the danger. An AI assistant should search for a repository or package before downloading it. That search can help confirm whether the resource exists and who owns it. However, AI tools do not always perform that search.

The assistant may rely on its training data instead. If the project is unfamiliar, the model may generate a convincing but incorrect answer. Researchers and security experts recommend requiring AI agents to perform live lookups before they clone, fetch or install outside resources.

Advertisement

Even a search cannot guarantee safety. An attacker may have already registered the hallucinated name. Therefore, the assistant must also verify the resource’s owner, history and connection to the official developer.

Could HalluSquatting create an AI botnet?

A botnet is a collection of compromised devices controlled by an attacker. Criminals can use botnets to spread malware, mine cryptocurrency or overwhelm online services. Traditional botnets often spread through software flaws or weak passwords. They may also target large groups of similar connected devices. HalluSquatting proposes another delivery route.

An attacker could plant one malicious resource and wait for AI agents to pull it onto unrelated computers. Those computers could run different operating systems and sit on separate networks. The common weakness would be the AI agent’s willingness to trust a hallucinated resource.

The researchers describe how this setup could support an “agentic botnet.” The AI would deliver the malicious instructions and run the commands needed to install the botnet malware. However, the team did not release a real botnet. Researchers also withheld attack details that criminals could directly reuse.

Verifying every software source, limiting permissions and using strong antivirus protection can help stop a malicious download before it spreads. (Kurt “CyberGuy” Knutsson)

Advertisement

How AI companies can reduce HalluSquatting attacks

AI companies can make searches mandatory before agents retrieve outside resources. They can also require human approval before an agent runs downloaded code. Stronger warnings should appear when a resource has little history or comes from an unverified owner.

Meanwhile, software platforms could identify frequently hallucinated names before attackers register them. Platforms may also restrict the reuse of well-known project names under unrelated accounts. Security layers that inspect downloaded instructions could reduce exposure. However, researchers warn that no single control can remove the entire risk.

The HalluSquatting researchers notified affected vendors before publishing their work. They also withheld details that they believed attackers could reuse. The paper does not claim that every tested application has released a complete fix. HalluSquatting reflects a broader weakness in how AI agents generate and trust resource names.

Ways to stay safe from HalluSquatting

HalluSquatting depends on an AI assistant trusting an unverified resource and acting with little supervision. These steps can interrupt that chain before an attacker gains access to your computer.

1) Verify the official repository before downloading it

Do not rely on an AI-generated repository name alone. Visit the developer’s official website. Then, follow its link to the correct repository or software download page. Check the account owner as well as the project name. An attacker may use a familiar project name under an unrelated account. You should also review the repository’s history. A newly created account with little activity deserves extra scrutiny.

Advertisement

2) Make the AI search before installing anything

Tell the assistant to perform a live web search before cloning, fetching or installing a resource. Ask it to show you the official owner and full address before it takes action. Then, compare that information with the developer’s website. This step can reduce the chance that an AI model will rely on an invented name. Still, you should review the result yourself before approving a download.

3) Turn off automatic command approval

Avoid modes that allow an AI agent to run terminal commands without asking you first. Some coding tools call these auto-run, skip-permissions or unrestricted modes. The exact wording depends on the application. Require approval for each command, especially when the AI downloads an outside file. Also stop the process when the assistant cannot clearly explain what a command will do.

4) Review every terminal command

Read the full command before approving it. Be cautious when a command connects to an unfamiliar website or downloads an additional script. Commands that change security settings also deserve close attention. Do not approve a command because the AI says it is safe. Verify unfamiliar commands through official documentation.

5) Limit the AI agent’s permissions

Avoid running an AI coding assistant with administrator access unless the task requires it. Only give the agent access to the files needed for the current project. Keep tax records, personal documents and private photos outside its working folders. In addition, remove integrations the agent no longer needs. Those may include cloud storage accounts or workplace systems. An attacker can cause less damage when the compromised agent has fewer permissions.

6) Use a sandbox or virtual machine

Test unfamiliar AI-generated code inside an isolated environment. A virtual machine, development container or sandbox can separate the code from the rest of your computer. If something goes wrong, the malicious activity may remain contained. Security researchers also recommend isolated installation environments for AI-generated package commands.

Advertisement

7) Use strong antivirus software

Strong antivirus software can add another layer of protection. It may detect a malicious download, suspicious script or unexpected attempt to change your system. Some security tools can also block connections to known dangerous websites. However, antivirus software cannot guarantee that an AI assistant will select the correct repository. You still need to verify the source and review commands. Keep real-time protection enabled. In addition, allow the software to update its threat definitions automatically. Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android and iOS devices at Cyberguy.com

8) Protect passwords and API keys

AI coding tools may work with passwords, access tokens or API keys. Those credentials can give an attacker access to valuable accounts. Do not store sensitive credentials in plaintext project files. Instead, use secure environment variables or a trusted secrets manager. Use strong and unique passwords for important accounts. A password manager can create and store them. Also turn on two-factor authentication wherever it is available. That can make a stolen password harder to use.

