
AMEX Email Scam

By GoldSparrow in Phishing

The AMEX email scam is a persistent phishing campaign that aims to harvest bank card and account data from American Express cardholders. It first appeared in March 2019, when scammers sent out a wave of emails with the generic subject line 'Notice Concerning your Card Member Account' and a body text explaining that AMEX cardholders needed to verify their accounts because of recent system maintenance. Recipients were asked either to open an attachment or to follow a link in the email; both led to a phishing form or phishing website where the potential victims were urged to enter all kinds of personal details tied to their AMEX card membership. Otherwise, the scammers threatened, the accounts would be suspended.

Since its first appearance, the AMEX email scam has resurfaced from time to time, each wave using carefully crafted email bodies and freshly created sender accounts to mislead users. The threat actors behind it copy logos from the official American Express site and imitate pages from www.americanexpress.com. The phishing pages receive their traffic from users who click on the fake account-update notices the attackers send out. A typical AMEX scam email reads as follows (spelling and grammar as in the original):

'Account 100457

We're reaching you on a recent update on our online service platform and we feel the need to evaluate Cardmember's profile.
At the moment of evaluation. your profile couldn't be authenticated during diligence checks.

However; For security reason. We declined access to card member's profile and request that you confirm what we have on records for you.
Attached along this message is a web filliable form. Complete request by downloading and filling out the form.

See Attached

Thank you for your Card Membership,

American Express Customer Care'

Web users who interact with the AMEX scam emails are redirected to pages that copy the top navigation bar from www.americanexpress.com/us/security-center/ and may display a small message box saying:

'Cardmembership | Update
Enter Profile Details

A simple validation process to quickly you as possible. First we need to confirm your profile details. All Fields Required*'

The page beneath that box is styled as a verification form you are supposed to fill out. The fake AMEX verification form is built to collect your bank card data together with login and identity-verification details, including:

  • User ID and password.

  • The 15-digit card number.

  • CID number on the front of your card.

  • CSC number on the back of your card.

  • Card expiration date.

  • Your mother's maiden name.

  • Your mother's birth date.

  • Place of birth.

  • Your first elementary school.

  • Your PIN.


The phishing pages styled after www.americanexpress.com usually include typos and unfamiliar styling, and may lack an HTTPS connection or a certificate issued to the genuine americanexpress.com domain. A padlock alone is not proof of legitimacy, since a phishing site can obtain a valid certificate for its own domain; what matters is the domain shown in the address bar. Browsers like Safari, Google Chrome, and Mozilla Firefox are likely to warn users about known phishing domains.

A New AMEX Email Scam Campaign Emerged in July 2019

A new wave of the well-known AMEX email scam surfaced in mid-July 2019. This time the threat actors employed a novel technique to steal credentials from American Express customers. Researchers detected the messages in a mailbox protected by Microsoft's Office 365 Advanced Threat Protection (ATP), which means the filter had let them through. Targeting both individual and corporate AMEX cardholders, the emails were, as in the previous campaign, full of grammatical errors but still tried to look legitimate by copying logos and other design elements used by the financial institution.

Yet the new campaign uses a clever twist to hide its malicious destination. Instead of embedding an ordinary absolute hyperlink to the page on which the crooks collect credentials, the emails use the HTML <base> element to keep the malicious URL out of sight of link scanners. A <base href> sets the base URL against which every relative URL in the message is resolved, so the attackers can split the address of the phishing landing page into two pieces: the host in the <base> tag near the top of the message and a short relative path in the <a href> further down. Because the anchor carries only the final part of the URL, and its visible text can say anything at all, the recipient never sees the domain that actually hosts the page and has no cue that the message is a scam.

Recipients of the AMEX scam emails are thus urged to click on a link whose visible text reads hxxps://www.americanexpress[.]com/cardmembersvcs/app/signin/Update/Verification. Though it looks credible at first sight, the message also contains a 'base href' element that points to the fake AMEX website. The domain of the phishing page sits in that tag and serves as a 'building block for any URL when a href tag is called further down the page.' The anchor's own href is just the relative path '/4423538420', which the mail client appends to the base href to form the full URL of the landing page: 'hxxp://wasserhahnonlineshop[.]de/4423538420'. By splitting the malicious URL into two pieces, the attackers keep it out of reach of URL scanning tools that inspect each href in isolation.

Thanks to this tactic, the new AMEX scam messages evaded URL filters and active scanning services, because at the time such tools did not combine the separate address pieces into one scannable URL.
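The check those scanners were missing is simply to resolve every link the way a mail client or browser would before looking it up. The following Python script is an added example written for this page, not code from the original article or from any vendor: it pulls the first <base href> out of an HTML message, resolves each <a href> against it with urljoin, and flags anchors whose visible text names a trusted host while the real destination is elsewhere. The sample message is constructed; only the link text, the base host wasserhahnonlineshop.de and the relative path /4423538420 come from the campaign described above, and the function names, the trusted_hosts parameter and the surrounding HTML are my own assumptions.

```python
# Added example (not from the original article): resolve the links in an
# HTML e-mail the way a browser would, so that a URL scanner sees the full
# landing-page URL even when the message splits it with <base href>.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample message modelled on the July 2019 campaign: the link
# text, base host and relative path are taken from the article, the rest
# of the HTML is invented for this example.
SAMPLE_EMAIL_HTML = """
<html><head>
<base href="http://wasserhahnonlineshop.de/">
</head><body>
<p>Your Card Member account will be temporarily suspended unless you
verify your profile:</p>
<a href="/4423538420">
https://www.americanexpress.com/cardmembersvcs/app/signin/Update/Verification
</a>
<p><a href="https://www.americanexpress.com/us/security-center/">Security Center</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects the first <base href> and every <a href> with its visible text."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.links = []          # list of (visible_text, raw_href)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Per the HTML spec only the first <base href> in a document counts.
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"].strip()
        elif tag == "a" and attrs.get("href") is not None:
            self._href = attrs["href"].strip()
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse the whitespace a mail client would render away.
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def resolve_links(html):
    """Return one dict per anchor: visible text, raw href, the URL a browser
    would actually open (base + relative href), its host, and whether the
    raw href was relative."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    resolved = []
    for text, href in parser.links:
        full = urljoin(parser.base, href) if parser.base else href
        resolved.append({
            "text": text,
            "href": href,
            "url": full,
            "host": (urlsplit(full).hostname or "").lower(),
            "relative": not urlsplit(href).scheme,
        })
    return resolved


def _host_in_text(text):
    """Host named by a URL written in the link text, or None if the text is not a URL."""
    parts = urlsplit(text if "://" in text else "http://" + text)
    host = (parts.hostname or "").lower()
    return host if "." in host else None


def find_suspicious_links(html, trusted_hosts=("www.americanexpress.com",)):
    """Flag anchors whose visible text shows a trusted host but whose resolved
    destination is somewhere else; this is exactly the base-href split."""
    findings = []
    for link in resolve_links(html):
        shown = _host_in_text(link["text"])
        if shown in trusted_hosts and link["host"] not in trusted_hosts:
            reason = "link text shows %s but resolves to %s" % (shown, link["host"])
            findings.append({**link, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL_HTML):
        print(finding["url"], "<-", finding["reason"])
```

Run on the sample, the script reports the resolved URL http://wasserhahnonlineshop.de/4423538420 for the anchor whose text claims to be americanexpress.com, while the genuine Security Center link passes. Feeding the resolved URL, rather than the bare "/4423538420" href, to a reputation lookup is what turns this trick back into an ordinary detectable phishing link.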

As social engineering tactics go, the message is again written to create a sense of urgency, stating that the user's AMEX account will be temporarily suspended unless they verify their personal information by following the provided link. This strategy is meant to raise the campaign's success rate, as people tend to be less vigilant when under stress or in a panic. Once the victim clicks the malicious link in the AMEX scam email, they are redirected to a fake American Express login page. Research shows that the crooks targeted four types of AMEX accounts, as indicated by a drop-down menu at the top left of the phishing page:

  1. Cards – My account (a personally held American Express account)

  2. Membership Rewards accounts

  3. Merchant Accounts

  4. American Express @ Work (corporate accounts)


Thanks to its ability to bypass URL filters and email gateways, this new AMEX email scam has the potential to be very effective. Therefore, be cautious every time an email claims your account has been breached and asks you to update your profile information. American Express clients can find help at the official help portal, https://global.americanexpress.com/help. Do not enter banking information on pages promoted via questionable emails; if in doubt, type the bank's address into the browser yourself or call the number printed on the back of your card. If you think your card data has been compromised, visit the American Express Security Center at https://www.americanexpress.com/us/security-center/ and contact your bank. Software that may be causing redirects to pages associated with the AMEX Email Scam can be identified and removed with the help of a reputable anti-malware solution.
