Amex Chase Users Targeted In New, Clever Phishing Campaign – Email Security Expert Commentary

A new phishing campaign involves scammers sending fake Chase and Amex fraud protection emails asking users if the listed card transactions are valid. Victims who click the “no” button in the message to dispute the transactions will be redirected to a fake yet legitimate-looking Chase or American Express login site where they will go through a fake verification process that invites them to enter their username, password, birth date, social security number, as well as their bank and credit card information.

Expert Comments

February 13, 2020
Peter Goldstein
CTO and Co-founder
Valimail
The latest scam targeting Chase and American Express customers demonstrates how effective impersonation techniques can be in phishing attacks. In fact, 83 percent of phishing emails are brand or company impersonations. Playing on Chase and Amex users’ fears of someone abusing their credit card information, victims are more inclined to fall for the bait and input their highly sensitive information in a fake verification process. Doing so would allow cybercriminals to commit identity theft on the victims or sell their information in dark-web marketplaces. As threat actors become more adept at crafting emails that are indistinguishable from legitimate ones, we must focus on validating and authenticating sender identity. With email, this can be accomplished by properly enforcing DMARC, a widely-accepted open standard that ensures only authorized senders can use your domain in the From: field of their email messages.