Michael Horowitz
Home => Shame on American Express
[Formatted for Printing] From the personal web site of  Michael Horowitz

Shame on American Express and evaluating a phishing email

March 18, 2020

So, I try to buy something online using my American Express card and it does not go well. I give up. The next day, I get the following email supposedly from American Express.

email that is maybe from Amex
Is this email message really from Amex?

For the sake of search engines, the message says, in part:

We are writing to you because we need to speak with you regarding a security concern on your account. For your security, new charges on the accounts listed above may be declined. ... Please call us immediately at 1-888-800-5234 ...

This is EXACTLY the sort of message that scammers and phishers send. It looks like it was copied from a Scamming for Beginners class.

What's wrong? A "security concern on your account" is the vague phrasing bad guys have to use. The phone number is not the phone number on the back of my Amex card. There are two trusted points of contact for American Express. Their AmericanExpress.com website and the phone number on their credit cards. The message makes no reference to either one. Again, exactly what bad guys would do. And the plea to call immediately is also right out of the scammer playbook. They don't want to give you time to think or consider.

I did not even bother looking at the FROM address and neither should you. The FROM address of an email message means nothing, it is very easy to fake.

So, is this message really from American Express or is it a scam?

EVALUATING THE MESSAGE

The first question is whether the phone number is legitimate. I go to AmericanExpress.com and search for the phone number. Nothing. Then, I try the Contact Us page and the phone number is not listed there either. The message is about a security concern, so I try the Security Center section of the Amex website. The phone number is not there either.

Non-techies should assume at this point that the message is a scam and either ignore it or call Amex using a known good phone number - either the one the back of the card or one found at AmericanExpress.com.

But, I am a techie and thus have an advantage.

Not only am I a techie, but my specialty is Defensive Computing. A great defense in the modern world is to use a different email address on every account you have. Or, at the least, on the important accounts. I do this. The email address that American Express has for my account is one that only they have. It is not used anywhere else. For more about having dozens (or hundreds) of email address, see the Email section of my Defensive Computing website.

The fact that this email message was sent to the correct email address goes a long way in telling me that the message is legit. It's not a guarantee however. Amex could have been breached and my account information could have been stolen. I need more proof.

That additional proof came from the email message header. Headers are normally hidden, but they are part of every email message. Un-hiding the headers is a process that varies with every email system and email client but its not rocket science. However, reading email headers was not taught when I went to school, so, I do my best, flawed though my approach may be.

In the email header, I found this: (some text below has been omitted and it is marked as such)

Received-SPF: pass (welcome.aexp.com: 148.173.96.85 is authorized to use
'C9020031802304356000000000000057.AMEX.ENG-ALERTS@welcome.aexp.com'
in 'mfrom' identity (mechanism 'mx' matched)) receiver=OMITTED; identity=mailfrom;
envelope-from="C9020031802304356000000000000057.AMEX.ENG-ALERTS@welcome.aexp.com";
helo=welcome.aexp.com; client-ip=148.173.96.85

Received: from welcome.aexp.com (extmta2-new.aexp.com [148.173.96.85])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by OMITTED (Postfix) with ESMTPS
for ; Wed, 18 Mar 2020 05:31:36 -0400 (EDT)

The only thing I take away from this is that email message was sent from IP address 148.173.96.85. Looking it up at ipinfo.io shows that the IP address belongs to American Express. The message was from them. I called them and resolved the issue.

Another option for verifying the phone number is Twitter, specifically the @AskAmex account. I asked them about the phone number and they verified that it does belong to them. You can see this below.

Asking @AskAmexon Twitter
Asking @AskAmex on Twitter

Like many big companies, Amex has more than one name for the same thing. On Twitter, the phone number belongs to the Fraud Team. On the phone, the same department is referred to as both Account Protection Services and Fraud Prevention. And, of course, the email message that prompted this blog makes no reference to the specific department you are supposed to call.

WHAT AMEX NEEDS TO DO

The email message should say to call the number of the back of the card and ask for the Fraud Prevention department. And, the phone number of the Fraud Prevention department should be on the Contact Us page at AmericanExpress.com

And, really, they need to employ some smarter people. There were far too many failures of judgement here over such a simple thing.

 

 

 @defensivecomput TOP Home => Shame on American Express   
 michael--at--michaelhorowitz.com   Last Updated: March 18, 2020 7PM UTC  
  License Plate
Copyright 2001-2020
Copyright 2001-2020  
Printed at:   December 4, 2020 11:03pm   ET
Viewed 1,809 times since March 18, 2020 (7/day over 261 days)