Standard phishing attack targets American Express customers.
PandaLabs, the research arm of Panda Security, is warning users about a new phishing scam that attempts to trick people into giving up their American Express online credentials.
It’s a standard phishing attack. The phony email warns that American Express’ records are incomplete and asks the email recipient to complete the information. Of course, the victim will have to log in to do that, and the phishers have provided a convenient phony login tool.
PandaLabs’ Sean-Paul Correll:
This type of phishing campaign is the oldest trick in the book, but you can easily avoid it by knowing that financial institutions will never ask you to divulge your personal information.
While this is the standard run-of-the-mill phishing campaign, nearly every security vendor is warning about a rise in phishing attacks moving to social networks, including Facebook, Twitter and others. Most of the increase can be attributed to link-shortening services, which make it easy for the bad guys to disguise a nefarious URL. There are tools available (browser add-ons) from nearly all the browser makers that allow you to check out a URL before clicking on it. The trust factor on social networks is high too, giving cybercriminals more of an incentive to move their phishing attempts there.
As for the American Express phishing attack, I suggest you don’t trust any email messages you receive from your bank. A couple of years ago I interviewed the CISO of ING and he said that banks probably shouldn’t be sending messages containing links. But if a security professional tries to get that message across to the bank’s sales/marketing staff, they come up against a wall. Email is still a valuable tool for financial firms. They’re a business, so there’s no doubt you will get email messages from some banks. Ignore them or, at the very least, type in the bank’s URL manually, rather than clicking the link contained in the message. Safety first!