The scammers behind a new fake AMEX phishing attack, distributed this afternoon, enlist a sneaky new tactic to boost their click-rate.
The email says suspicious activity has occurred on the user’s credit card, and that “corrective action” needs to be taken. However, it’s just a ploy to steal valuable credit card information such as account numbers and passwords.
The email tells the recipient their credit card was recently used in Texas to make purchases. It explains that for security purposes, those new charges may be declined.
It urges the cardholder to click a link to “safeguard” their account.
To support the scam, the criminals have created a fake American Express website that mirrors the real one. It is set up on a brand new domain – onlinebanking-americanexpress.com.
Users are then prompted to hand over their sensitive information.
To boost their scam, the perpetrators use an increasingly-popular new tactic. They use a free SSL certificate provider to add a false sense of security to the site. This adds a green padlock to the URL bar in an effort to convince viewers that it’s the official American Express website.
However, the green padlock simply means the site uses encryption, meaning the communication between the user’s web browser and the fake website cannot be viewed.
MailGuard has noticed an increase in the number of scammers configuring their fake websites with SSL encryption since the inception of free SSL certificates.
This particular Amex scam is sent from a number of compromised mailboxes – which may have been taken over in a past phishing scam.
Once the recipient takes the bait and hands over their credit card information, they are redirected to the real American Express website.
None of 68 popular antivirus vendors were detecting either of the links as suspicious when MailGuard uncovered the email today.
Tips from AMEX on spotting a phishing scam
According to AMEX, fake emails can often be identified in these ways:
- The sender’s email address is different from the real organisation’s website address.
- The email is sent from a completely different address or a free webmail address.
- The email does not use your proper name, but uses a non-specific greeting such as “Dear customer”.
- They want you to act urgently – ie that unless you do something right away, your account may be closed or suspended.
- The email contains a request for personal information such as username, password or bank details.
For a few dollars per staff member per month, add MailGuard's cloud-based email and web filtering solution to your business security. You’ll significantly reduce the risk of new variants of malicious email from entering your network.
Need to know more?
Interested in discussing your company’s security? Contact one of MailGuard’s cybersecurity experts: expert@mailguard.com.au.
For media inquiries, or to interview a cybersecurity expert, contact Jaclyn McRae: jaclynm@mailguard.com.au.
Keep up to date on the latest email scams by subscribing to MailGuard’s weekly update or follow us on social media.
