New American Express Credit Card Identity Theft Phishing Scam

new american express credit card identity phishing scam
Share the knowledge

A new American Express credit card identity theft phishing scam is being sent out in spam email. The subject line is “A recent charge attempt requires your attention” with a random number, so that the subject of our sample reads “A recent charge attempt requires your attention 688836786” The spam goes on to ask “did you recently use your card?”

Here’s our sample, with full headers below in case you’re into that sort of thing. Note that the actual “From” says ‘America Express’, and also the sandiego.edu address is fake, this was not sent out through a San Diego edu account, it was sent out through MailJet.

From: America Exp𝖗ess Subject: A recent charge attempt requires your attention 688836786

Confirmation

Get New Internet Patrol Articles by Email!

The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.

CashApp us Square Cash app link

Venmo us Venmo link

Paypal us Paypal link

 

Verify Your identity

Your Account Number Ending: *****

Dear Cardmember:

Did you recently use your card ?

To help protect your identity your access to your credit has been paused, We wanted to be sure that you had made this transaction.

See amerlcanexpress.com/identity/1526816048 Have your card handy, Sign ln and follow the simple step, Then our intelligent security system will connect you back instantly.

Thank you for your Card Membership.

Of course, the “amerlcanexpress.com/identity/1526816048” link (note the ‘l’ instead of an ‘i’) is actually linked to a tinyurl.com link (tinyurl.com/lavak39di3), which in turn goes to a subdomain at montecitovillas.com. montecitovillas.com, in turn, was just registered a few days ago, and at the home page has only a “welcome to WordPress” splash page. Obviously the unique subdomain has a page mimicking the actual American Express home page, so that you try to log in and voila! The phisher has captured your username and password.

Hopefully if you received this, you did some research first and weren’t taken in!

Here are the full headers of that email, with the actual recipient redacted:

