christopantz's profile

New Member

 • 

3 Messages

Monday, November 7th, 2022 5:25 AM

Scammy-looking email asking for sensitive information

Hi,

I signed up for internet through AT&T at my new apartment a couple days ago, and today I received an email from [email scrubbed] asking for proof of occupancy at my apartment. It feels fishy—it's got no formatting, there are 50 or so other emails that are being CC'd, and it's asking for sensitive information like a copy of my lease agreement, utility bills, etc. It also doesn't have my AT&T account number like I would expect given this guide from AT&T, and it contains a phone number (1-844-638-6907) that I have not seen on any official AT&T documentation.

Normally, I would disregard this email, but I found this AT&T support forum post, seemingly saying the email is legit. I just don't feel comfortable sending such sensitive information this way though.

Can anyone provide any insight into this?

JefferMC

ACE - Expert

 • 

31K Messages

3 months ago

I would stay away from that phone number, and the e-mail has a bad smell.

What is the actual from address of the e-mail? And if you know how to look at SMTP headers, where did it come from?

ATTHelp

Community Support

 • 

207.7K Messages

3 months ago

Let us address your concern about this suspicious email, christopantz.

 

As JefferMC mentioned, we recommend not calling the number listed in the email.

 

You can forward the email to us at abuse@att.net, so we can investigate it further. Make sure you include the full header, so we can find out exactly where it came from.

 

If you need to submit proof of residency, you should send it to the email address in the article you referenced.

 

If you have any other questions, let us know.

 

Aminah, AT&T Community Specialist

New Member

 • 

3 Messages

3 months ago

@JefferMC, I'm not sure exactly how to interpret this information, but here's the code for the email, if you'd like to see (I've redacted the email addresses of the recipients).

Delivered-To: [REDACTED]
Received: by 2002:a05:7000:4b8f:b0:3cc:492c:57c9 with SMTP id l15csp1647400mam;
        Sun, 6 Nov 2022 19:47:02 -0800 (PST)
X-Google-Smtp-Source: AMsMyM50iYAfsRf/m7VYbqxbihIo7Ml2F3y2lHHFUj/VuzHSMvQ7lvof61eJ2j9FhOZknOVwQy6Y
X-Received: by 2002:a05:6808:1294:b0:35a:500d:878c with SMTP id a20-20020a056808129400b0035a500d878cmr11002598oiw.242.1667792821846;
        Sun, 06 Nov 2022 19:47:01 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1667792821; cv=none;
        d=google.com; s=arc-20160816;
        b=ZFbyl9rUAWlkZeeS3YFiAs8GLAPV5NX2BukzmFTx/NVxBzjFDuWaqlRJAAnaZ5z6xs
         bB7BXrr5zDXJAGnXoUhFNGXg5FwoZXzEUd8K7RYK8Ty5POeHO6IETf50PnvuB7FtV8Ts
         ggndO2Q/ma0fi3Ts6VznfZ9jrI/q9v+c7KegESThzTKNqF+lreUOuyCpKslYWrZ4Iyg4
         R/uJ9MXA6PNGUMAvz8qD9BnawEozYTPWjbF6kWqYFyiLOhrUsg/ZuA8F/XBSWJ7CYkmv
         3xaUHQwXfuyXEyblmepy7eNfS4vPh7P+EdtlCgeUoSgenaCfBPIUlKB4DQiaLR3dSIKG
         5d6w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=mime-version:subject:message-id:to:from:date:dkim-signature;
        bh=JUINkHY9xYQg2r/29Ewxle2ecHdJwaXiCNTrUzDOKAc=;
        b=fYS3Zm2KFrTIYAFf8OUqpHUaCiSOgnAXQsv+eWNSrMwOkPPSUIEFF4/b60Av7bZjB0
         ZEJkdAWXOlbkQg7uY9hAgxvDWj4S8rQjAB98Sof9OB7nWtEZx3/IMID/kl/wm0vaHg6e
         0D+VmGKcNSwhiuzSIe8vsv2p7agMQ0NFJJc7g3YQSuFjpjvjLiT/aUC3kIpAq5mkAPC6
         qp5AiMZkjhtX7pQUS6Pk6Jy0Ug4mgmvMNHUS7CA6TbI90p2PkqH5PWAaqiThDXaoYNYv
         KD7XjbRw+ie04uCA79GkLf3cRdib522EJSgV0g0l+jiju6AkdQYwLseAFTDeUe7sl0wz
         DKnA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail (test mode) header.i=@amcustomercare.att-mail.com header.s=egs03 header.b=SO1GGP0t;
       spf=pass (google.com: domain of [email scrubbed] designates 144.160.112.13 as permitted sender) smtp.mailfrom=[email scrubbed];
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=att-mail.com
Return-Path: <[email scrubbed]>
Received: from egssmtp04.att.com (egssmtp04.att.com. [144.160.112.13])
        by mx.google.com with ESMTPS id e12-20020a4aaacc000000b00475bbe29c5csi7153135oon.60.2022.11.06.19.47.01
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 06 Nov 2022 19:47:01 -0800 (PST)
Received-SPF: pass (google.com: domain of [email scrubbed] designates 144.160.112.13 as permitted sender) client-ip=144.160.112.13;
Authentication-Results: mx.google.com;
       dkim=fail (test mode) header.i=@amcustomercare.att-mail.com header.s=egs03 header.b=SO1GGP0t;
       spf=pass (google.com: domain of [email scrubbed] designates 144.160.112.13 as permitted sender) smtp.mailfrom=[email scrubbed];
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=att-mail.com
Received: from zlp30491.vci.att.com (zlp30491.vci.att.com [135.47.91.90]) by egssmtp04.att.com (8.15.2 BerkeleyDB.5.2/8.15.2) with ESMTPS id 2A73ks03086362 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sun, 6 Nov 2022 21:46:55 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=amcustomercare.att-mail.com; s=egs03; t=1667792818; bh=QDpwLSJURUXzDa6AU5G77Nvh8QMroCu7ufqY9bhuvKw=; h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type; b=SO1GGP0t2dsc1HAe5xOYAF/J2LwS1MQiaHS3JW8BkLYJw+jXB0q4ihmhSVZPw72nL
	 LCDGnrrawf92saHDPGmK66wrKJ9yJqK1fZ+Rd5oL4bZNTxnupX8CDnGfM0V9fNwqAj
	 +N601ikCJGHpnmWPAznai9VSr19dTJMXbiAUVNXFoMOC3fQ2Eqjhj9H4uTiL7FAk1s
	 QSGNhNSRFv6ybYkyIp8umrHPaEYve3vdAaIZ1PoMh5Nv/Pz9yMNHI3Vgo59us7OJKw
	 1HYg15jJAIQMIqO5jMDa1g7tUhyP+NvKXwQKZi3gIc5X83frZVMd0JkOFqeaH5Mf9c
	 fB/ywha4M3ihg==
Received: from zlp30491.vci.att.com (zlp30491.vci.att.com [127.0.0.1]) by zlp30491.vci.att.com (Service) with ESMTP id 7073F4000787; Mon,
  7 Nov 2022 03:46:54 +0000 (GMT)
Received: from zlp13390.vci.att.com (unknown [135.41.198.199]) by zlp30491.vci.att.com (Service) with ESMTP id DDA024000783; Mon,
  7 Nov 2022 03:46:51 +0000 (GMT)
Date: Sun, 6 Nov 2022 21:46:52 -0600 (CST)
From: ATT Address Validation <[email scrubbed]>
To: [REDACTED]
Message-ID: <[email scrubbed]>
Subject: '-Case ID 88125245-'AT&T Proof of Occupancy
  (KMM141768773V92490L0KM)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_557_429321742.1667792812016"
x-mailer: KANA Response 22.1.0.104

------=_Part_557_429321742.1667792812016
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

NOTE: This is an automated email from a system mailbox. Please respond 
to this email with the previously discussed proof of occupancy.
 
Thank you for contacting AT&T! Please provide a valid proof of occupancy
so that we can resolve your ordering issue. Once you submit it the proof
of occupancy your work order will be scheduled. If you have any 
questions, please call us at 1-844-638-6907 with PIN Number 2290
 
Please provide an email of a scanned utility bill with the document 
dated within the last 30 days. This email must include your name and 
address on the email address subject line. An acceptable utility bill is
an electric, water, gas, trash/sewer, or phone bill. If a utility has 
not been rendered at this time, obtain a document from one of your 
utility companies that shows they recently established service. 
Alternately you can scan and email a copy of your rental/lease 
agreement. The agreement must include the rental/lease date and the 
signature page showing yourself and the landlord/lessor have signed the 
agreement. A warranty deed or secured trust are not permissible as proof
of residency. The document must contain your new address, and it must 
match the name and address on the service order. Please do not include 
any personal information on the document such as an account number or 
Social Security number (SSN).
 
This email and any attachments are confidential AT&T property intended 
solely for the recipients. If you received this message in error, please
notify AT&T and immediately delete this message from your computer. Any 
retention, distribution or other use of this email is strictly 
prohibited.
------=_Part_557_429321742.1667792812016
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

<html dir="LTR">
  <head>

  </head>
  <body>
    <div style="font-family:Dialog;font-size:14pt;">
      
      
      
      
      

      <p style="margin-margin-">
 

      </p>

      

      <p style="margin:0in;">
NOTE: This is an automated email from a system mailbox. Please respond to this email with the previously discussed proof of occupancy.

      </p>

      <p style="margin:0in;">
 

      </p>

      <p style="margin:0in;">
Thank you for contacting AT&T! Please provide a valid proof of occupancy so that we can resolve your ordering issue. Once you submit it the proof of occupancy your work order will be scheduled. If you have any questions, please call us at 1-844-638-6907 with PIN Number 2290

      </p>

      <p style="margin:0in;">
 

      </p>

      <p style="margin:0in;">
Please provide an email of a scanned utility bill with the document dated within the last 30 days. This email must include your name and address on the email address subject line. An acceptable utility bill is an electric, water, gas, trash/sewer, or phone bill. If a utility has not been rendered at this time, obtain a document from one of your utility companies that shows they recently established service. Alternately you can scan and email a copy of your rental/lease agreement. The agreement must include the rental/lease date and the signature page showing yourself and the landlord/lessor have signed the agreement. A warranty deed or secured trust are not permissible as proof of residency. The document must contain your new address, and it must match the name and address on the service order. Please do not include any personal information on the document such as an account number or Social Security number (SSN).

      </p>

      <p style="margin:0in;">
 

      </p>

      <p style="margin:0in;">
This email and any attachments are confidential AT&T property intended solely for the recipients. If you received this message in error, please notify AT&T and immediately delete this message from your computer. Any retention, distribution or other use of this email is strictly prohibited.

      </p>

      <p style="margin-margin-">
 

      </p>

      
      
      
      
      
      
      
      
      
      

      <div>

      </div>
    </div>
</body>
</html>
------=_Part_557_429321742.1667792812016--

(edited)

JefferMC

ACE - Expert

 • 

31K Messages

3 months ago

My reading of [what's left of] those headers [after the forum filter that removes e-mail addresses has processed it] tells me that this appears to have actually come from AT&T and is likely a legitimate request, at least in the opinion of someone at AT&T.

Given that, the number is likely okay.  I would try to call 800-288-2020 to see if you can reach the same department through a well-known number, but if that fails...

I'm going to refer this conversation to an AT&T Manager to feed up the chain how this e-mail looks, the "strange" phone number and the fact that ATThelp can't validate it and tells you to forward it to the abuse at att.com black hole and to see if the process can be improved.  I'm not holding my breath, however.
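The header reading discussed in this thread, as an added example that is not part of any post here: it parses the `Authentication-Results` and `Received` lines from an abridged copy of the headers posted above and reports what the receiving server recorded. DMARC passes when either SPF or DKIM passes in alignment with the From domain, so the example flags a pass that rests on SPF alone. The function names and the `trusted_authserv` parameter are illustrative assumptions.

```python
import re
from email import message_from_string
# Abridged excerpt of the headers posted above (addresses already scrubbed).
RAW = """\
Authentication-Results: mx.google.com;
       dkim=fail (test mode) header.i=@amcustomercare.att-mail.com header.s=egs03 header.b=SO1GGP0t;
       spf=pass (google.com: domain of [email scrubbed] designates 144.160.112.13 as permitted sender) smtp.mailfrom=[email scrubbed];
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=att-mail.com
Received: from egssmtp04.att.com (egssmtp04.att.com. [144.160.112.13])
        by mx.google.com with ESMTPS; Sun, 06 Nov 2022 19:47:01 -0800 (PST)
Received: from zlp30491.vci.att.com (zlp30491.vci.att.com [135.47.91.90])
        by egssmtp04.att.com with ESMTPS; Sun, 6 Nov 2022 21:46:55 -0600
From: ATT Address Validation <[email scrubbed]>

"""

def parse_auth_results(value):
    """Split one Authentication-Results value into (authserv_id, {method: fields})."""
    policy = re.search(r"dmarc=\S+\s+\(p=(\w+)", value)  # Gmail puts the policy in a comment
    value = re.sub(r"\([^()]*\)", "", value)              # drop parenthesised comments
    parts = [p.strip() for p in value.split(";") if p.strip()]
    methods = {}
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        methods[method] = {"result": result, **props}
    if policy and "dmarc" in methods:
        methods["dmarc"]["policy"] = policy.group(1).lower()
    return parts[0], methods

def received_hops(msg):
    """Return Received hops newest-first as (sending host, sending IP, receiving host)."""
    pat = re.compile(r"from\s+(\S+).*?\[([0-9A-Fa-f.:]+)\].*?by\s+(\S+)", re.S)
    return [m.groups() for h in msg.get_all("Received", []) if (m := pat.search(h))]

def assess(raw, trusted_authserv="mx.google.com"):
    """Summarise only what the reader's own receiving server recorded."""
    msg = message_from_string(raw)
    out = {"hops": received_hops(msg)}
    for value in msg.get_all("Authentication-Results", []):
        authserv, m = parse_auth_results(value)
        if authserv != trusted_authserv:
            continue  # results stamped by any other host could be forged by the sender
        out.update({k: m.get(k, {}).get("result") for k in ("spf", "dkim", "dmarc")})
        out["from_domain"] = m.get("dmarc", {}).get("header.from")
        out["policy"] = m.get("dmarc", {}).get("policy")
        out["dmarc_rests_on_spf_only"] = out["dmarc"] == "pass" and out["dkim"] != "pass"
    return out
```

Only the hop recorded by the reader's own mail provider (the newest `Received` line with a sending host) is independently observed; earlier hops are whatever the sending side wrote.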

New Member

 • 

3 Messages

3 months ago

Here's an update on this:

I tried to finally set up my equipment today, but was having troubles. I called AT&T's tech support (via the number listed in the documentation for the equipment they sent), and they said the reason I was having trouble was because they needed to confirm my address. The man on the phone told me to send proof of address to the email that sent the suspicious-looking email to me initially.

So it turns out this wasn't a scam. Absolutely all the appreciation in the world to the non-AT&T employee on this forum who tried to help, but the fact that an actual AT&T representative on here couldn't tell me that their own email was legit is pretty frustrating. Now I need to wait 5-7 days for them to validate my address, which is completely problematic as I need internet by this Monday, as I work from home—I'm going to end up spending a bunch of money setting up a mobile hotspot because I tried to be diligent and not fall for a scam.

I won't vent on here too much about this, but I wish AT&T could just send that email from a much more official looking source, like, an actual @att.com/net/etc domain at the very least, or even have some sort of notification within their own web interface to reflect that I need to send a proof of address. If I hadn't thought this was a scam, I wouldn't be scrambling to get internet at my new place!

tl;dr: The email was legit, and since I assumed it was a scam (because someone who works at AT&T led me to believe so), I now am going to be without internet for 5-7 days and need to figure out another (costly) solution during that time.
