A couple of days ago, this email message ended up in my spam folder:
Below the text box you see is a second text box with the same text repeated in Spanish.
Is this a legitimate email from AT&T? There’s ample reason to suspect it:
- I haven’t been a customer of AT&T or any of its affiliated businesses in years. Many years. Many, many years. So many years that I literally cannot remember when I was a customer of AT&T. Why would AT&T think it’s necessary to email people who haven’t been its customers in many, many years? Surely anyone in that category is also being emailed by their bank, credit card company, current service providers, etc?
- The message doesn’t show my email address in the “To” line.
- The message doesn’t show my name anywhere in the email.
- The return address, “email@example.com”, is a big tell for spamming / phishing. It should say “att.com” or “att.net” (note that Equifax made exactly the same clueless error when they put up a web site for people to get information about the breach and it wasn’t underneath the “equifax.com” domain). If this is indeed a valid email domain for AT&T, then I might know that if I were a current or recent AT&T customer, but see above.
- The message failed its DKIM check: Authentication-Results: jik4.kamens.us; dkim=fail reason="signature verification failed" (2048-bit key) header.d=emaildl.att-mail.com firstname.lastname@example.org header.b="qV6Gb7mE"
- The domain “att-mail.com” has no SPF record.
- The links in the email don’t work. Seriously, the body of the email is invalid HTML, and all of the links are broken. This isn’t just a problem with my email client; I copied the HTML body of the email into a separate file and opened it in Chrome, and the links don’t work in Chrome either.
- The copyright notice, “© 2017 AT&T Intellectual Property. All rights reserved. AT&T and Globe logo are registered trademarks of AT&T Intellectual Property,” looks suspicious. WTF is “AT&T Intellectual Property”? Sheesh.
- Almost certainly, the message ended up in my spam folder because of the huge block of Spanish text in Spanish at the bottom. I use an adaptive, Bayesian spam filter, and the vast majority of the emails in foreign languages that I receive are spam, so emails with lots of foreign text tend to get flagged as spam. While I understand AT&T’s desire to communicate with users in languages they understand, if I was their customer then they should have a record of what language I speak, and even if they don’t they could have put one or two sentences in Spanish at the top of the message telling Spanish speakers to click on a link to read the entire message in Spanish, rather than including the entire message in both English and Spanish in the email.
Nevertheless, despite this message being an absolute textbook example of a fake spam / phishing email, it appears that it was, in fact, sent by AT&T.
Here’s why this is a bad thing… One of the things I spend my time at work doing is trying to raise my coworkers’ awareness of phishing emails and the tells they should be looking for to spot them. This email is chock full of such tells, and yet it’s legitimate. Emails like this condition their recipients to ignore or disregard tells, making them more vulnerable to and more likely to be tricked by malicious phishing emails.
This email is a cybersecurity tragedy.