AMEX Email Scam

AMEX Email Scam Description

When we talk about the AMEX email scam, we envision a particularly persistent email campaign that aims to collect bank card data from users. This threat appeared for the first time in March 2019 when scammers sent out a bunch of emails with a generic subject line that read 'Notice Concerning your Card Member Account' and a body text which explains that AMEX cardholders need to verify their account due to some recent system maintenance. The recipients have then been asked to open an email attachment, or follow a link inserted into the email, both actions leading to a phishing form or a phishing website where the potential victims have been urged to enter all kinds of personal details related to their AMEX card membership. Otherwise, the scammers threaten, the accounts would be suspended.

Since its first appearance, AMEX email scam resurges from time to time and uses carefully crafted email bodies and new email accounts to mislead users. The threat actors behind the AMEX email scam are known to copy logos from the official site of the American Express bank and simulate pages from www.americanexpress.com. The phishing pages employed in the AMEX email scam receive traffic from Web users who click on fake account updates sent by threat actors. The AMEX scam emails might offer the following text:

'Account 100457

We're reaching you on a recent update on our online service platform and we feel the need to evaluate Cardmember's profile.
At the moment of evaluation. your profile couldn't be authenticated during diligence checks.

However; For security reason. We declined access to card member's profile and request that you confirm what we have on records for you.
Attached along this message is a web filliable form. Complete request by downloading and filling out the form.

See Attached

Thank you for your Card Membership,

American Express Customer Care'

Web users that interact with the AMEX scam emails are redirected to pages that feature the top page bar from ww.americanexpress.com/us/security-center/ and may display a small message box saying:

'Cardmembership | Update
Enter Profile Details

A simple validation process to quickly you as possible. First we need to confirm your profile details. All Fields Required*'

The underlying page may be styled as a verification form you are supposed to fill out. The fake AMEX verification form is made to collect your bank card data, which includes:

  • User ID and password.

  • The 15-digit card number.

  • CID number on the front of your card.

  • CSC number on the back of your card.

  • Card expiration date.

  • Your mother's maiden name.

  • Your mother's birth date.

  • Place of birth.

  • Your first elementary school.

  • Your PIN number.


The phishing pages styled after www.americanexpress.com usually include typos, unfamiliar styling, and are likely to lack a proper HTTPS connection and digital certificate. Web browsers like Safari, Google Chrome, and Mozilla Firefox are likely to alert users of phishing domains. 
A New AMEX Email Scan Campaign Emerged in July 2019

A new phishing campaign of the well-known AMEX email scam hit the cybersecurity world in the middle of July 2019. This time, the threat actors have employed a novel technique to steal credentials from customers of American Express. Researchers detected the dangerous messages in an email box protected by Microsoft’s Office 365 Advanced Threat Protection (ATP). Targeting both individual and corporate AMEX cardholders, the emails were, as in the previous phishing campaign, full of grammatical errors but still tried to look legit by copying logos and other design concepts used by the financial institution. 

Yet, the new AMEX campaign uses a deadly twist to hide its malicious intentions. Instead of embedding a regular hyperlink to the page through which the cyber crooks collect the credentials, the new emails use a base HTML element to hide the corrupted URL from anti-malware programs. That trick allows the criminals to specify the base URL that should be used for all relative URLs within the spam message, practically splitting up the phishing landing page into two pieces. Since the hyperlink would only show the end part of the malicious URL, potential victims would not see the domain on which the page is hosted, preventing them from recognizing that the message is a scam.

Recipients of the AMEX scam emails are thus urged to click on the following link: hxxps://www.americanexpress[.]com /cardmembersvcs/ app/ signin/ Update/ Verification. Though it looks credible at first sight, in fact, it contains a 'base href' URL which leads to the fake AMEX website. The top-level domain of the phishing page is contained in the tag and it serves as a 'building block for any URL when a href tag is called further down the page." Then, the '/4423538420' link is added at the end of the base href element and this is how the full URL of the landing page is formed: 'hxxp://wasserhahnonlineshop[.]de/4423538420.' This way, the attackers effectively split the malicious URL into two pieces, making it undetectable for URL scanning tools.

Due to this tactic, the new AMEX scam messages are able to evade URL filers and active scanning services as such tools are currently not able to combine separate address pieces into one scannable URL.

As social engineering tactics suggest, the message is again written in a manner that aims to create a feeling of urgency, stating that the user would have his or her account with AMEX temporary suspended if they do not verify their personal information by following the provided link. Such a strategy is supposed to raise the scam campaign’s success rate as people tend to be less vigilant when under stress and in panic. Once the victim has clicked on the malicious link in the AMEX scam email, they get redirected to a fake American Express login page. Research shows that the crooks have targeted four types of AMEX accounts, as indicated by a drop-down menu on the top left side of the phishing page. These accounts are as follows:

  1. Cards – My account (a personally held American Express account)

  2. Membership Rewards accounts

  3. Merchant Accounts

  4. American Express @ Work (corporate accounts)


Thanks to its ability to bypass URL filters and email gateways, this new AMEX email scam has the potential to be very efficient. Therefore, you need to be cautious every time an email suggests your account has been breached and you need to update your profile information. Clients of American Express can find help at the official help portal, which is available on https://global.americanexpress.com/help. Do not enter your banking information on pages promoted via questionable emails. If you think that your card data has been compromised, you may want to visit the American Express Security Center at https://www.americanexpress.com/us/security-center/ and call your local bank branch. Software that may be causing redirects to pages associated with the AMEX Email Scam can be identified and removed with the help of a reputable anti-malware solution.

Do You Suspect Your PC May Be Infected with AMEX Email Scam & Other Threats? Scan Your PC with SpyHunter

SpyHunter is a powerful malware remediation and protection tool designed to help provide PC users with in-depth system security analysis, detection and removal of a wide range of threats like AMEX Email Scam as well as a one-on-one tech support service. Download SpyHunter's FREE Malware Remover
Note: SpyHunter's scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware removal tool to remove the malware threats. Read more on SpyHunter. Free Remover allows you to run a one-off scan and receive, subject to a 48-hour waiting period, one remediation and removal. Free Remover subject to promotional details and Special Promotion Terms. To understand our policies, please also review our EULA, Privacy Policy and Threat Assessment Criteria. If you no longer wish to have SpyHunter installed on your computer, follow these steps to uninstall SpyHunter.

Security Doesn't Let You Download SpyHunter or Access the Internet?

Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow to download SpyHunter and gain access to the Internet:
  • Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, you should open Firefox, Chrome or Safari browser instead.
  • Use a removable media. Download SpyHunter on another clean computer, burn it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
  • Start Windows in Safe Mode. If you can not access your Window's desktop, reboot your computer in "Safe Mode with Networking" and install SpyHunter in Safe Mode.
  • IE Users: Disable proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.
If you still can't install SpyHunter? View other possible causes of installation issues.

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their PC with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your PC. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.