American Express ‘Personal Security Key’ Phishing Scam

Outline:
American Express SafeKey email instructs you to visit a website and create a Personal Security Key as a means of  increasing account security and providing an additional layer of fraud protection.




Brief Analysis:
The email is not from American Express. Links in the email open a fraudulent website designed to emulate a genuine American Express web page. The fake website asks you to provide account login details, credit card numbers, and other personal information. The criminals behind the scam can use the stolen data to hijack your account, commit credit card fraud, and steal your identity. If this message comes your way, do not click on any links or open any attachments that it contains.

Example:
American Express SafeKey is an authentication service that provides an additional layer of fraud protection. This service is part of our continuous efforts to increase account security.Please create your Personal Security Key

As a Card Member you are enrolled in American Express SafeKey, so you just need to take one additional step to benefit from this security feature.

Verify Your Account Information

The security of your personal information is of the utmost importance to American Express, please click here to create your Personal Safe Key.

Secure Your Account

American Express uses 128-bit Secure Sockets Layer (SSL) technology, this means that when you are on our secured website the data transferred between American Express and you is encrypted and cannot be viewed by any other party.

American Express SafeKey Phishing Scam





Detailed Analysis:
According to this email, which purports to be from American Express, you can increase your account security by creating a Personal Security Key via the company’s SafeKey authentication service. The message invites you to click a link to create your Personal Security Key and thereby take advantage of the American Express SafeKey system. The email is professionally presented and includes graphics and formatting that you might expect to see in a genuine credit card provider email.

At first glance, the message may seem like a legitimate American Express notification, especially since it supposedly provides information to help customers protect themselves from fraud. American Express does offer customers SafeKey and Personal Security Key systems as part of its authentication measures.

However, this email is not from American Express. Ironically, considering its content, the email is itself a scam designed to defraud customers. Clicking any of the links in the fake message will take you to a bogus website that asks for your account login credentials, your credit card numbers, and a large amount of other personally identifying information.  Like the email itself, the bogus website looks professional and has been built so that it closely emulates a genuine American Express page.

The information provided on the fake website can be collected by scammers and used to hijack your AmEx account and commit credit card fraud and identity theft.

Phishing scammers continually target American Express and other credit card providers. As such scams go, this is a quite sophisticated attempt. Because of the way it is presented, the scam may catch out even more experienced users.

American Express will never send customers unsolicited emails that request them to provide their card details or other sensitive personal information by clicking a link.

The American Express website includes information about phishing and how to report scam emails.




Last updated: November 23, 2016
First published: February 26, 2014
By Brett M. Christensen
About Hoax-Slayer

References
Phishing Scams – Anti-Phishing Information
American Express ‘Unusual Activity’ Phishing Scam
Visa – Mastercard ‘Security Incident’ Phishing Scam
American Express – Identity Theft