Web users have a hard enough time picking out phishing emails from scammers without legitimate companies sending emails bearing some of the hallmark signs we're often told to look out for.

Sky has come under criticism from one security expert after sending customers an email informing them that their password had been reset and that they must choose a new one by first entering their email address and username.

Sky didn't tell users why they needed to reset their password or whether their login details had been compromised by a third party; it simply said the change must be made to keep the account safe. That is poor practice in itself, but the lack of specifics is also exactly the kind of suspicious sign that suggests bad actors may be at work.

Although the email is genuine and is from Sky, alarm bells were raised further by the company addressing users as "Dear Customer" rather than by name. As security blogger Graham Cluley points out, there is no mention of the customer's Sky ID, account number or postcode, any of which would have offered greater reassurance that this wasn't a generic phishing email.

Many users were concerned enough to ignore the email and contact the @SkyHelpTeam on Twitter.

There's also a clickable link taking customers to their sign-in page. Although the written link spells out the URL, we all know the hyperlink text can say one thing while taking you to another page. Like this, for example.

After the fact, Sky has explained what was going on in a Q&A on its website. The company writes: “Sky has been informed by the provider of Sky.com email accounts that a number of accounts have been accessed without permission through an attack called ‘credential stuffing’. This is where an intruder has obtained a list of usernames and passwords (“credentials”) from one or more external sources illegitimately. The intruder then runs an automated programme across a range of online services to see if those credentials are still valid. If the credentials match, the intruder can then log in to that account.”
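The pattern Sky's Q&A describes (one automated source trying a long list of leaked credentials, most of which fail and a few of which succeed) is what an authentication log of a stuffing attack looks like, and it is the signal a service provider should alert on before deciding which accounts to reset. The following is an added example, not code from Sky or its email provider: it scans constructed login records and flags any source IP that, within a sliding time window, attempts many distinct usernames with a high failure ratio, reporting how many of those attempts succeeded. The log format, thresholds and IP addresses are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data):
# "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 203.0.113.7 alice@example.test FAIL
2024-01-01T10:00:02Z 203.0.113.7 bob@example.test FAIL
2024-01-01T10:00:02Z 203.0.113.7 carol@example.test OK
2024-01-01T10:00:03Z 203.0.113.7 dave@example.test FAIL
2024-01-01T10:00:04Z 203.0.113.7 erin@example.test FAIL
2024-01-01T10:00:05Z 203.0.113.7 frank@example.test FAIL
2024-01-01T10:00:10Z 198.51.100.2 alice@example.test FAIL
2024-01-01T10:00:20Z 198.51.100.2 alice@example.test OK
"""

def parse_log(text):
    """Parse log lines into (timestamp, ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that, inside any window of length `window`, attempt at least
    `min_users` distinct usernames with a failure ratio of at least `min_fail_ratio`.
    A normal user retrying their own password touches one username; a stuffing run
    walks a list of many. Returns {ip: {"users": n, "attempts": m, "successes": s}}
    for the first window that trips the rule."""
    by_ip = defaultdict(list)
    for ev in sorted(events):          # sorted by timestamp first
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] != "OK")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {"users": len(users), "attempts": len(win),
                               "successes": len(win) - fails}
                break
    return flagged

if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {stats['users']} usernames in {stats['attempts']} attempts, "
              f"{stats['successes']} succeeded")
```

The `successes` count is the operationally important output: accounts that accepted a password during a flagged burst are the ones whose credentials have been confirmed valid by the intruder, and those are the accounts that warrant a forced reset, ideally with a notification that explains exactly this reason rather than a generic "to keep your account safe".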

