{“lastseen”:”2026-01-27T18:08:20″,”description”:”A coworker shared this suspicious SMS where AT\\u0026T supposedly warns the recipient that their reward points are about to expire.\\n\\nPhishing attacks are growing increasingly sophisticated, likely with help from AI. They’re getting better at mimicking major brands\u2014not just in look, but in behavior. Recently, we uncovered a well-executed phishing campaign targeting AT\\u0026T customers that combines realistic branding, clever social engineering, and layered data theft tactics. \\n\\nIn this post, we\u2019ll walk you through the investigation, screen by screen, explaining how the campaign tricks its victims and where the stolen data ends up.\\n\\nThis is the text message that started the investigation.\\n\\n\\n\\n\u201cDear Customer, \\nYour AT\\u0026T account currently holds 11,430 reward points scheduled to expire on January 26, 2026. \\nRecommended redemption methods: \\n- AT\\u0026T Rewards Center: {Shortened link} \\n- AT\\u0026T Mobile App: Rewards section \\nAT\\u0026T is dedicated to serving you.\u201d\\n\\nThe shortened URL led to `https:\/\/att.hgfxp[.]cc\/pay\/`, a website designed to look like an AT\\u0026T site in name and appearance.\\n\\n\\n\\nAll branding, headers, and menus were copied over, and the page was full of real links out to att.com.\\n\\nBut the \u201cmain event\u201d was a special section explaining how to access your AT\\u0026T reward points.\\n\\nAfter \u201cverifying\u201d their account with a phone number, the victim is shown a dashboard warning that their AT\\u0026T points are due to expire in two days. This short window is a common phishing tactic that exploits urgency and FOMO (fear of missing out).\\n\\n\\n\\nThe rewards on offer\u2014such as Amazon gift cards, headphones, smartwatches, and more\u2014are enticing and reinforce the illusion that the victim is dealing with a legitimate loyalty program.\\n\\nTo add even more credibility, after submitting a phone number, the victim gets to see a list of available gifts, followed by a final confirmation prompt.\\n\\n \\n\\nAt that point, the target is prompted to fill out a \u201cDelivery Information\u201d form requesting sensitive personal information, including name, address, phone number, email, and more. This is where the actual data theft takes place.\\n\\n\\n\\nThe form\u2019s visible submission flow is smooth and professional, with real-time validation and error highlighting\u2014just like you\u2019d expect from a top brand. This is deliberate. The attackers use advanced front-end validation code to maximize the quality and completeness of the stolen information.\\n\\nBehind the slick UI, the form is connected to JavaScript code that, when the victim hits \u201cContinue,\u201d collects everything they\u2019ve entered and transmits it directly to the attackers. In our investigation, we deobfuscated their code and found a large \u201cdata\u201d section.\\n\\n\\n\\nThe stolen data gets sent in JSON format via POST to `https:\/\/att.hgfxp[.]cc\/api\/open\/cvvInterface`.\\n\\nThis endpoint is hosted on the attacker’s domain, giving them immediate access to everything the victim submits.\\n\\n## What makes this campaign effective and dangerous\\n\\n * **Sophisticated mimicry** : Every page is an accurate clone of att.com, complete with working navigation links and logos.\\n * **Layered social engineering** : Victims are lured step by step, each page lowering their guard and increasing trust.\\n * **Quality assurance** : Custom JavaScript form validation reduces errors and increases successful data capture.\\n * **Obfuscated code** : Malicious scripts are wrapped in obfuscation, slowing analysis and takedown.\\n * **Centralized exfiltration** : All harvested data is POSTed directly to the attacker’s command-and-control endpoint.\\n\\n\\n\\n## How to defend yourself\\n\\nA number of red flags could have alerted the target that this was a phishing attempt:\\n\\n * The text was sent to 18 recipients at once.\\n * It used a generic greeting (\u201cDear Customer\u201d) instead of personal identification.\\n * The sender’s number was not a recognized AT\\u0026T contact.\\n * The expiration date changed if the victim visited the fake site on a later date.\\n\\n\\n\\nBeyond avoiding unsolicited links, here are a few ways to stay safe:\\n\\n * Only access your accounts through official apps or by typing the official website (att.com) directly into your browser.\\n * Check URLs carefully. Even if a page looks perfect, hover over links and check the address bar for official domains.\\n * Enable multi-factor authentication for your AT\\u0026T and other critical accounts.\\n * Use an up to date real-time anti-malware solution with a web protection module.\\n\\n\\n\\nPro tip: Malwarebytes Scam Guard recognized this text as a scam.\\n\\n* * *\\n\\n**We don ‘t just report on scams\u2014we help detect them**\\n\\nCybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we\u2019ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!”,”published”:”2026-01-27T17:43:47″,”modified”:”2026-01-27T17:43:47″,”type”:”malwarebytes”,”title”:”Watch out for AT\\u0026amp;T rewards phishing text that wants your personal details”,”source”:””,”references”:””,”id”:”MALWAREBYTES:E6B00B88583A3A5A41BEBA61C113EA16″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2026\/01\/watch-out-for-att-rewards-phishing-text-that-wants-your-personal-details”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-27T18:08:20″,”description”:”A coworker shared this suspicious SMS where AT\\u0026T supposedly warns the recipient that their reward points are about to expire.\\n\\nPhishing attacks are growing increasingly sophisticated,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-37626","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n