America Exp𝖗ess A recent charge attempt requires your attention 688836786
Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=feedback-id:list-unsubscribe:list-unsubscribe-post:date:subject:to :from:mime-version:message-id:dkim-signature:precedence:delivered-to; bh=SkjnJ4dnffmUt1eFRLHR4B3mHrsjHVKaYGUw9dSYrK0=; b=oiTyFvGo1UCdA9qXSq6px/ZaRsDUZeXUd9VfYwJTgXRqa8RgFfOWCWxgRtjjqEFWF8 zSl8XpY+61Bgdsl032+ber20K38o7crKgxziAubs8ZB/PE5eW9v8PyY2n0sq1jWcqDZY xjxjQ4E8JT4owEXMEzkYkZ9/srWNbm/kHhFkuIq4qyVkNaXPmBr3cwUhWoxWqLI0yBNS /Oh++RbI+fCVJTyKAr4WFUGxBsv2cuv+1il+As3lqbN+Vn5EOwNOlP9pOSaOoj0G8T/W pv/coArPLJfCpmHkDVtnPh9FaTzSmvVvvgRmV1rr5Nwxyra/3XEPcSHO8CxGdSDan8oh evmw==
X-Csa-Complaints: [email protected]
X-Mj-Mid: AVIAAFwji6UAAAAAAAAAAAXfv1MAAAAAh2UAAAAAAB2g7ABixH8jCHZuys2_TXKcGasohTEahQAcLBc
Authentication-Results: concerto.isipp.com; dkim=pass header.d=bnc3.mailjet.com header.s=mailjet2 header.b=H372Yrl5; spf=pass (concerto.isipp.com: domain of “anne.mitchell.esq+caf_=[redacted][email protected]” designates 209.85.160.43 as permitted sender) smtp.mailfrom=”anne.mitchell.esq+caf_=[redacted][email protected]”; dmarc=fail reason=”SPF not aligned (relaxed), DKIM not aligned (relaxed)” header.from=sandiego.edu (policy=none); arc=pass (“google.com:s=arc-20160816:i=1”)
List-Unsubscribe-Post: List-Unsubscribe=One-Click
X-Received: by 2002:a05:6870:33a5:b0:f5:febe:1b27 with SMTP id w37-20020a05687033a500b000f5febe1b27mr21605330oae.229.1657044779105; Tue, 05 Jul 2022 11:12:59 -0700 (PDT)
X-Received: by 2002:ac8:5dc9:0:b0:319:6117:29c8 with SMTP id e9-20020ac85dc9000000b00319611729c8mr29988258qtx.464.1657044777040; Tue, 05 Jul 2022 11:12:57 -0700 (PDT)
Return-Path:
Return-Path:
X-Report-Abuse-To: Message sent by Mailjet please report to [email protected] with a copy of the message
X-Rspamd-Queue-Id: 265ICxXR1275534
X-Google-Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:delivered-to:delivered-to:precedence :dkim-signature:message-id:mime-version:from:to:subject:date :list-unsubscribe-post:list-unsubscribe:feedback-id; bh=SkjnJ4dnffmUt1eFRLHR4B3mHrsjHVKaYGUw9dSYrK0=; b=jB6qRawLXORTQGIX25in0o2sw+Bu6oN3rhCxewo+R8YZZxbyJgC7A06n/RrYibiSGg /c7gHfv5Oct8sDkoInIaHLA+8hJMwWHvE7X33SM3+GqKFqOn7l74ya3CHP8QD9riXkpe GJCO8iPUorlarHIsbV6oOZa4lhpAfG22iPyEU0MdmVptEQKCBn4ARgCnAjX815h6hZYx c8itT4+GuPprEamaKlaNu64wos+gNcekAmpV2BmHLP7rUcTkSiO+JAt3XDF4ixXU3L3c 1cH4n/Jlsj9gd6OvfwPThqJkBD+BQst1aK8mg0+vzuF3yKUOgdwtXmT3Y1dz0x3M4Vhn EMRg==
X-Gm-Message-State: AJIora/9cZnVsKzFIs7fuwNcEpq5tnBALnmbgG8Mdax7Ts/HKWJXdkzb nigSBQxSJvQP1MF00Nz7uDPzrpCmOfLkAVqtt2o/JfKYkLfMgYpbgw==
X-Mj-Smtpguid: 08766eca-cdbf-4d72-9c19-ab2885311a85
X-Google-Smtp-Source: AGRyM1v0vnB0dJRmAc5LY6ICvD7r0y0hM4fky31u/guX4Ou9KZ4Ke+KUzu49CpVMru0dPZyXIlB6
X-Cmae-Analysis: v=2.4 cv=A6ypg4aG c=1 sm=1 tr=0 ts=62c47f28 b=1 cx=a_idp_d a=A14kKIxpoMAQw//Q5Fuftw==:117 a=A14kKIxpoMAQw//Q5Fuftw==:17 a=fGYPQxYm8b8A:10 a=j1P8S1yNTQMA:10 a=6pYsxpYcewsA:10 a=x7bEGLp0ZPQA:10 a=9DvhAHx2yrWFMPxQWpQA:9 a=WsJn1VA2TvdkLhGcKLwA:9 a=QEXdDO2ut3YA:10 a=eX_U_b1SAAAA:20 a=rWRFTMSvAAAA:8 a=EO41GEpFAAAA:8 a=4we06IOLgr9hafYIVFoA:9 a=fvB4Bw8O32ALgqFV:21 a=_W_S_7VecoQA:10 a=w0uSm66vjPwA:10 a=H9UP3l6zVwe8sI7kG2sy:22 a=0jxUg_Tu7LEDvtUZywox:22
