Malicious email appearing to be from legitimate company

Some phishing emails are obvious to spot, but others are more difficult until you add up all the warning signs.  If you receive an email from a random person or unknown company claiming you owe them money, you would be instantly suspicious (as seen in our Ransomware Phishing post).  However, what happens when you receive an email that appears to be from a big, legitimate company everyone has heard of?  And what happens if you actually do business with that company and the email looks legitimate, complete with company logos and privacy statements?  We will go through such an email and point out all the warning signs, so you know what to look for if you receive a similar email.  We will also discuss ways users can distinguish legitimate emails from fake emails in the future.

Here is the email received:

At first glance, this email looks pretty legitimate, and if you have service with AT&T it is even more believable.  However, the email starts to fall apart after taking a closer look.


The first thing we notice is the email address.  The display name is “AT&T Inc. All rights reserved.”  Most companies would not have something of that nature as the display name for their email.  You may also notice it looks more like a sentence than a company name.

The second thing we notice about the email address is that it came from a random domain, not an email address associated with AT&T.  We removed the actual email address, but take our word for it…it was pretty obvious.

Please Note:  In this case the email address was obviously fake, but there are cases where hackers are more creative.  Hackers could register something close to a legitimate website, such as att.com.billing[.]net or attbillingsupport[.]net.  Neither of these is a legitimate AT&T website.  Another trick hackers use is substituting characters that resemble letters: numbers such as 1’s for l’s (b11ling), or capital letters that resemble lowercase letters, such as a capital i in place of a lowercase l (bIIling, which looks like billing but is actually biiling).  You have to be careful when quickly scanning an email address.  If any part of the email looks suspicious, go back to the top and look at the email address again more closely.

Another Note: Hackers can set a display name to anything they want, so anyone could make an email address display “AT&T Billing”.  The display name alone is not enough to go by.

This email also has a “call to action.”  A “call to action” is a way for a hacker to get people to do things they wouldn’t normally do, such as click on a suspicious link, open an attachment, or call an unknown phone number.  A “call to action” is a hacker’s way of using human nature against us.  If you do use AT&T, maybe the amount of the bill is much higher than you usually pay.  You would instantly be upset and curious about why the bill is so high.  Your curiosity tells you that you must open the bill and look at it.  If you don’t have an AT&T account, you may be upset they are sending you a bill and would want to “fight back”.  Or maybe you used AT&T in the past, and again, being angry and curious would entice you to click on the link and open the bill.  In any of these cases, you need to stop and think before reacting by clicking on links to take care of the issue.  You should resist the instant click and continue analyzing the email.

The biggest warning sign, other than the email address issues, was that the “View your bill here.” link went to a totally random website not related to AT&T.  We did not want to include the actual link, but again, trust us, it was very obvious it wasn’t an AT&T website.  Even if the display name and email address had looked legitimate, the fact that the link to the “bill” wasn’t even close to an AT&T website would have been all we needed to see to determine this was a fake email.
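As an added example (not part of the original post), here is a small Python checker that applies three of the signs discussed above: a display name that claims the brand while the sender domain does not match, look-alike domains built from confusable characters (the b11ling / bIIling trick), and a “View your bill” link pointing at an unrelated domain.  The allow-list of legitimate domains, the brand word and the sample message are constructed assumptions for the example, not data from the incident.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for this example: domains a genuine AT&T email would come from
# (an assumed allow-list, not an authoritative one) and the brand word to look for.
LEGIT_DOMAINS = {"att.com", "att.net"}
BRAND = "att"

# Characters that look alike in common fonts fold to one representative, so
# "billing", "b11ling" and "bIIling" all produce the same skeleton.
CONFUSABLES = str.maketrans({**{c: "l" for c in "iI1|"}, **{c: "o" for c in "O0"}})

def skeleton(text):
    """Visual skeleton of a string: confusables folded, then lowercased."""
    return text.translate(CONFUSABLES).lower()

def registrable(host):
    """Crude registrable domain (last two labels); a public-suffix list would be better."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def domain_warnings(host, context):
    """Warning signs for one sender or link host, relative to the allow-list."""
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return []
    found = [f"{context}: {host} is not a known {BRAND} domain"]
    if skeleton(reg) in {skeleton(d) for d in LEGIT_DOMAINS}:
        found.append(f"{context}: {reg} is a look-alike of a legitimate domain")
    elif any(label.startswith(BRAND) for label in skeleton(host).split(".")):
        # att.com.billing.net style: the brand appears as a label, the domain is unrelated
        found.append(f"{context}: brand name used inside unrelated domain {host}")
    return found

def analyze(from_header, html_body):
    """Collect warning signs from the From header and every link in the body."""
    display, address = parseaddr(from_header)
    sender_host = address.rpartition("@")[2]
    found = []
    claims_brand = BRAND in re.sub(r"[^a-z]", "", skeleton(display))
    if claims_brand and registrable(sender_host) not in LEGIT_DOMAINS:
        found.append(f"display name '{display}' claims {BRAND} but sender is {sender_host}")
    found += domain_warnings(sender_host, "sender")
    for href, text in re.findall(r'<a[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', html_body, re.I | re.S):
        found += domain_warnings(urlparse(href).hostname or "", f"link '{text.strip()}'")
    return found

# Constructed sample modelled on the email described in the post (addresses are invented).
SAMPLE_FROM = '"AT&T Inc. All rights reserved." <notice@att.com.billing.net>'
SAMPLE_BODY = '<p>Your mobile bill isready.</p><a href="http://att.c0m/bill">View your bill here.</a>'

if __name__ == "__main__":
    for warning in analyze(SAMPLE_FROM, SAMPLE_BODY):
        print("WARNING:", warning)
```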

Another noticeable issue for us is that the email ends with “PLEASE DON’T ANSWER BACK TO THIS LETTER”.  Companies may state that the email is being sent from an unmonitored address or is automatically generated and not to reply directly, but most companies would never say to never answer the email.  The wording is not “corporate” enough.  Another reason the statement made us suspicious is that just above it, the email said to Email support.  So they are providing the customer with a way to “answer back to the letter”, but also saying not to reply.  The statement is also inside a suspicious-looking privacy/copyright statement.

Speaking of the privacy/copyright statement, it just doesn’t look right to us, and if you were an AT&T customer, we would assume it doesn’t match previous statements on their emails.  You can’t trust an email even if the privacy/copyright statement matched, but the fact that it is so different is a reason to question the email.

Here are a few other random warning signs:

  • The email states your mobile bill is ready and refers to a mobile invoice, but later says “AT&T Online Services”.  “Online Services” usually relates to internet service, not mobile/cellular service.
  • The subject of the email says “cellular bill”, but the body of the email states “mobile”.  Inconsistent use of language should always raise suspicions.
  • The email says to contact “Support”, but normally you would speak with “Billing” if there was an issue with your bill.
  • The sentence about contacting support has several noticeable grammar issues, such as a lowercase q in quick followed by a capital A in and.  The formatting is also off, with Email us above Support, and the sentence just doesn’t look like it should if it were an email template from a big company (such as AT&T in this example).
  • The email states “Your mobile bill isready”.  First, there isn’t a space in “isready”, and second, we would think most companies wouldn’t put a statement like this in such a big font.  That would be reserved for things related to rewards, such as a coupon, not “Here’s your bill!!”.
  • The use of “Dear Customer,” looks off to us as well.  A lot of companies now include your name in the email.  If you normally receive emails from AT&T and they address you by name, this would be a warning sign since this time they do not.  It’s not the best warning sign of course, since anyone could put your name in the email, but it is something to notice given everything else we have seen.

BEST PRACTICE:  You may be asking, “If I get an email like this in the future without all these warning signs, what could I do to figure out if the email was legitimate?”  Our recommended procedure, or best practice, is to search for the company’s website or phone number using your favorite search engine.  If you have visited the company’s website many times in the past and have a bookmark for it, using your bookmark is fine as well.  It is best to assume any links or phone numbers in the email are fake, so we recommend never clicking on any links or calling any phone numbers listed within the email.  If you do have an account with the company the email claims to be from, we suggest logging in to your account, reached via the search engine best practice we just mentioned, to see if you have a balance due.

Another thing you can do, if you are a customer of the company the email claims to be from, is to compare the email to previous emails you have received.  A match wouldn’t confirm the email is legitimate, especially when combined with all the other warning signs, but you would quickly see the email is not to be trusted if it is drastically different from other emails you have received.


The user in this scenario ignored all the warning signs and clicked on the link in the email to “view the bill”.  They were then presented with the option to download a Word document.  As soon as that occurred, the user should have been even more suspicious.  Usually a company would link you to your account to see your bill or include the bill as an attachment, but they usually do not link you to a website to download a Word document…especially when the website is not related to the company.

Also, receipts/bills are usually in PDF format, not a Word document.


After the user in this scenario downloaded the Word document and attempted to open it, they were asked to enable macros (as seen in the screenshot).

Side Note: You may notice this is the same screenshot used in our previous tutorial.  We didn't have an actual screenshot of this incident, but it was very similar to this one.

As soon as the user was asked to enable macros, they should have seen all the warning signs they needed.  Hackers use macros to hide various malicious activities.  More importantly, a bill/receipt would have no reason to need macros.


If you were like the user above (downloaded and opened the file), you should consider your computer compromised and follow the steps outlined in our blog post What should I do if my device is lost or stolen....  After reading the post and seeing all of our recommendations, at a minimum we would have someone reimage the computer to ensure no viruses/malware are lingering and capturing your data (passwords, personal information, etc.).