A new phishing campaign identified by Malwarebytes Labs targets AT&T customers with text messages about expiring rewards points. Users are urged to claim their rewards ASAP by clicking the included link, which is actually designed to harvest sensitive personal information.
AT&T rewards scam phishes personal information
Targets for this scam have received texts containing a “Rewards Expiration Notice” urging them to redeem points in their AT&T account before they are scheduled to expire. The message includes a specific points balance and expiration date along with two “recommended redemption methods”:
-
AT&T Rewards Center: [shorturl link]
-
AT&T Mobile App: Rewards section
As Malwarebytes discovered, the short link sends users to a https://att.hgfxp[.]cc/pay/, a spoofed website with AT&T branding, headers, menus, and links out to the real AT&T domain. Users are directed to enter their phone number to verify their account, which leads to a screen warning that their points are set to expire. Further down, you can see redemption options, including an Apple Watch Series 9, Sony WH-1000XM4 Wireless Headphones, and Amazon gift cards.
In order to claim a reward and arrange delivery, victims are then prompted to enter more personal information—which is transmitted directly to the scammers. Malwarebytes notes that the forms have real-time validation and error highlighting so users are less likely to suspect the fraud.
Rewards scam red flags
This scam relies on social engineering tactics —like a sense of urgency and the fear of missing out—to trick targets into engaging. And while it does have a somewhat believable look and feel as well as a multi-step approach to build user trust, it also has some clear red flags. The text originates from a regular phone number rather than a short code, which is often used for automated messages, and the sender doesn’t appear as a recognized AT&T contact. The thread also includes multiple recipients and a generic greeting. (A legitimate message from AT&T will be sent directly to you.)
Then there’s the shortened URL that leads to a website not owned by AT&T. While the page has some realistic branding and working links, it also has a number of typos and grammatical and formatting errors. Malwarebytes found that if you click the link on different days, the expiration date on the site changes.
As always, don’t click links in unsolicited texts. AT&T does have a rewards program, but you should go directly to that portal via the web or app to manage your rewards.
