A Reminder To Be Careful About Phishing Scams & What To Look For

Reader Mike sent me a note saying that he had received a convincing-looking phishing e-mail, so I thought it was worth a reminder to be careful of these types of scams. The scam he received was an e-mail pretending to offer 150,000 points on a Hilton American Express card. The scammers used the same subject line that American Express usually uses for this type of offer, and the same creatives.

The key differences/things to look for are:

  • Sender e-mail: in this case it was not from American Express but from a junk e-mail address (e.g. sdfsdfsd@randomdomain.com). The sender address can be spoofed, so this isn’t foolproof.
  • The e-mail was entirely pictures rather than pictures and text. Scammers often do this to try to avoid tripping automated spam filters.
  • The link didn’t go to an American Express domain name. When you apply for an American Express card, make sure the domain name is americanexpress.com. In this instance it redirected you to the scammers’ domain so they could collect all your sensitive information. In Google Chrome, next to the URL, the browser also shows whether a site is secure and who it’s registered to. For American Express it shows a secure connection registered to American Express; the phishers’ domain showed as not secure.
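As an added example (not code from the post), here is a small Python script that applies the three checks above to a raw e-mail using only the standard library: it compares the real sender address (not the display name) against an allowlist, measures whether the HTML body is all images and no text, and verifies that every link stays on the brand's domain. The two sample messages, the sender allowlist and the 20-character text threshold are constructed for the example.

```python
"""Apply the three checks above to a raw e-mail message.
Added example for this page; the sample messages, the sender allowlist and
the image-only threshold are constructed, not taken from the post."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND_DOMAIN = "americanexpress.com"
# Hypothetical sender allowlist for the example.
EXPECTED_SENDER_DOMAINS = {"americanexpress.com", "welcome.americanexpress.com"}

# Constructed phishing sample: real-looking subject and display name, junk
# sender address, image-only body, links to the scammers' domain.
PHISHING_EMAIL = b"""From: "American Express" <sdfsdfsd@randomdomain.com>
To: reader@example.com
Subject: Earn 150,000 Hilton Honors Bonus Points
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<a href="http://offer.randomdomain.com/apply"><img src="http://offer.randomdomain.com/hero.png"></a>
<a href="http://offer.randomdomain.com/apply"><img src="http://offer.randomdomain.com/cta.png"></a>
</body></html>
"""

# Constructed legitimate sample for comparison.
LEGIT_EMAIL = b"""From: "American Express" <offers@welcome.americanexpress.com>
To: reader@example.com
Subject: Earn 150,000 Hilton Honors Bonus Points
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<img src="https://www.americanexpress.com/hero.png">
<p>Apply for the Hilton Honors American Express Card and earn 150,000 Hilton Honors Bonus Points
after you spend the required amount in purchases in the first months of Card Membership.</p>
<a href="https://www.americanexpress.com/us/credit-cards/">Apply now</a>
</body></html>
"""


class _BodyStats(HTMLParser):
    """Count visible text, images and link targets in an HTML body."""

    def __init__(self):
        super().__init__()
        self.text_chars = 0
        self.images = 0
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img":
            self.images += 1
        elif tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])

    def handle_data(self, data):
        self.text_chars += len(data.strip())


def on_brand_domain(host, brand=BRAND_DOMAIN):
    """True only when host is the brand domain itself or a subdomain of it."""
    return host == brand or host.endswith("." + brand)


def triage(raw):
    """Return a list of findings; an empty list means none of the three signs fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Sender address: compare the real address, not the display name.
    #    Headers can be forged, so a clean result here proves nothing.
    display_name, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain not in EXPECTED_SENDER_DOMAINS:
        findings.append(f"sender {addr} (shown as {display_name!r}) is not an expected sender")

    # 2. Image-only body: images present but almost no visible text.
    part = msg.get_body(preferencelist=("html",))
    stats = _BodyStats()
    stats.feed(part.get_content() if part else "")
    if stats.images and stats.text_chars < 20:   # threshold chosen for the example
        findings.append(f"image-only body: {stats.images} images, {stats.text_chars} text characters")

    # 3. Links: every target must stay on the brand's own domain.
    for href in dict.fromkeys(stats.hrefs):      # de-duplicate, keep order
        host = (urlparse(href).hostname or "").lower()
        if not on_brand_domain(host):
            findings.append(f"link leaves {BRAND_DOMAIN}: {href}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_EMAIL), ("legitimate", LEGIT_EMAIL)):
        print(label, triage(sample) or ["no findings"])
```

Run it as a script and the phishing sample produces three findings (unexpected sender, image-only body, off-brand link) while the legitimate sample produces none. The sender check is deliberately the weakest of the three: as the post notes, the From header can be spoofed, so the script treats it as one signal among several rather than a verdict.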

These scams aren’t limited to American Express; scammers will try this with any well-known brand. If an offer is too good to be true, it usually is. In this case they actually made the offer the same as the standard increased bonus, which made it more believable. Before entering any sensitive or private information, make sure you’re entering it where you intend to and aren’t being scammed.

I’m sure readers also have some good tips on what to look for. Share them in the comments below.

Comments (41)

  • damn, i get daily emails from "apple", but damn, that's a low blow for a churner. They prey on our emotions.

  • Phishing and targeted fraud is prolific these days. Witnessed an IT security situation at a customer that shall not be named where a key person was phished and handed over their company username/password. Attacker took over their email remotely, realized they were in accounts payable, and very quietly engaged in a covert campaign of emailing their customer contacts with outstanding balances, redirecting them to wire money to an account under their control. They covered their tracks and got away with it before anyone realized it happened. 300k gone. There are tens of thousands of foreign “whale hunters” that do nothing but search for big marks they can retire on and some are very clever. Being hyper cautious and aware is key. Use strong passwords and mix them up for heavens sake so someone can’t take over your entire online presence with the breach of an ecommerce site.

  • unfortunately, this post will mean little to anyone. habits like online security hygiene are almost impossible to change unless you're committed. it's no different than going to the gym or quitting your netflix addiction. those who care, already care and those who don't, continue to get compromised. it's really that simple. same thing with "the rich gets richer and the poor gets poorer".

    people in this game are the most vulnerable. there's a difference between preventative and detective measures. both are critical, but prevention through awareness is the most key. unfortunately, this requires you to actually study attack vectors and be genuinely interested in cyber security. social engineering like phone porting doesn't care about your lastpass or your review of email links to russian domains.

    government and secured servers can be hacked. so what makes you think you will be OK? the only thing you can do is to not become a target through passive mass hack attacks which is what everybody is exposed to (e.g. emails, links, websites). everyone in this digital age should have some basic knowledge of cyber security.

  • I once received a junk email, and when I clicked unsubscribe it took me to a page asking me to fill out a lot of private details in order to unsubscribe. Lol.

    • If it's a junk email you didn't subscribe to--even if it looks like it's from a very legit company--I'd highly recommend not selecting the unsubscribe option, but instead marking it as junk. In many cases scammers add that on, so that they can get you to verify that it's a valid address and you're responding. It's similar to picking up the phone on a scam caller. The legit callers avoid you because you're on a do-not-call list; the ones who still call are already breaking the law - they are just thrilled to know a live person picked up the phone ---- BINGO!

  • I can't buy the advice to "be careful", or any thought of, "look for ____", to determine what's safe and what's not. You just can't, or shouldn't even try to waste your time trying. Or, at least know what you are up against, to stay safe.
    After decades of managing email for many users and myself as well, there is just no way you can reliably "look at" or "inspect" any email and declare it safe. Here are some examples of why I disagree with the advice (even though these are great strategies to start learning what has been used in the past):

    Poor advice: "Inspect the return address to make sure it is safe".
    Don't buy it because: The worst scams come from infecting the email of your friends and relatives, which then proceed to send you, and everyone in their address book, scam emails. Did it come from "your cousin's official email"?? Yes. Is it safe? Absolutely not.

    Poor advice: "See if the email only appears to be text, and is in fact, pictures of the text",
    Don't buy it because: If the email is well crafted, they won't do anything that is obvious. The best scams are going to be exact copies of real original emails, only modified with perhaps one or two links that are only slightly altered--with devastating results. If you are great at inspecting and detecting scams like this, then become a forensics expert. (You already are an expert, if with hard work, you can reliably detect what's safe or not, and where the dangers lie.)

    Poor advice: "Inspect the links to see if they go to the proper company's domain".
    Don't buy it because:
    1. If there are 50 links and there's only one link that you would likely click, they will only change that one link. You'd have to study each email to see which link[s] are evil.
    2. It is easy to totally obscure the true links in HTML, and you still can't tell where the evil link lies, without tearing apart the HTML of the email.
    3. Legit companies use a ton of alternate domains, all of which are not evil or a problem at all, so you can't really use the "good links method", because these often look bogus as well, when they are in fact, safe.
    4. If you go to your banking site, and your PC or your internet connection at a public internet connection is controlled by the bad guys, you can never be sure you are connected to the correct site.

    -- > Try this: Click on http://Citbank.com and you can see that you are safely on the banking site. The URL domain changed, but this will be true and legit on most all banking websites, and the GREEN in your browser indicates you are on "the official site" for that URL. Proceed to put your login info into the page. BAM!! I now have your login name and PW for Citibank!!!!

    -- > OK, you are just too sharp, since you frequently go to CitiBank's website, and you did notice that instead of Citibank, you happened to be on (a legitimate) CITbank banking website instead. However, if I was trying to trap you, why wouldn't I make my fake banking site look IDENTICAL to the real CitiBank website? As the bad guy, I probably would do exactly this.

    -- > OK, you ARE much more careful to get fooled this way. You DO click on, or go to the known good website link, from a bookmark, search, or some other great source, or you just type it in, you are infinitely careful, and never make a mistake. You type: C I T I B A N K . C O M. You see your familiar website, and log in. Except, your DNS was POISONED, so instead of being on the real Citibank website, your PC, or your ISP, looked up the domain for "CitiBank.com", and it sent you to a different IP address and server--and a totally bogus website that looked identical to Citibank, but wasn't.

    So, what are you supposed to do to protect yourself?? Let's face it. It really IS a jungle out there. And if they can eat you alive, they will. The best advice is to become a lifelong amateur student of security, and you will be safer than most everyone else.

    The advice given in the article was good, but only if you are willing to spend (IMO) way too much time becoming an expert at detecting scams. My goal here is to just alert you to just how hard it is to be safe, and not adopt a false sense of security. Although I plan to write more on techniques to stay safe, it won't be a short article, and the advice will continue to evolve.

    (In the past, my company has produced forensics software and other storage software used by millions of users for the past three decades. One of our current projects, http://DontBuy.ORG is designed to save users' time, money and frustrations, in coping with the faster and greater changes we all face on a daily basis.)

    • Gotta appreciate the dedication to marketing your own brand: You started your comment with "I can't buy" and ended it with a link to your "Don't Buy" site. *chef's kiss*

    • Yes you make great points. The scammers get more advanced as the possible payoff increases. They will compromise your friend/relative/coworkers email and then attempt to coerce you out of funds using their legitimate accounts. You can only trust as far as your weakest link.

  • I've seen even crazier phishing emails, in which scammers actually spoofed their email address into the legit email from the bank, but the hyperlinks in the email linked to an Indian domain.

  • Some other notes:

    1. The domain names can be sneaky. Addresses start with https:// (or http:// but these days http:// is a sign that it's not a professional site) and then there are some words separated by periods, then there's another / and the part between https:// and the very next / is the part that matters. For amex, you want to see ".americanexpress.com/" as in dot-americanexpress-dot-com-slash, at the end of that section. "americanexpress.something.com" is not amex, "something.com/americanexpress.com" is not amex, "something-americanexpress.com" is not amex. (there are exceptions, companies sometimes use other addresses for marketing/branding, like amextravel.com, but if you're not sure it's best to be suspicious)

    2. You'd rather avoid even clicking on scam site links, so on desktop, hover your mouse over a link and look at the address that pops up at the bottom of your browser window. That's the actual address the link goes to. They can have blue underlined text that says americanexpress.com but takes you to a website that is totalscam.com. I'm not sure there's a way to avoid that on mobile.

    3. If you are suspicious at all, do some research or check with the company separately. If you put "amextravel.com" into google, you get all kinds of hits that link to amex sites. If you put "amexpromotion.com" into google, nothing for amex comes up. If amexpromotion.com was legit, amex would have marketed the heck out of it and it'd have a presence that search engines would pick up. You can also contact amex to see if they can confirm they really sent you that email. There's a chance they don't know about all the marketing stuff they've sent out, but you'd rather miss out on a deal than have to deal with a compromised account or identity theft.

    4. Password managers can help with this. I don't know my amex password, and lastpass won't fill it in if it's not an americanexpress.com site, so even if I incorrectly think a site looks for real, I can't get to my password without jumping through hoops that exist to make me realize I'm not on americanexpress.com.
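The URL rules in points 1, 2 and 4 above, turned into code as an added example (not the commenter's own code): `host_of` isolates the part between `//` and the next `/`, `classify` reports why each of the three look-alike patterns from point 1 fails the ".americanexpress.com" test, `link_text_mismatch` catches a link whose visible text names one host while its href goes to another (point 2), and `should_autofill` is the origin check a password manager applies before filling a saved login (point 4). The brand domain, sample URLs and anchor texts are constructed.

```python
"""Worked example for points 1, 2 and 4 of the comment above.
Added example, not the commenter's code; the brand, sample URLs and
anchor texts are constructed."""
from urllib.parse import urlparse

BRAND = "americanexpress.com"   # the domain we expect, per point 1


def host_of(url):
    """Point 1: only the text between '//' and the next '/' names the site."""
    return (urlparse(url).hostname or "").lower()


def is_brand_host(host, brand=BRAND):
    """The host must be the brand domain itself or end in '.' + brand."""
    return host == brand or host.endswith("." + brand)


def classify(url, brand=BRAND):
    """Return the reasons a URL does not look like the brand's site (empty list = looks right)."""
    parsed = urlparse(url)
    host = host_of(url)
    reasons = []
    if not is_brand_host(host, brand):
        if host.startswith(brand.partition(".")[0] + "."):
            reasons.append(f"'{brand}' is only a subdomain label of {host}")
        elif brand in parsed.path:
            reasons.append(f"'{brand}' sits in the path; the host is {host}")
        else:
            reasons.append(f"host {host} is not {brand}")
    if parsed.scheme != "https":
        reasons.append(f"scheme is {parsed.scheme!r}, not https")
    return reasons


def link_text_mismatch(anchor_text, href):
    """Point 2: visible text that names a host while the href goes elsewhere."""
    text = anchor_text.strip()
    if " " in text or "." not in text:
        return False           # wording like "Apply now" promises no host
    shown = host_of(text if "://" in text else "https://" + text)
    return shown != host_of(href)


def should_autofill(saved_for, current_url):
    """Point 4: a password manager fills only on the site the credential was saved for."""
    return is_brand_host(host_of(current_url), saved_for)


if __name__ == "__main__":
    for url in ("https://www.americanexpress.com/us/credit-cards/",
                "https://americanexpress.something.com/",
                "https://something.com/americanexpress.com",
                "https://something-americanexpress.com/",
                "http://www.americanexpress.com/"):
        print(url, "->", classify(url) or ["looks like the brand's site"])
    print(link_text_mismatch("americanexpress.com", "http://totalscam.com/apply"))
    print(should_autofill("americanexpress.com", "https://americanexpress.something.com/login"))
```

The same `is_brand_host` test drives both the human-facing verdict and the autofill gate, which is the commenter's point 4 in miniature: the manager does not need to recognise a fake page, it only needs to refuse any host that is not the one the credential was saved for.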

    • LastPass is great, but there’s a little learning curve and elbow grease required with using it effectively. Especially in setting up the 2FA which I think is a must but is also pretty clunky and is a really obtuse implementation. The product needs some polishing before less technical diy people pick it up even though it’s probably best out there.

  • Cannot believe fraudsters would try and scam churners... We are the worst people to target, always on top of our finances and logging into accounts to verify points, new offers and of course transactions.

  • Here is another one: They actually send you one of YOUR own passwords in the email indicating they know about you, your browsing habits, etc and extort you to pay them 2K in bitcoin "or else....". These passwords associated with email addresses must be available for sale for cheap on the dark web courtesy of the hacks of various companies.

    • I received one of those recently. Had a former password and wanted bitcoins. It wasn’t too alarming as credit karma had sent an email saying that particular password was part of a breach.

    • Which is why everyone should use a password manager which makes it easy to have unique passwords & it validates sites (it's a good idea to launch the site from within the password manager). Also two factor authentication.
      More broadly, everyone that has much of their social and/or financial life online, as most of us visiting this site do, should aim to have some basic-decent opsec knowledge and hygiene. Part of that should be a cost-benefit analysis to, for instance, use Mint but not an app like Acorn that demands you hand over the logins of every single bank/card you use. Lots of sites that employ top-notch security get breached, so what's it gonna look like for Acorn subscribers if they get breached?

    • I've always wondered what would happen if you called their bluff and told them to just "go ahead".

      I mean obviously take all precautionary measures and change your password before doing that, but it'd still be a fun way to screw with them.

    • I recall getting a similar email quite some time ago, though it didn't have a particular password in it: it threatened to expose me to all of my friends and family--having accessed my browsing info and photos and hacked into my computer's camera, yadda yadda yadda--if I didn't pay up. I was a little worried at first, but then I realized I didn't care if they sent anything to anyone and brushed it off. (Nothing happened.) And a colleague just got hit by this same email (don't recall if the amount was the same or not); it freaked him out because it DID include a password he recognized. But he let the 2 days they gave him go by and nothing happened to him, either. (Of course he's changed all of his passwords to be on the safe side.)

    • literally nobody is going to steal from me, at least not very easily and not anything I won't get reimbursed.

      all of my money is in FDIC insured / SIPC insured banks up to or below the maximum limits. Every single one of my logins has a unique password that I have created using LastPass. I only have to remember my LastPass pw which is very unlikely anyone will ever get even through brute force.

      Even if they do get lucky enough, I have a two-factor authenticator that sends a text to my phone for each unique device login.

      I cannot believe these fraudsters are still around, how they don't get caught is beyond me.

      • Until you give all your secure passwords out to Dosh, Chime, Acorn, Private Capital, Mint, etc. to save a few pennies! Always surprised so many people trust giving their bank account passwords to these sites.

        • The only thing that's 100% risk proof re online stuff is to stay offline. That is in real life it's a matter of benefit-risk analysis. To that end an app like Mint is not the same as Acorn, not by a long shot. I'm referring to the inherent vulnerabilities of their models and the risk exposure to the end users, not the companies behind the apps.

          • Actually staying offline isn't 100% either, what would stop a fraudster from signing up for online access to your accounts?

        • I actually don't give out this to those sites. I linked one brokerage site to personal capital (just to get the $100 Amazon Gift card) and it's not even my main one with a majority of my funds. I agree though, that's something we all need to think about whether saving a few dollars here and there is worth the risk.

        • Everyone needs a password manager, not just churners! It not only makes your life more secure but also EASIER! Check it out!

        • Love LastPass. Can easily set up 24-128 character secure passwords for every account. Use it on my PCs, android and iPhone devices. One secure password with two-factor authentication (even accepts Yubi key), and then you can keep secured notes in there too, not just IDs & passwords. I keep all of my mother's passwords in here too, as she's prone to forgetting them. Very easy.

        • It's a password manager. You can use it to generate and store random passwords. Then you only need to know the master password to input them into user/password fields. I believe it's free for web based access to your passwords but if you want access on your phone/tablet etc it's $2/m. There are similar products from keepass, dashlane, 1password etc.

      • almost every company and service out there has been hacked. Assume your email and some passwords are out there. that's why unique passwords are recommended

  • Thanks for the alert. I got this exact email. I saved it thinking I may go back and apply later. Good thing this information was posted or else I may have given all my information to the bad guys.