With phishing, a scammer pretends to be a real person or organization. They try to trick you into sharing personal or financial details. That may include credit card numbers, social security numbers, or passwords.
We never ask for any personal or account info using phone calls, email, or text messages. If you get such a request, report it to AT&T Internet Security at firstname.lastname@example.org
. You can also forward the phishing email to the Anti-Phishing Working Group at email@example.com
or report it to the FTC
Phishing scams can take many forms, such as:
- You get an email or text message that seems to come from your bank. It asks you to confirm your account info by clicking on a link. When you click the link, it may install a malicious program on your device, capturing everything you type, including passwords.
- The link could also take you to a fake website with a homepage set up to look like it’s from your bank. The website asks for details a real site would never ask for, such as your account number, the last eight digits of your debit card number, or your ATM PIN.
- A hacker creates a fake website using a web address with commonly misspelled words. This is called typosquatting. If you mistype a web address, you could land on one of these sites.
Scammers constantly change their attacks to include details which make you believe the scam is real. It’s important you know what to look for. And remember, we never ask for information through phone, email, or text messages.
Recognizing phishing and fake websites
If you aren't sure you’re on a legitimate website or an email sent to you is valid, check for these warning signs:
- Incorrect URL: If your bank uses a certain URL and the site you land on uses a different one, it’s probably a fake site. Always double-check the site address is correct. Hover your mouse pointer over a link in the email to see if the link is directed to the same site the email came from.
- All caps in email subject lines: Scammers often use capital letters to get your attention. This is something we don’t do in our email subject lines, so it's a good sign the email is fake.
- Many undisclosed recipients: Scammers send thousands of phishing emails, hoping someone will bite. If you see an email copied to other recipients, watch out. We consider our customers as individuals, and we treat them that way. Your email is only sent to you.
- Banking information: A real bank won’t ask for your banking account info or debit card and PIN numbers through email. Be careful of emails or sites asking for sensitive details, such as your Social Security number, besides the standard sign-in credentials.
- Confirm sensitive account info: If an email or website asks you to confirm sensitive account info, this is likely a scam.
- Public internet account: Before clicking on any link sent to you by email, look at the sender's email address. If the email has a non-business email address, but claims to be from your bank or another business, don’t trust the email. All myAT&T emails are sent from att-mail.com. So, if you don't see that email address, we didn’t send it.
- Generic customer name: Make sure email claiming to be from your bank includes your given name in the message, such as Dear William Smith, instead of Dear Valued Customer. Real banks address messages to you by name as a way of confirming your relationship.
- Misspelled words: Real companies have staff checking the accuracy of emails and websites. If you see a misspelling or a misuse of the company name, look for other mistakes and clues to support your suspicions. Then, don't enter any personal info on the site.
- Not a secure site: Legitimate e-commerce sites use encryption, or scrambling, to make sure your payment info stays safe. If a site is using encryption, look for a lock symbol in the browser window. You can click the lock symbol to verify the security certificate issued to that site. The lock symbol confirms it's a legitimate, trusted website. You can also see in the web browser that the website address starts with https:// rather than just http://. Don’t enter payment details on any site that isn't secure.
- Low resolution images: Scammers usually create fake sites quickly. This shows in the quality of the sites. If the logo or text appears in poor resolution, it’s an important clue the site could be phony.