AT&T customers beware: you're far more vulnerable to phishing scams than customers of other companies, thanks to AT&T's text protocols – or the lack thereof.

“Phishing” scams are those where scammers trick their victims into revealing personal or financial information by sending email or text messages that appear to be from legitimate companies. For example, you might get a text message which at first glance appears to be from your bank, warning you of non-existent problems with your account – problems which can supposedly be solved if you give your passwords, account numbers or other important information to the scammer who sent you the text.

The one good thing about phishing scams is that usually, those scammy come-on texts or emails are pretty easy to spot, if you know what to look for. But you can't necessarily do that with AT&T because, as computer programmer Dani Grant discovered this week: “Texts from AT&T are easy to spoof.”

Basically, text messages that legitimately come from AT&T look disturbingly like fake phishing messages – and at the same time, hackers can very easily create fake AT&T texts that look disturbingly like the real thing. Grant herself could do so with ease.

Phishing attempts

Most “protect yourself from scams” articles (including those you'll see here at ConsumerAffairs) will tell you that one way to distinguish between a genuine company missive and a phishing attempt is by looking at web addresses. Last month, for example, we got a fantastically bad email allegedly from FedEx, though it was easy to see that (among other things) the message did not come from @FedEx.com, but a Yahoo webmail address.

Here's a brief quiz, to test your scam-protection savvy: suppose you get a text message allegedly from your phone company, asking you to click on the linked web address dl.mymobilelocate.com in order to set up your phone's mobile-location feature. Do you click on this link, or not?

If you've paid attention to any of the last n thousand “Beware of phishing” articles you've read, you probably answered “Heck no, I wouldn't click on that scammy-looking link! A real link would actually have my mobile carrier's name in it somewhere, right? Verizon.com, ATT.com, something like that.”

That's a good answer! Except it's also the wrong answer, because dl.mymobilelocate.com is AT&T's actual Mobile Locate address.

Nor can you identify a genuine AT&T text from a piece of phishing bait by looking at the address it came from, as Grant explained:

One problem is that AT&T uses a plethora of short codes to send messages so customers have no way to know if messages are actually coming from an AT&T number. They have no way to distinguish which text messages are genuinely from AT&T and which are from phishers. … Customers of AT&T don’t have a good way to know what texts are actually from their cell carrier, making AT&T an easy target to spoof.

Different codes

When Jose Pagliery wrote about Grant's discovery for CNN Money, he pointed out that AT&T isn't the only company that confusingly uses a variety of short codes to send out legitimate texts:

Verizon sends out text messages from a 12-digit number that changes depending on the customer, and it sends links to vzwmobile.com or vzw.com.

T-Mobile sends alerts from a three-digit short code (also different for every user) and links to t-mo.co.

Is there a quick and easy way for mobile customers to distinguish between legitimate texts and phishing bait?

Not really, though Grant does offer a time-consuming option: if you get a text message urging you to call a phone number, you can type it into RetroSleuth to see who owns it – does that “AT&T” number actually belong to AT&T?

But for the most part, fixing this problem lies with the companies that send easy-to-spoof texts. Grant offers them three fix-it suggestions:

The easiest solution is for AT&T to only use URLs that are subdomains or extensions of att.com.

Another possible fix is for AT&T to preload their short codes as phone contacts for AT&T sold devices. That way, customers will know what numbers actually belong to AT&T and which do not.

A third option is for AT&T to communicate through other methods besides text messages. While there is certainly the tradeoff of convenience, emails from @att.com addresses or push notifications through AT&T’s app are alternatives.

Company email is harder to spoof convincingly, but only because a mail domain can publish authentication records (SPF, DKIM and DMARC) that let receiving mail servers reject forged @att.com senders; SMS has no equivalent, which is why a short code proves nothing about who sent it. Push notifications through the carrier's own app are stronger still, since they reach only the app the customer installed from the app store and a stranger can't inject one, although a look-alike app is a separate risk to keep in mind.
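To make Grant's first suggestion concrete, here is an added example (not code from the article, from Grant, or from any carrier) of the link check a customer, a phone, or a carrier's own QA could apply: accept a link only if its host is att.com or a subdomain of it. The carrier domain list is constructed from what the article reports and is an assumption; dl.mymobilelocate.com is deliberately not in it, so the check flags AT&T's genuine Mobile Locate link, which is exactly the article's point. The check parses the URL rather than string-matching it, so the usual look-alike tricks (att.com.evil.example, myatt.com, att.com@evil.example, evil.example/att.com) all fail.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed for this example: the registrable domains each carrier is reported
# to link to. dl.mymobilelocate.com is deliberately absent from the AT&T set;
# it is real AT&T infrastructure, but nothing in the name proves that.
CARRIER_DOMAINS = {
    "att": {"att.com"},
    "verizon": {"vzw.com", "vzwmobile.com"},
    "t-mobile": {"t-mo.co"},
}

# Link-like tokens in an SMS body. Bare hosts count because phones render them
# as tappable links even without a scheme; with a scheme, take the whole token
# so userinfo tricks such as http://att.com@evil.example/ are seen in full.
LINK_RE = re.compile(
    r"https?://\S+|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}(?:/\S*)?"
)


def extract_host(link: str) -> Optional[str]:
    """Hostname a phone would actually connect to, lowercased, or None.

    Parsing the URL is what defeats 'http://att.com@evil.example/' (the real
    host is after the @) and 'http://evil.example/att.com/' (att.com is a path).
    """
    if "://" not in link:
        link = "http://" + link          # bare hosts in SMS open over http
    host = urlsplit(link).hostname       # drops userinfo, port and path
    return host.rstrip(".") if host else None


def is_subdomain_of(host: str, base: str) -> bool:
    """True for base itself or any label under it, never for look-alikes.

    The leading dot matters: 'myatt.com' ends with 'att.com' but is not under
    it, and 'att.com.evil.example' is under evil.example, not att.com.
    """
    return host == base or host.endswith("." + base)


def link_matches_carrier(link: str, carrier: str) -> bool:
    """Would an 'only subdomains of att.com' policy accept this link?"""
    host = extract_host(link)
    if host is None:
        return False
    return any(is_subdomain_of(host, base) for base in CARRIER_DOMAINS[carrier])


def suspicious_links(message: str, carrier: str) -> List[str]:
    """Links in an SMS body whose host is not under the carrier's domains."""
    return [m.group(0) for m in LINK_RE.finditer(message)
            if not link_matches_carrier(m.group(0), carrier)]


if __name__ == "__main__":
    # Constructed sample messages, not real AT&T texts.
    genuine = "AT&T Free Msg: set up Mobile Locate at dl.mymobilelocate.com"
    bait = "AT&T: account locked, verify at http://att.com@evil.example/login"
    for text in (genuine, bait):
        print(suspicious_links(text, "att"))
```

Run as-is, it flags both the constructed bait and the genuine Mobile Locate link, which is the failure mode the article describes: a domain allowlist only helps customers once the carrier confines its links to domains the customer can recognize.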
