“The security of your account is important to us” says the subject of an email message sent to one of our customers by AT&T|Universal Card.
It came to our attention because it’s so fiendishly difficult to determine whether or not it’s a phishing attempt.
Subject: The security of your account is important to us
From: AT&T Universal Card <firstname.lastname@example.org>
Rather than bore you with the details of how we decided this message was legitimate we thought we’d apply some of the suggestions found on the Anti-Phishing Council’s Phishing Page and see if we should trust this email.
First, here’s what the suspicious email looks like:
Let’s see, the first suggestion from antiphishing.org is:
- Don’t trust links in email.
The orange “View Account” button above is a link, therefore we shouldn’t trust it. Good advice. The button could easily be linked to a phishing site.
- Never give out personal information upon email request.
They’re asking us to click on a link and then give our personal “User ID” and “Password” to the form that shows up when we click the link.
The next two items are:
- Look carefully at the web address.
- Type in the real website address into a web browser.
We searched for “AT&T Universal Card” and found what is probably their web site. Turns out it’s “www.accountonline.com”. The problem with this is that the domain name “accountonline.com” is totally generic so unless we already know it’s their domain it’s hard to be sure. (Of course we wouldn’t trust a domain that sounded like it was theirs either. Anybody could register “universal-card.com”.)
We’ll call this one a foul.
Clicking on the “View Account” link took us to this URL:
Having done our due diligence by looking up the real website this looks okay. Wouldn’t take much to send one out that links to “account-online.com” or “accountonline.net” though.
- Don’t call company phone numbers in emails or instant messages. Check a reliable source such as a phone book or credit card statement.
The message says “please call us immediately at 1-877-215-2648”. When you call they’ll ask for the secret “personal message code”. The thing is, whoever sent the message will probably be manning the phone, so if it were a phish the code would do exactly what it does for AT&T — help them identify you. It doesn’t help your security at all.
We checked the “www.accountonline.com” web site for contact phone numbers and did not find 1-877-215-2648 listed among their numbers.
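As an added illustration of the two checks above (this is not code from the original post): a defender-side script that pulls every link out of a copy of the message, compares its registrable domain with the one we found by typing the address in ourselves, and checks any phone number against a list taken from a trusted source rather than from the email. The sample HTML, the placeholder path and the subdomain-prefix variant are constructed for this example, so it goes a little beyond the two lookalike domains named above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML fragment standing in for the message body (not the real email).
# The first link uses the domain the article found for the real site; the others
# are the lookalike variants it warns about, plus a subdomain-prefix variant.
SAMPLE_EMAIL_HTML = """
<p>Otherwise, please call us immediately at 1-877-215-2648 by 6/14/2010.</p>
<a href="https://www.accountonline.com/login-placeholder">View Account</a>
<a href="http://account-online.com/login">View Account</a>
<a href="https://accountonline.net/login">View Account</a>
<a href="https://www.accountonline.com.verify-login.example/">View Account</a>
"""

# Reference values confirmed out of band (typed-in real site, number printed on the
# card statement), never taken from the message. The phone set is empty because the
# article found no listing for the number in the email.
KNOWN_DOMAINS = {"accountonline.com"}
KNOWN_PHONES = set()

class LinkCollector(HTMLParser):
    """Collect every <a href>; the button label says nothing about where it goes."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def registrable_domain(url):
    """Last two host labels, lower-cased. Fine for .com/.net as on this page; a real
    deployment would consult the Public Suffix List to handle ccTLDs like .co.uk."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def check_links(html):
    """Map each href to True only if its registrable domain is on the known-good list."""
    parser = LinkCollector()
    parser.feed(html)
    return {h: registrable_domain(h) in KNOWN_DOMAINS for h in parser.hrefs}

def check_phones(text):
    """Map each US-format number (digits only) to whether it is a known contact number."""
    found = re.findall(r"\b1[-.\s]?\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b", text)
    return {re.sub(r"\D", "", m): re.sub(r"\D", "", m) in KNOWN_PHONES for m in found}
```

Only the first link passes; a naive “does the URL contain accountonline.com” test would also have waved through the last one.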
For the sake of education, we’ll let them keep on swinging.
The Anti Phishing Working Group also has a section entitled “How Phishers Trick You Into Giving Out Personal Information” which lists the following as one of its bullet points:
- He provokes the computer user with an urgent request
Probably something just like the Citibank email:
We have been unable to reach you by phone and would like to verify recent activity on your account.
Based on routine account monitoring, we discovered that your AT&T Universal Card Platinum MasterCard account has suspicious purchases.
So that you are aware, if you attempt to use your card prior to calling us, merchants may ask you to provide information to verify your identity before they approve transactions. This is for the protection of your account.
If you have already spoken to us regarding this matter, please disregard this email. Otherwise, please call us immediately at 1-877-215-2648 by 6/14/2010.
If we were looking for some good examples of red flags contained in the typical phishing email then this one is a treasure trove!
Finally, in the course of checking the contact info for the phone number we ran across this gem:
Suspicious Emails? Report them to email@example.com
We would definitely report this email if we received it and can’t help but point out that such sloppy and irresponsible practices by Citibank are directly responsible for confusing and jeopardizing consumers’ security while making the job of con artists and phishing scammers so much easier.
If we had an AT&T Universal Card here we would cancel it on principle alone.
OnlyMyEmail is an award winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record setting 99.9993% of all malicious and junk email.
Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."
OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.