Can AT&T texts be faked to trick you?

By Jose Pagliery

NEW YORK (CNNMoney – Jan. 23, 2015) — There’s a problem with the way AT&T sends out customer alerts via text message: They’re too easy to mimic.

With little effort, a scammer could send you alerts that look just like the real thing. Click on a link and the hacker will grab your login credentials — or fool you into giving up your credit card too.

It’s yet another phishing scheme. But instead of email, hackers can target you with texts.

The problem stems from AT&T not making its real alerts look legitimate enough, said Dani Grant, the computer programmer who noticed the flaw.

“If the official texts look like phishing, it’s impossible for the customer to distinguish between what’s phishing and what’s not,” she said.

First, AT&T’s alerts come from a weird, four-digit “short code” number. Anyone can buy a short code (charities do it all the time). And even more confusing, different AT&T customers see different short codes.

Second, some of AT&T’s real links are funky. Some point to while others take you to

Third, the text messages don’t even have a consistent format. Sometimes they start in all capital letters: “AT&T FREE MSG.” At other times they’re lowercase: “AT&T Free Msg.”

To test her theory, Grant set up her own short code, bought a legitimate-looking website address and sent a message. Can you tell the difference?

AT&T declined to comment on this topic. Grant said she reported it to the company as a security flaw but hasn’t heard back.

To be fair, though, AT&T isn’t the only one. Verizon sends out text messages from a 12-digit number that changes depending on the customer, and it sends links to or

T-Mobile sends alerts from a three-digit short code (also different for every user) and links to

SMS text messages are convenient, because they’re reliable. You can get them anywhere, anytime on any phone.

But Grant thinks these companies should opt for email instead, or communicate through a dedicated app. It’s easier for a company to make emails look official. And an app would, in most cases, keep out the bad guys.
