Is that really your bank texting you with an urgent message about suspicious account activity? Is it truly a relative in a money jam who’s calling?
Consumers have even more reason for a dose of caution when their phones light up after news of a data breach that siphoned nearly all the phone numbers of AT&T’s cellular customers over an approximately six-month span, cybersecurity experts said.
Most Read from MarketWatch
To be clear, the illegally downloaded phone-call and text-message records do not include the content of those texts and calls, AT&T T said Friday.
But the telecommunications giant noted that the stolen information revealed other phone numbers with which these numbers interacted, including phone numbers associated with other cellphone carriers, according to an SEC filing.
The exposed records covered a May 2022 to October 2022 time frame, plus Jan. 2, 2023, AT&T said.
The data doesn’t reveal customer names, yet AT&T said in an SEC filing that it’s possible to match a name to a number with “publicly available online tools.” AT&T does not believe the data is publicly available “at this time.”
In March, AT&T said it found Social Security numbers and passcodes for 7.6 million current account holders, as well as 65.4 million former account holders, on the “dark web.”
Phone numbers and Social Security numbers are two different things. Still, the heaps of phone numbers and associated data exposed in the latest breach could offer scammers a treasure trove of information on the calling patterns and relationships of the people and businesses using those numbers, experts told MarketWatch.
In the wrong hands, that information could be pieced together to create more believable scams where fraudsters trick their victim by mentioning a person’s supposed friend or relative — or their bank. It’s not a certainty that the AT&T breach will lead directly to new scams, but it doesn’t hurt for affected customers to be extra vigilant going forward, experts said.
“You can’t have unwavering trust in any sort of digital communication, even if it’s coming from someone you trust,” said John Dwyer, director of security research for Binary Defense.
It’s tough to predict exactly how — and if — the latest AT&T breach plays into the array of cyber scams that Americans face already, experts told MarketWatch.
But the breach is another reminder of the threat of imposter scams where Americans are collectively bilked out of billions by scammers masquerading as a trusted person or business.
Americans lost $2.7 billion to imposter scams last year, according to the Federal Trade Commission. And we’re still just at the dawn of deepfakes and AI-powered trickery, experts noted.
“This trend is not going to stop and we are going have to verify, even with the people we know and trust,” Dwyer said. “It’s not going to get any better. It’s only going to get more and more convincing.”
How do I find out if my phone number was exposed in the AT&T data breach?
AT&T says it will notify customers through text, email or mail. The notifications have already started, a company spokesperson said. First, be on the lookout for an email, and if that’s not successfully delivered, look out for a letter in the mail, the representative said. Cricket customers are getting text messages and physical mail if needed.
Users can also log into their AT&T account to see if their number was involved. They also can ask for a report offering “a more user-friendly version of technical information that was compromised,” the spokesperson said.
AT&T has more information for customers available here.
After the March breach, AT&T offered to pay for credit monitoring. It is not offering that in this instance.
Should I change my cellphone number?
People can take that step if they really, really want to — but experts said there are other ways to protect themselves short of discarding the phone number that’s embedded in their personal and financial lives.
“What is the cost-benefit analysis on that?” Dwyer said of a number change. Instead, affected customers “can do things with extra vigilance.”
“They can’t do anything with the information they have right now, beyond tricking you,” said Greg Schaffer, principal at cybersecurity firm vCISO Services, referring to how scammers might use your phone number.
What’s next for people who had their cellphone information exposed in the data breach?
As “a general rule,” people should be on guard about unfamiliar senders and suspicious texts, AT&T said. People should only open texts and emails from people they know and trust, the company said.
Common scams to be aware of include “phishing,” where fraudsters masquerade as a trusted source and send an email asking the recipient to provide information, log into an account, click on a link or take some other action in order to exploit the recipient. There’s also “smishing,” which tries to trick victims via text messages.
It’s difficult to know exactly which, if any, scams could result from the AT&T breach. The company is working with law-enforcement authorities and said at least one person has been apprehended.
Here’s where cybersecurity experts say consumers should be even more vigilant — even with the people, businesses and financial institutions they think they know.
Theoretically, cyber thieves could determine a person’s relatives or where they bank by analyzing the cellphone numbers exposed in the data breach, experts said. By spoofing a number to manipulate the caller ID or how it appears in a text message, the crook could then ask the target to click a link, call a number, or start the process of a multifactor authentication.
Do n ot click the link, call the number presented, or perform the requested action.
“The first thing I tell people is to breathe and slow down,” said Schaffer. If you receive a text asking for money or asking you to click on a link, call the person directly or find the business’s number yourself. A call back is powerful because a person spoofing a call or text can’t receive one, he noted.
For crooks, the goal is to create a false sense of urgency, said Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, a nonprofit organization.
“If it’s a bank saying there’s something wrong you need confirm, don’t call the number you’re given,” he said. “It’s slowing down and going out of the current bounds of that conversation which is crucial to verifying the sender of the message and the legitimacy.”
The rule applies for supposed bank messages and ones from relatives. So, suppose a person’s mom text them with a request to click on a link or pass along some money, Dwyer said. In that case, it’s time to call your mother.
“It’s just part of existing in the digital world of 2024,” he said.
What personal-finance issues would you like to see covered in MarketWatch? We would like to hear from readers about their financial decisions and money-related questions. You can fill out or write to us at . A reporter may be in touch to learn more. MarketWatch will not attribute your answers to you by name without your permission.
Most Read from MarketWatch
Source Agencies
