We know this horror story: A trusted character is not who (or what) others think he is. Typically, movie audiences get to see the creature's eyes glow or go all black when the onscreen victim isn't looking. Devils behind a recent phishing scam that targeted American Express accounts, however, were fiendishly clever about hiding their tell-tale signs of evil.
Just last month, many Amex customers received a phishing email that had both the correct branding and the familiar format of American Express. A very well-written message asked recipients to create a "Personal Safe Key" as part of a new security measure. Customers were instructed to follow a link to a phony Amex log-in screen with the URL of amexcloudcervice dot com. (Go back. Can you spot the spelling error in the web address? BY THE WAY, DO NOT ACCESS THAT LINK!!) The scamming process then required the Amex account holder to enter such information as credit card numbers, card expiration dates, four-digit CVV codes, Social Security numbers, birth dates, mothers' maiden names, mothers' birth dates, and email addresses.
Bear in mind, web pages that the scammers created to accept victims' personal information meticulously mimicked an official American Express website. IT security professionals (let's call them the Van Helsings of the cyber world) can usually spot a phishing scam, but the average person doesn't readily have such skills. If we aren't careful, are distracted, or are in a hurry, we too might be easily tricked into compromising sensitive information.
Here are a few precautions that should serve you well:
- Automatically be very suspicious of emails involving your personal or financial information.
- Pay special attention to the sender's email address and to the domain (the part ending in .com/.net/etc.). If the domain name looks too long or is misspelled, STOP.
- Carefully examine the URL links within the email to see if the name closest to the .com/.net/etc. is what you would expect.
- NEVER follow a link to check out a questionable site. Locate the organization's official website via a PROVEN search engine and see what you can find out. Or contact the real company by phone.
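
The domain checks in the list above can be automated for links pulled out of an email body. This Python code is an added example, not part of the original article; the expected domain, the brand words, the 0.8 similarity threshold, and every sample link except the amexcloudcervice domain are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumptions: the domain this sender is expected to use, and brand words to watch for.
EXPECTED = {"americanexpress.com"}
BRAND_TOKENS = ("amex", "americanexpress")

def registrable_domain(url):
    """Return the name closest to the TLD plus the TLD, e.g. 'example.com'.
    Simplification: keeps the last two labels; suffixes such as .co.uk
    need the Public Suffix List."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def check_link(url):
    host = (urlsplit(url).hostname or "").lower()
    dom = registrable_domain(url)
    if dom in EXPECTED:
        return "expected"
    # A brand word anywhere in the host, but the wrong registrable domain.
    if any(tok in host for tok in BRAND_TOKENS):
        return "brand-in-unexpected-domain"
    # No brand word, but the spelling is within a character or two of the real one.
    if max(SequenceMatcher(None, dom, e).ratio() for e in EXPECTED) >= 0.8:
        return "near-miss-spelling"
    return "unlisted"

def audit_email(html):
    """Map every href in an HTML email body to its registrable domain and verdict."""
    urls = re.findall(r'href=["\']([^"\']+)["\']', html, flags=re.I)
    return {u: (registrable_domain(u), check_link(u)) for u in urls}

# Constructed sample body; only the amexcloudcervice domain comes from the article.
SAMPLE = """
<a href="https://www.americanexpress.com/account">My account</a>
<a href="https://amexcloudcervice.com/login">Create your Personal Safe Key</a>
<a href="https://americanexpress.com.secure-login.example/verify">Verify</a>
<a href="https://americanexpres.com/help">Help</a>
<a href="https://newsletter.example.org/unsubscribe">Unsubscribe</a>
"""

if __name__ == "__main__":
    for url, (dom, verdict) in audit_email(SAMPLE).items():
        print(f"{verdict:28} {dom:24} {url}")
```

The third sample link shows why the name closest to the top-level domain is the one that counts: the real brand's domain appears at the front of the host name, but the site actually belongs to `secure-login.example`.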
Scammers are getting better at their craft all the time. As the saying goes, "Trust, but verify," and trust is optional.