9) Keep your computer and AI tools updated

Install updates for your operating system, browser and AI applications. Updates may fix security problems or add stronger approval controls. They may also improve how an AI tool verifies outside resources. However, HalluSquatting relies partly on AI hallucinations. Therefore, software updates alone may not remove the risk.

10) Use trusted package and dependency controls

Businesses and development teams should limit which software sources AI agents can access. Teams can create allowlists for trusted publishers. They can also pin package versions and verify cryptographic hashes. Automated dependency scanners may flag known vulnerabilities before software reaches a live system. Software bills of materials can help teams track where each component came from. They also make it easier to identify affected projects after a security problem appears.

11) Watch for signs that an AI agent went off course

Review the agent’s activity history when the application provides one. Look for unexpected downloads or commands you do not remember approving. New software, unusual pop-ups or unexplained computer slowdowns may also warrant a closer look. If you suspect that an AI agent ran malicious code, disconnect the computer from the internet. Then, run a full antivirus scan. Change important passwords from a different trusted device. You should also revoke exposed API keys or access tokens.

Advertisement

Kurt’s key takeaways

We already know AI can confidently make things up. HalluSquatting shows what can happen when an AI tool acts on its own bad answer. An assistant may invent a software address and download files controlled by an attacker. If the agent has terminal access, it may also run malicious instructions using your permissions. The research does not show that HalluSquatting attacks are suddenly infecting computers everywhere. However, it exposes a security gap that AI companies need to address as agents gain more control. For now, do not give an AI assistant unlimited freedom to install software or run commands. Verify every source, keep approval controls turned on and use strong security software as a backup layer.

How much control would you feel comfortable giving an AI assistant over your computer before it has to stop and ask for permission? Let us know by writing to us at Cyberguy.com

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report

  • Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
  • For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com – rusted by millions who watch CyberGuy on TV daily.
  • Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.

Copyright 2026 CyberGuy.com. All rights reserved.

Advertisement
Continue Reading

Technology

Taylor Farms pulls iceberg lettuce from the US market after cyclosporiasis outbreak

Published

on

Taylor Farms pulls iceberg lettuce from the US market after cyclosporiasis outbreak

Food producer Taylor Farms released a statement on the Cyclospora outbreak Friday, confirming that it’s “voluntarily removing all iceberg lettuce sourced from central Mexico from the US market.” Reuters reports that, according to a source, Taylor Farms told customers like Yum Brands owner Taco Bell and the food distributor Sysco on Thursday to pull shredded lettuce that had been produced initially as 5-pound bags at a facility in Guanajuato, Mexico, from distribution.

Taco Bell said on Thursday that “The affected ingredient from our supplier is being indefinitely removed from our supply chain nationwide and will be replaced within 24 hours in select states.”

The Cyclospora parasite infects humans’ small intestine, can take up to one to two weeks to incubate, and causes symptoms including “watery diarrhea, with frequent bowel movements… vomiting, body aches, headache, low-grade fever, and other flu-like symptoms,” that may seem to go away and then come back more than once.

As The Verge reported this week, not all of the reported cases have been linked to Taco Bell, and Taylor Farms is a giant, which has said it sells more than $7 billion in produce every year and makes two out of every five of the salad kits sold in grocery stores. However, its name doesn’t appear on most of those items, and while the extent of the outbreak is still under investigation, the CDC has said it’s also looking into illnesses and outbreaks in other states that are unrelated.

Based on information provided yesterday by the FDA, Taylor Farms de Mexico is voluntarily removing all iceberg lettuce sourced from central Mexico from the U.S. market.

While the FDA traceback is indicating a specific independent farm that represents less than 1% of the U.S.’s iceberg lettuce supply as the potential source of the outbreak, we have removed all iceberg lettuce from the region indefinitely.

Advertisement

It hasn’t identified other companies or products to avoid yet. ProPublica’s Annie Waldman reports that the tracing effort is working without more than 240 consumer safety specialists who left as the Trump administration cut funding to federal health agencies, and the CDC scaled back its Foodborne Diseases Active Surveillance Network (FoodNet) that worked with 10 states.

The Washington Post also mentions that a few months ago, the FDA pushed back the compliance deadline on implementing its Requirements for Additional Traceability Records for Certain Foods (Food Traceability Final Rule) from January 20th, 2026, until July 20th, 2028. Its requirement for standardized record-keeping about goods and shipments could’ve made finding the “specific independent farm” tied to the outbreak easier and faster.

This all follows statements from the CDC and FDA saying the “explosive diarrhea parasite” outbreak has been linked to shredded iceberg lettuce served at Taco Bell locations across five states: Indiana, Kentucky, Michigan, Ohio, and West Virginia. In Michigan alone, there are over 5,000 reported cases, with 102 reports of hospitalization.

According to the FDA, “FDA and state partners are actively investigating the source and scope of the contamination. Because the investigation remains ongoing, additional implicated brands, restaurants, retailers, or distribution channels may be identified as the investigation continues.”

Advertisement
Continue Reading
Advertisement

Trending