“With little effort, a scammer could send you alerts that look just like the real thing. Click on a link and the hacker will grab your login credentials — or fool you into giving up your credit card too,” Pagliery reports. “It’s yet another phishing scheme. But instead of email, hackers can target you with texts.” “The problem stems from AT&T not making its real alerts look legitimate enough,” said Dani Grant, the computer programmer who noticed the flaw. ‘If the official texts look like phishing, it’s impossible for the customer to distinguish between what’s phishing and what’s not,’ she added” The main problem is that AT&T doesnt have a standard and uniform short code number. Some of the messages come from a weird four digit short code which can be bought anywhere and AT&T sends the text messages from different numbers each time. Second problem is that the links in the text also are weird at times. Some links point to att.com while others take you to dl.mymobilelocate.com. Third AT&T doesnt maintain a uniformity in the header title and the text messages dont have a consistent format. Some of the messages start with capital “AT&T FREE MSG,” while others are in lower case, “AT&T Free Msg.” This looks like a open invitation for cybercriminals to carryout phishing campaigns against the AT&T customers. To test her theory, Grant set up her own shortcode, bought a legitimate-looking website address and sent a message. Can you tell the difference?
AT&T declined to comment on this topic. Grant said she reported it to the company as a security flaw but hasn’t heard back from them. To be fair, though, AT&T isn’t the only one. Verizon sends out text messages from a 12-digit number that changes depending on the customer, and it sends links to vzwmobile.com or vzw.com. T-Mobile sends alerts from a three-digit short code (also different for every user) and links to t-mo.co. SMS text messages are convenient, because they’re reliable. You can get them anywhere, anytime on any phone. But Grant thinks these companies should opt for email instead, or communicate through a dedicated app. It’s easier for a company to make emails look official. And an app would, in most cases, keep out the bad guys. Next time you get a SMS from any of these companies do watch out for phishing links.