Amex users hit with phishing email offering anti-phishing protection

American Express users are being actively targeted with phishing emails impersonating the company and advising users to create an “American Express Personal Safe Key” to improve the security of their accounts.

amex phishing

Users who fall for the scheme are directed to a bogus Amex login page (at ). Once they enter their user ID and password, they are taken to a bogus page that ostensibly leads them trough the SafeKey setup process.

The victims are asked to input their Social Security number, date of birth, mother’s maiden name, mother’s date of birth, their email address, the Amex card info and identification number, and the card’s expiration date and 3-digit code on the back of the card.

Credible design of the phishing site

The victims will be taken through the setup process even if they enter incorrect login credentials. And, after they finish entering all the information asked of them, they are redirected to the legitimate Amex website, making them believe they were using it the whole time.

“SafeKey isn’t new, it’s Amex’s name for 3-D Secure technology, which is an XML-based added layer of security for payment cards designed to reduce online fraud. What’s clever about the scam is that it plays upon deep-seated identity theft concerns to actually perpetrate large scale identity theft,” Comodo explained.

“Another notable aspect is the amount of care and design that the hackers employed to make it look, feel and seem as legitimate as possible, starting with logos, fonts and color schemes, and going deep into URL addresses, etc. In this way, the scam is representative of a trend towards increasingly realistic, well-designed, highly sophisticated and deeply-researched schemes that are harder and harder to spot with the naked eye.”

This isn’t the first time that scammers have been sending out similar emails and set up similar sites. Phishing campaigns using the same lure have been spotted in 2014 and earlier this year.

“All that’s needed is a few tweaks and a small investment in a new domain name,” the company points out. “In other words, the hard work has already been done in the painstaking design and implementation of the scam. And it doesn’t cost the hackers much to power up the scam again and grab a few thousand more unwitting new victims.”

Don't miss