In this likely AI-generated phishing attack, cybercriminals impersonate American Express by sending an email from a spoofed address with the subject line “Important Notice.” The email falsely claims that there are urgent verification requirements for the recipient’s bank account to ensure its security and accuracy. Recipients are instructed to click on a link to complete beneficiary and security question verifications. However, the link redirects them to a malicious website designed to steal sensitive information, such as login credentials, personal data, or financial details. By mimicking the format and tone of legitimate American Express communications, the attackers create a false sense of trust and urgency, pressuring recipients into acting quickly without scrutinizing the email's authenticity.


Older, legacy email security tools struggle to accurately identify this email as an attack because it originates from a spoofed address, uses legitimate links in the message, and contains no attachments. Modern AI-powered email security solutions detect links to suspicious domains, recognize that the sending name and domain name do not match, and flag language patterns commonly used in financial theft to correctly identify the email as an attack.

To avoid falling victim to these scams, users should verify unusual account notifications directly through American Express’s official website or app rather than clicking on links in unsolicited emails. Businesses can also mitigate risk by educating employees about common phishing tactics and leveraging advanced security tools to detect and block increasingly sophisticated attacks.


Cybercriminals pose as American Express in this phishing email

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The attacker spoofs a legitimate-sounding email address, bypassing basic email verification checks and adding perceived authenticity.
  • Legitimate Links Included: The email includes links associated with recognizable domains, which can pass through basic link verification checks due to their legitimate structure.
  • Lack of Attachments: By not including any attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Suspicious Link Analysis: Abnormal's systems scrutinize the presence of links leading to suspicious domains, triggering deeper analysis for possible malicious intent.
  • Sender Name and Domain Mismatch: The sender’s name does not match the sender’s domain, raising suspicion during Abnormal’s analysis.
  • Financial Theft Language: The email contains language that may be attempting to steal money from the recipient, a common tactic identified by Abnormal’s content analysis and NLP algorithms to detect potential financial fraud.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
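The three indicators listed above (sender name/domain mismatch, a link whose visible text points somewhere other than its real target, and financial-theft wording) can be checked with simple heuristics. The following is an added example, not Abnormal's code; the sample message, the brand-to-domain map and the keyword list are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample shaped like the lure described on this page (not the real email).
SAMPLE_EMAIL = """\
From: "American Express" <notice@mail-secure-alerts.example>
To: customer@example.com
Subject: Important Notice
Content-Type: text/html

<p>Urgent verification is required for your account.</p>
<p><a href="http://aexp-verify.example/login">https://www.americanexpress.com/verify</a></p>
"""

# Assumed mapping of display names to the domain they are expected to send from.
BRAND_DOMAINS = {"American Express": "americanexpress.com"}
# Assumed wording associated with account-takeover and financial-theft lures.
THEFT_TERMS = ("urgent", "verify", "verification", "account", "suspend", "beneficiary")
HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def analyze(raw: str) -> dict:
    """Return the indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    findings = {"display_name_mismatch": False, "masked_links": [], "theft_language": []}
    # Indicator 1: display name claims a brand, but the address is not on its domain.
    expected = BRAND_DOMAINS.get(name)
    if expected and not sender_domain.endswith(expected):
        findings["display_name_mismatch"] = True
    # Indicator 2: anchor text shows one host while href resolves to another.
    body = msg.get_payload()
    for href, text in HREF_RE.findall(body):
        target = urlparse(href).hostname or ""
        shown = urlparse(text.strip()).hostname or ""
        if shown and target != shown:
            findings["masked_links"].append((shown, target))
    # Indicator 3: urgency / verification wording in subject and body.
    lowered = (msg.get("Subject", "") + " " + body).lower()
    findings["theft_language"] = [t for t in THEFT_TERMS if t in lowered]
    return findings


def is_suspicious(findings: dict) -> bool:
    """Flag when a hard indicator fires or several theft terms appear together."""
    return (findings["display_name_mismatch"] or bool(findings["masked_links"])
            or len(findings["theft_language"]) >= 2)
```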

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: Spoofed Email Address, Spoofed Display Name, Masked Phishing Link
Theme: Account Verification, Security Update
Impersonated Party: Brand
Impersonated Brands: American Express
AI Generated: Likely
