A new phishing campaign involves scammers sending fake Chase and Amex fraud-protection emails asking recipients whether the listed card transactions are valid. Victims who click the “no” button in the message to dispute the transactions are redirected to a fake but legitimate-looking Chase or American Express login site, where they go through a bogus verification process that invites them to enter their username, password, birth date and Social Security number, as well as their bank and credit card information.
The latest scam targeting Chase and American Express customers demonstrates how effective impersonation techniques can be in phishing attacks. In fact, 83 percent of phishing emails are brand or company impersonations. Because the lure plays on Chase and Amex users’ fear that someone is abusing their credit card, victims are more inclined to take the bait and enter their highly sensitive information into the fake verification process. Doing so allows cybercriminals to commit identity theft against the victims or sell their information in dark-web marketplaces.
As threat actors become more adept at crafting emails that are indistinguishable from legitimate ones, we must focus on validating and authenticating sender identity. With email, this can be accomplished by properly enforcing DMARC, a widely accepted open standard that ensures only authorized senders can use your domain in the From: field of their email messages.
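To make "properly enforcing DMARC" concrete, here is an added example (it is not code from the article or from Chase, Amex or any DMARC vendor) of the decision a receiving mail server makes: it parses a DMARC TXT record, checks whether the domain authenticated by SPF or DKIM aligns with the domain shown in the From: header, and applies the published policy when neither aligns. The domains (`example-bank.test`, `evil-sender.test`), the two records and the authentication results are constructed samples, and the organizational-domain lookup is simplified to the last two labels rather than the Public Suffix List a real receiver would use.

```python
"""
Added example (not from the original article): a minimal DMARC policy
evaluator. It parses a DMARC TXT record as published at _dmarc.<domain>,
checks identifier alignment between the From: header domain and the
domains authenticated by SPF and DKIM, and reports the disposition the
receiver would apply. All domains and records below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s; ...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("DMARC record needs p=none|quarantine|reject")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified here to the last two labels
    (assumption; real receivers consult the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') requires an exact match,
    relaxed ('r') only the same organizational domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


@dataclass
class AuthResult:
    spf_pass: bool
    spf_domain: str     # domain taken from MAIL FROM (return-path)
    dkim_pass: bool
    dkim_domain: str    # d= tag of the DKIM signature that verified


def evaluate(record: str, from_domain: str, res: AuthResult) -> tuple[bool, str]:
    """Return (dmarc_pass, disposition). DMARC passes when SPF or DKIM
    both passed and is aligned with the From: header domain; otherwise
    the published p= tag decides what the receiver does."""
    pol = parse_dmarc(record)
    spf_ok = res.spf_pass and aligned(from_domain, res.spf_domain, pol["aspf"])
    dkim_ok = res.dkim_pass and aligned(from_domain, res.dkim_domain, pol["adkim"])
    if spf_ok or dkim_ok:
        return True, "deliver"
    actions = {"none": "deliver (monitor only)",
               "quarantine": "quarantine",
               "reject": "reject"}
    return False, actions[pol["p"]]


# Constructed sample records: monitoring-only versus enforced.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-bank.test"
STRICT_RECORD = ("v=DMARC1; p=reject; adkim=s; aspf=s; "
                 "rua=mailto:dmarc-reports@example-bank.test")

# A spoof: From: alerts@example-bank.test, but SPF and DKIM only vouch
# for the sender's own infrastructure, so nothing aligns.
SPOOFED = AuthResult(True, "evil-sender.test", True, "evil-sender.test")
# A genuine alert: authenticated identifiers match the From: domain.
LEGIT = AuthResult(True, "example-bank.test", True, "example-bank.test")

if __name__ == "__main__":
    for label, rec in (("p=none", WEAK_RECORD), ("p=reject", STRICT_RECORD)):
        print(label, "spoofed ->", evaluate(rec, "example-bank.test", SPOOFED))
        print(label, "legit   ->", evaluate(rec, "example-bank.test", LEGIT))
```

The point the example makes is that a record with `p=none` still lets the spoofed fraud alert through; it only generates aggregate reports. Only `p=quarantine` or `p=reject` turns DMARC into enforcement, and `adkim=s; aspf=s` closes the gap where a subdomain the organization does not control would otherwise align in relaxed mode.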