
American Express 'Personal Security Key' Phishing Scam

Outline
Email claiming to be from American Express instructs recipients to visit a website and create a Personal Security Key (PSK) as an account authentication measure.

Brief Analysis
The email is not from American Express. Links in the email open a fraudulent website designed to emulate a genuine American Express webpage. The fake website asks users to provide credit card details and other information. The criminals behind the scam will use the stolen data to commit credit card fraud and hijack online accounts. If this message comes your way, do not click on any links or open any attachments that it contains.


Example

Important: Personal Key
Please create your Personal Security Key. Personal Security Key (PSK) is one of several authentication measures we utilize to ensure we are conducting business with you, and only you, when you contact us for assistance.
American Express uses 128-bit Secure Sockets Layer (SSL) technology. This means that when you are on our secured website the data transferred between American Express and you is encrypted and cannot be viewed by any other party. The security of your personal information is of the utmost importance to American Express, please click here or visit our website at [removed] to create your PSK (Personal Security Key).
Note: You will be redirected to a secure encrypted website.
Thank you,
American Express

Your Card Member information is included in the upper-right corner to help you recognize this as a customer service e-mail from American Express. To learn more about e-mail security or report a suspicious e-mail, please visit us at americanexpress.com/phishing. We kindly ask you not to reply to this e-mail but instead contact us via customer service.




Detailed Analysis
According to this email, which purports to be from American Express, users can increase their account security by having a Personal Security Key (PSK). The message invites recipients to click a link to create their PSK. The email is professionally presented and includes seemingly legitimate subscription and copyright information.


At first glance, the message may seem like a genuine American Express notification, especially since it supposedly provides information to help customers protect themselves from fraud. American Express does offer customers a PSK system as one of several authentication measures.

However, this email is not from American Express. Ironically, considering its content, the email is itself a scam designed to defraud customers. Clicking any of the links in the fake message will take users to a bogus website that asks for their credit card information. Like the email itself, the bogus website looks professional and has been built so that it closely emulates a genuine American Express page.

The information provided on the fake website can be collected by scammers and used to commit credit card fraud and identity theft.

The website used in this particular attack has already been taken down. However, scammers are likely to create new scam sites and send out more of the scam emails. Phishing scammers continually target American Express and other credit card providers. As such scams go, this is quite a sophisticated attempt. Because of the way it is presented, the scam may catch out even more experienced users.

American Express will never send customers unsolicited emails that ask them to provide their card details or other sensitive personal information by clicking a link.

The American Express website includes information about phishing and how to report scam emails.


Last updated: February 26, 2014
First published: February 26, 2014
By Brett M. Christensen


© Brett M.Christensen, 2014. All Rights Reserved.

