Microsoft Warns of Amex Phishing Email

American Express Phishing Email Attempts to Hack Amex Credit Card Accounts

Microsoft’s Office 365 Threat Research team uncovered an active American Express (Amex) email phishing campaign that emerged over the weekend. The Amex phishing campaign is especially dangerous because it prompts the recipient for credit card numbers, account logins, and the answers to common password reset questions.

The new American Express phishing emails use a generic subject line that reads, “Notice Concerning your Card Member Account.” The email prompts the recipient for personal information and credit card details. Oddly, it also asks the recipient for their email address and email password.

The body of the email [Figure 1] addresses the recipient as “Hello Primary Card Member,” a greeting the real American Express never uses in its email communications. The body contains images that the email client did not display for security reasons. The text claims that the Amex cardholder’s profile needs to be verified and instructs them to download the email attachment and answer some questions.

American Express Phishing Email

Figure 1 Image credit: Windows Defender Security Intelligence Twitter

The attachment page [Figure 2] asks the recipient to enter extensive details about their Amex credit card as well as other personal information: the account holder’s Amex web login and password, credit card number, security code, and expiration date. It also prompts the recipient for their mother’s birthdate and maiden name and the recipient’s place of birth. These are common password reset questions, and a request for them is a strong clue that this is indeed a phishing email.

American Express Phishing Email Attachment

Figure 2 Image credit: Windows Defender Security Intelligence Twitter

According to Microsoft, email phishing attempts increased by 250% in 2018. From January 2018 to September 2018, Office 365 saw over 300,000 phishing emails and over eight million attempts to compromise business email accounts. A worrisome 20% of recipients clicked on the email within the first five minutes.

Earlier this year I wrote about how to spot another American Express themed phishing email. In that attempt the emails were a little more polished, but still obvious fakes. The way to tell a real email from a phishing email remains the same. Take a hard look at the sender’s actual email address, not the friendly name (display name), which is trivial to spoof. Bear in mind that the address itself can also be forged when the sending domain does not enforce SPF, DKIM and DMARC, so a plausible address alone is not proof. Look for misspellings in the email body; a professional company will not send out an email with spelling and grammatical errors. Email content that is threatening is most likely phishing or spam. If you owe someone money, the creditor will likely use postal mail to send you a notice.

Ways to Spot a Fake Email

Amex Phishing Emails – What Should You Do?

  1. When in doubt call American Express and ask if this is their email
  2. Do not click on any links in the email
  3. Never download any attachments from suspicious emails
  4. Do not reply to the email
  5. Mark the email as SPAM so it moves to your junk folder, then delete it permanently
  6. Be skeptical about messages asking for sensitive information including passwords, credit card numbers, birthdate, or answers to common password reset questions
  7. Report any American Express spam emails to Amex’s spoof reporting email

Most importantly, think about the contents of the email. Does it make sense that your credit card issuer is asking you for the card number and expiration date? No. They already know this information. The only time a credit card company prompts for this is when they issue a new card and you need to activate it.

If you are web savvy, set your email client (in this case Outlook) not to download images from untrusted senders. The images in a phishing email often are not embedded in the message at all; the HTML merely references them by URL on a server the attacker controls. When the email client renders the message it fetches those images, and that request tells the attacker the message reached an active, monitored mailbox, even if the recipient never clicks a link. Often the image is a single transparent pixel, so there is nothing to see. No other action by the recipient is necessary. No harm is done except that the attacker now knows the email address is live, and they will continue to target it.
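The two tell-tales described above, the mismatch between a friendly sender name and the real address, and the remote images that act as read receipts, can both be checked mechanically. The following Python script is an added example written for this post; it is not code from Microsoft, American Express, or the original article. The two sample messages are constructed for illustration (the phishing domains in them are hypothetical), and the list of domains Amex legitimately sends from is an assumption that a real filter would take from its own allow-list.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages for illustration only. They are not the real
# Amex phishing email from the article; the sender domains are hypothetical.
PHISH_EML = """\
From: "American Express" <alerts@amex-cardmember-notice.example>
To: victim@example.com
Subject: Notice Concerning your Card Member Account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello Primary Card Member,</p>
<img src="https://tracker.example/open.gif?id=12345" width="1" height="1">
<p>Please download the attachment and verify your profile.</p>
</body></html>
"""

LEGIT_EML = """\
From: "American Express" <donotreply@americanexpress.com>
To: victim@example.com
Subject: Your statement is ready
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="cid:logo@local">
<p>Hello John Doe, your statement is available online.</p>
</body></html>
"""

# Domains the brand actually sends from. Assumed for this example; a real
# filter would take this from the organisation's allow-list.
EXPECTED_DOMAINS = ("americanexpress.com",)


class _ImgSrcCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def check_sender(msg, expected_domains=EXPECTED_DOMAINS):
    """Split From: into display name and real address; flag a domain mismatch.

    The display name is free text and trivial to spoof, so only the domain of
    the angle-bracket address is compared against the expected list.
    """
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    trusted = any(domain == d or domain.endswith("." + d) for d in expected_domains)
    return name, addr, not trusted


def remote_images(msg):
    """Return image URLs that a rendering client would fetch over the network.

    http(s) sources are the tracking beacons discussed above; cid: and data:
    sources travel inside the message and reveal nothing when displayed.
    """
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _ImgSrcCollector()
    collector.feed(body.get_content())
    return [src for src in collector.srcs
            if urlparse(src).scheme.lower() in ("http", "https")]


def analyze(raw):
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr, suspicious = check_sender(msg)
    return {
        "display_name": name,
        "address": addr,
        "sender_suspicious": suspicious,
        "remote_images": remote_images(msg),
    }


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EML), ("legit", LEGIT_EML)):
        print(label, analyze(raw))
```

Run it against a saved `.eml` by reading the file into `analyze()`. The phishing sample is flagged on both counts: the display name says “American Express” while the address is on an unrelated domain, and the only image is an `https://` beacon. The legitimate sample passes because its address is on the expected domain and its logo is an inline `cid:` part that never leaves the message. Passing the sender check only means the address was not obviously wrong; as noted above, an address can still be forged if the domain has no SPF, DKIM or DMARC enforcement, so treat a match as a weak signal and a mismatch as a strong one.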