A couple of days ago, this email message ended up in my spam folder:
Below the text box you see is a second text box with the same text repeated in Spanish.
Is this a legitimate email from AT&T? There’s ample reason to suspect it:
- I haven’t been a customer of AT&T or any of its affiliated businesses in years. Many years. Many, many years. So many years that I literally cannot remember when I was a customer of AT&T. Why would AT&T think it’s necessary to email people who haven’t been its customers in many, many years? Surely anyone in that category is also being emailed by their bank, credit card company, current service providers, etc?
- The message doesn’t show my email address in the “To” line.
- The message doesn’t show my name anywhere in the email.
- The return address, “att-support@emaildl.att-mail.com”, is a big tell for spamming / phishing. It should say “att.com” or “att.net” (note that Equifax made exactly the same clueless error when they put up a web site for people to get information about the breach and it wasn’t underneath the “equifax.com” domain). If this is indeed a valid email domain for AT&T, then I might know that if I were a current or recent AT&T customer, but see above.
- The message failed its DKIM check: Authentication-Results: jik4.kamens.us; dkim=fail reason="signature verification failed" (2048-bit key) header.d=emaildl.att-mail.com header.i=@emaildl.att-mail.com header.b="qV6Gb7mE"
- The domain “att-mail.com” has no SPF record.
- The links in the email don’t work. Seriously, the body of the email is invalid HTML, and all of the links are broken. This isn’t just a problem with my email client; I copied the HTML body of the email into a separate file and opened it in Chrome, and the links don’t work in Chrome either.
- The copyright notice, “© 2017 AT&T Intellectual Property. All rights reserved. AT&T and Globe logo are registered trademarks of AT&T Intellectual Property,” looks suspicious. WTF is “AT&T Intellectual Property”? Sheesh.
- Almost certainly, the message ended up in my spam folder because of the huge block of Spanish text in Spanish at the bottom. I use an adaptive, Bayesian spam filter, and the vast majority of the emails in foreign languages that I receive are spam, so emails with lots of foreign text tend to get flagged as spam. While I understand AT&T’s desire to communicate with users in languages they understand, if I was their customer then they should have a record of what language I speak, and even if they don’t they could have put one or two sentences in Spanish at the top of the message telling Spanish speakers to click on a link to read the entire message in Spanish, rather than including the entire message in both English and Spanish in the email.
Nevertheless, despite this message being an absolute textbook example of a fake spam / phishing email, it appears that it was, in fact, sent by AT&T.
Here’s why this is a bad thing… One of the things I spend my time at work doing is trying to raise my coworkers’ awareness of phishing emails and the tells they should be looking for to spot them. This email is chock full of such tells, and yet it’s legitimate. Emails like this condition their recipients to ignore or disregard tells, making them more vulnerable to and more likely to be tricked by malicious phishing emails.
This email is a cybersecurity tragedy.
I just received an email from that same email address saying I recently updated my email address or enrolled in paperless billing, and it was so convincing I actually called AT&T. I knew it had been over 10 years since I have had service with them, but wanted to make sure nobody had fraudulently opened something in my name, or something like that. The representative confirmed that I did not have service with them, and that the update[at]emaildl.att-mail[dot]com email address (not sure if the full email would get flagged) is NOT a valid email address. That’s weird because you said yours ended up being legit, but that’s what he said.
Edit: just noticed that yours was actually “att-support,” not “update,” but the rest of it was the same, and point being he said the domain should simply be att.com.
2022 Checking in, still in use. Mind boggling. Getting similar text messages now too.
they still use this email address too…