14 DAY TRIAL // Fraudulent emails carrying links to credential-harvesting websites have been spotted recently to target American Express customers.
The message is well-crafted and has a good chance of tricking unsuspecting recipients into following the URL and disclosing sensitive information about their banking account.
Bait looks good enough to trick some people
The lure is quite simple, but efficient, as it masquerades as a notification about a recent transaction that raised suspicions to the financial institution regarding the legitimacy of the activity.
To protect the customer, the “bank representative” says that the new charges may be declined and urges the recipient to log into their account through a provided link.
“If applicable, you should advise any Additional Card Member(s) on your account that their new charges may also be declined,” the email continues.
Following the URL leads the potential victim to a phishing website that asks them to authenticate into the American Express account by providing credentials, as well as financial and personal information, Online Threat Alerts says.
Request for too much info is suspicious
Users should be aware that if suspicious activity is detected on their account, banks would never ask for sensitive data to be delivered by inputting it in an online form.
In the most fortunate cases, cybercriminals unintentionally leave hints in the fraudulent message, which often consist in spelling mistakes and grammar errors. However, this one is crafted in a way that it looks borderline genuine.
On the other hand, the simple fact that the customer is not addressed by name, a piece of information that banks have, should ring the alarm bells.
Furthermore, the sheer amount of details requested by these so-called account verification activities should make anyone think twice before providing it.
The card number, CVV (card verification code) and the expiration date of the card are enough for making online purchases, so forms asking for this data are not to be trusted and users should steer away as soon as possible.
If additional details are demanded (anything personal ranging from date of birth to security questions and social security number), then the scam attempt is evident.
On the same note, checking the link for any association with the financial entity the message claims to come from is a good way to spot the scam.