In this phishing attack, cybercriminals impersonate American Express, sending an email from a spoofed address that falsely claims the recipient’s account has been temporarily restricted due to unusual activity. The email carries extensive copied American Express branding and instructs the recipient to verify recent transactions using the provided link. Clicking the link redirects the recipient through “https://t[.]co,” a URL shortener, to a malicious website designed to harvest account credentials and other sensitive information. By mimicking official American Express security alerts and creating urgency around supposed fraudulent activity, the attacker pushes recipients to act quickly without verifying the authenticity of the message.


Legacy email security tools struggle to identify this email as an attack: it originates from a spoofed address, contains no attachments, and hides the real destination behind a URL shortener, so signature- and reputation-based checks find little to flag. Modern AI-powered email security solutions detect links to suspicious domains, recognize that the sending domain matches none of the domains in the message’s links, and flag language commonly used in information-theft lures; combining these signals lets them correctly identify the email as an attack.

To protect against these threats, users should avoid clicking on links in unsolicited emails and instead verify any security alerts by logging directly into their American Express account through the official website or app. Strengthening security awareness and utilizing advanced threat detection tools are critical measures to prevent falling victim to these increasingly sophisticated attacks.

Figure: Fake fraud alert sent by cybercriminals impersonating American Express to trick recipients into providing sensitive information

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Spoofed Email Address: The attacker uses a spoofed, legitimate-sounding sender address together with a spoofed display name; checks that only ask whether the address looks plausible let it through, and it lends the message perceived authenticity.
  • Lack of Attachments: By not including any attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
  • Use of URL Shortener: The email includes a link shortened by a URL shortener, so link-reputation checks evaluate the shortener’s well-known domain rather than the true destination, which remains masked.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Suspicious Link Analysis: Abnormal's systems scrutinize the presence of links leading to suspicious domains, triggering deeper analysis for possible malicious intent.
  • Unusual Sending Behavior: The sender domain does not match any of the domains found in the body links, raising suspicion.
  • Personal Information Theft: The email contains language attempting to steal personal information, a common tactic used by attackers to deceive recipients into providing sensitive data.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
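The indicators listed above (a link through a URL shortener, a sender domain that matches none of the linked domains, and information-theft language) can be checked mechanically on a raw message. The following is an added example written for this page, not Abnormal Security's code, and it does not reproduce their models. It parses two constructed messages (neither is a real capture) and reports which indicators fire; the shortener list, the lure-phrase list, the brand-to-domain mapping and the two-indicator verdict threshold are all assumptions chosen for illustration. It also adds a display-name check, since the Tactic field below lists a spoofed display name.

```python
"""Heuristic triage of a fraud-alert phishing email.

Added example: not Abnormal Security's code. It implements the indicators
described above (URL shortener, sender/link domain mismatch, information-theft
language) plus a display-name/brand check. Both messages below are constructed
samples; the shortener, phrase and brand-domain lists are assumptions.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the attack described above (not a real capture).
PHISHING_EMAIL = b"""From: "American Express" <alerts@amex-secure-notify.com>
To: customer@example.com
Subject: Your account has been temporarily restricted
Content-Type: text/html; charset=utf-8

<html><body>
<p>We noticed unusual activity on your American Express account.</p>
<p>Your account has been temporarily restricted. Please
<a href="https://t.co/AbCdEf123">verify your recent transactions</a>
within 24 hours to restore access.</p>
</body></html>
"""

# Constructed benign counterpart: same brand, consistent domains, no pressure language.
BENIGN_EMAIL = b"""From: "American Express" <noreply@americanexpress.com>
To: customer@example.com
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your monthly statement is available at
<a href="https://www.americanexpress.com/statements">americanexpress.com</a>.</p>
</body></html>
"""

# Assumed list of public URL shorteners (extend for real use).
URL_SHORTENERS = {"t.co", "bit.ly", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}

# Assumed phrases typical of account-restriction lures.
LURE_PHRASES = ["temporarily restricted", "unusual activity", "verify your",
                "within 24 hours", "restore access", "confirm your identity"]

# Assumed brand -> legitimate sending domains mapping (illustrative only).
BRAND_DOMAINS = {"american express": {"americanexpress.com"}}


def registrable_domain(host):
    """Last two labels of a hostname. A production tool should use the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def extract_links(html):
    """Return every http(s) href in the body; a regex is enough for this check."""
    return re.findall(r'href=["\']?(https?://[^"\'\s>]+)', html, flags=re.I)


def triage(raw):
    """Return the indicators found in a raw RFC 5322 message plus a verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, addr = parseaddr(str(msg["From"]))
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1])
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    link_domains = {registrable_domain(urlparse(u).hostname or "")
                    for u in extract_links(text)}

    indicators = []
    shorteners = sorted(link_domains & URL_SHORTENERS)
    if shorteners:  # true destination is hidden behind a shortener
        indicators.append(("url_shortener", shorteners))
    if link_domains and sender_domain not in link_domains:  # sender matches no link
        indicators.append(("sender_link_domain_mismatch", sender_domain))
    claimed = display_name.lower()
    for brand, legit in BRAND_DOMAINS.items():  # display name claims an unproven brand
        if brand in claimed and sender_domain not in legit:
            indicators.append(("brand_display_name_mismatch", brand))
    lure_hits = [p for p in LURE_PHRASES if p in text.lower()]
    if lure_hits:  # pressure/verification language typical of credential theft
        indicators.append(("lure_language", lure_hits))

    verdict = "suspicious" if len(indicators) >= 2 else "clean"  # assumed threshold
    return {"sender_domain": sender_domain, "link_domains": sorted(link_domains),
            "indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, triage(raw))
```

The benign message from the brand's own domain triggers none of the checks, which is the point of the sender/link domain comparison: a real notification links back to the domain it was sent from. A single fired indicator is deliberately not enough for a verdict, since plenty of legitimate newsletters use shorteners; the behavioral baselining the page describes is what a production system adds on top of these static checks.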

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: Spoofed Email Address, Spoofed Display Name, Masked Phishing Link
Theme: Suspicious Account Activity
Impersonated Party: Brand
Impersonated Brands: American Express
