Payment Received says AMEX phishing email
Phishing emails get recycled. We have observed this phenomenon three times this week. A recycled phishing email usually has “enhancements” making it more realistic. The enhancements can mean extra logos, branding or links. In the case of today’s American Express (AMEX) phishing email, it is all three. A phishing email first noted on 31/3/2015 has re-appeared, but with more branding and links. The text of the email is (apart from minor differences) unchanged.
Figure A shows the original email from 31/3/2015.
Figure B is the latest version. Figure B looks on first glance the more realistic of the two. The subject line used is “Unusual Activity in your American Express”. The sender of the email is unusual. It is listed as “docs2”. No attempt made to disguise the sender of the email. There are twelve links in the email. Six are to a malicious site; the remaining link back to American Express. Compare that to the original phishing email, which had two links. Both the links in the original email were to a malicious site.
A significant amount of branding is present in the email. Social media links are positioned down on the bottom right of the email. The look and feel of the email mirrors typical corporate emails. The use of several genuine links adds to the realism.
The heading is out of context; it reads “Payment received”. Yet the email talks about irregular activity on the user’s account. The email uses a different date to the original, and does not specify a time (the original did).
Whilst it is a convincing copy, the email is still a fake. The greeting used is “Hello Customer”. American Express does not use a generic greeting. They use the name of the account holder. Six of the twelve links lead to a phishing site. This phishing site steals user account credentials.
Although this email is more convincing than the somewhat untidy original, it is still a fake.