UPS and ATT Brand Impersonation Campaign Linked to Terra.com Infrastructure
This scam campaign involves the coordinated impersonation of two major American brands, UPS and AT&T, through a cluster of nine connected entities including one phone number, five domains, and three email addresses. The campaign uses fraudulent email addresses and lookalike domain constructions to deceive consumers into believing they are communicating with legitimate customer service representatives. The central fraudulent email address, customerservices@ups.com, has been reported together with phone number 678-701-8046, the domain ups.com, the email jwatson@terra.com, and the domain terra.com, all at a high confidence level of 1.00, indicating these entities have been consistently co-reported by victims and investigators. A secondary arm of the campaign involves the spoofed domain ordertrack.wireless.att-mail.com and the associated email attorderstatus@ordertrack.wireless.att-mail.com, which mimic AT&T's order tracking communications to add a layer of false legitimacy.
The infrastructure backbone of this campaign connects to terra.com, a domain registered on February 18, 1999, through Spanish registrar Acens Technologies, S.L.U. The email jwatson@terra.com has been reported alongside customerservices@ups.com and phone number 678-701-8046 at full confidence, suggesting this terra.com account is used by an operator coordinating multiple impersonation threads simultaneously. The use of an aged, established domain like terra.com may be a deliberate tactic to reduce suspicion from spam filters and email security tools. The domain wwwapps.ups.com and the legitimate domains ups.com and www.att.com appear in the cluster as reported-together entities, likely because victims received communications referencing or spoofing these real domains alongside the fraudulent infrastructure, creating confusion between legitimate and malicious assets.
Community reporting has confirmed active social engineering attempts tied to this cluster. Multiple reports, each receiving five upvotes on community fraud-tracking platforms, describe a scammer baiting scenario originating from www.terra.com in which the operator sent emails impersonating UPS Customer Services. Victims reported the activity to Western Union, UPS, and law enforcement authorities. The mention of Western Union in community reports is significant, as it strongly suggests the campaign's end goal involves fraudulent payment collection through wire transfer, a hallmark of advance-fee and parcel delivery scams. Despite the confirmed community reports and cross-entity relationships, the phone number 678-701-8046, which carries a Georgia area code, currently shows zero formal FTC complaints, suggesting underreporting or that the number is used sparingly to avoid triggering automated complaint thresholds.
Consumers who receive emails from addresses such as customerservices@ups.com or attorderstatus@ordertrack.wireless.att-mail.com, or who are contacted by phone number 678-701-8046 in connection with package delivery or account order status claims, should take the following steps immediately. Do not click any links in unsolicited emails, do not call back numbers provided in unexpected messages, and do not send money through Western Union, wire transfer, gift cards, or any other payment method requested by someone claiming to be a shipping or telecom company. Legitimate companies like UPS and AT&T will never demand payment through these channels. To verify whether a communication is genuine, go directly to ups.com or att.com by typing the address into your browser rather than clicking any provided link. Check suspicious phone numbers and domains using tools such as the FTC's fraud reporting database at reportfraud.ftc.gov, the FCC's complaint portal at fcc.gov/consumers/guides/filing-informal-complaint, and community lookup tools such as WhoCalledMe or ScamNumbers. Report any contact from these entities to the FTC at reportfraud.ftc.gov and to the FCC if the contact was by phone.
This campaign represents a moderate to elevated threat level due to its multi-brand impersonation strategy, confirmed social engineering activity, cross-channel coordination across email and phone, and the use of aged third-party domain infrastructure to evade detection. Recommended next steps include flagging the domain ordertrack.wireless.att-mail.com for takedown review, reporting jwatson@terra.com to Acens Technologies S.L.U. for abuse investigation, and submitting phone number 678-701-8046 to the FTC and relevant carrier for call-blocking review. Consumers who have already engaged with this campaign and provided personal or financial information should contact their bank immediately and place a fraud alert with the major credit bureaus.