Arc-Seal: i=1; a=rsa-sha256; t=1657044777; cv=none; d=google.com; s=arc-20160816; b=tJ4AxJHR++8L6DnUgLLOZugbrtIo7SxK2sWF1Q7KZB1FVEEOdmu9lhffo5PkPlwB9V qPvL2IzidZhekL/CpEzlNufSrkuh5sfwGMHXTlEpxcSqO+zijBOF1thkjHvA4gPR5T4w vmN84fbE9rGnqzOtP5gLkprrDoMu2GMSNMH4aXZqrG90wg/uKDnuYL0QcdAYAEdiyg8X nkHO7DRYDGaKWfMRKA74oxC21MHY9QU6YADmkRexGYYBdTFmZHG3zmRaY0h/XE4MiS6K 5W6boEO8oUvE9Yv0XELi7inKpjIQfcnmz58LXK3ZKNzwLYAP5oukN1Cyq/+Kbv6hrbOA tBJA==
X-Spamd-Result: default: False [1.58 / 7.00]; DCC_REJECT(2.00)[bulk Body=2 Fuz1=many Fuz2=many rep=17% ]; ARC_ALLOW(-1.00)[google.com:s=arc-20160816:i=1]; URI_COUNT_ODD(1.00)[1]; R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17:c]; R_DKIM_ALLOW(-0.20)[bnc3.mailjet.com:s=mailjet2]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; DMARC_POLICY_SOFTFAIL(0.10)[sandiego.edu : SPF not aligned (relaxed), DKIM not aligned (relaxed),none]; MX_GOOD(-0.01)[]; HAS_LIST_UNSUB(-0.01)[]; REDIRECTOR_FALSE(0.00)[amerlcanexpress.com->tinyurl.com]; TO_DN_ALL(0.00)[]; PRECEDENCE_BULK(0.00)[]; DKIM_TRACE(0.00)[bnc3.mailjet.com:+]; RCPT_COUNT_ONE(0.00)[1]; FORGED_RECIPIENTS(0.00); FORGED_SENDER_FORWARDING(0.00)[]; NEURAL_HAM(-0.00)[-0.987]; RCVD_IN_DNSWL_NONE(0.00)[185.250.237.33:received,173.201.193.181:received,209.85.160.43:from]; FORGED_SENDER(0.00)[[email protected],[email protected]]; FWD_GOOGLE(0.00)[[email protected]]; RCVD_COUNT_FIVE(0.00)[6]; FREEMAIL_ENVFROM(0.00)[gmail.com]; MIME_TRACE(0.00)[0:+,1:+,2:~]; RCVD_TLS_LAST(0.00)[]; FROM_HAS_DN(0.00)[]; ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US]; DWL_DNSWL_NONE(0.00)[mailjet.com:dkim]; TAGGED_FROM(0.00)[caf_=[redacted]=isippcom]; RWL_MAILSPIKE_POSSIBLE(0.00)[209.85.160.43:from]; FROM_NEQ_ENVFROM(0.00)[[email protected],[email protected]]; FORGED_RECIPIENTS_FORWARDING(0.00)[]
X-Forwarded-For: [email protected] [redacted]@isipp.com
<[email protected]iljet.com>
X-Spamd-Bar: +
Arc-Authentication-Results: i=1; mx.google.com; dkim=pass [email protected] header.s=mailjet2 header.b=H372Yrl5; spf=pass (google.com: domain of srs0=sbru=xk=a1941740.bnc3.mailjet.co[email protected]bounce.secureserver.net designates 173.201.193.181 as permitted sender) smtp.mailfrom=”SRS0=sbRU=XK=a1941740.bnc3.mailjet.co[email protected]bounce.secureserver.net”; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=sandiego.edu
Mime-Version: 1.0
Precedence: bulk
Received: from concerto.isipp.com (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by concerto.isipp.com with LMTPS id qE1oCzF/xGKVdhMAxsXosw (envelope-from ) for <[redacted]>; Tue, 05 Jul 2022 18:13:05 +0000
Received: from mail-oa1-f43.google.com (mail-oa1-f43.google.com [209.85.160.43]) by concerto.isipp.com (8.15.2/8.15.2/Debian-22) with ESMTPS id 265ICxXS1275534 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NOT) for <[redacted]@isipp.com>; Tue, 5 Jul 2022 18:13:04 GMT
Received: by mail-oa1-f43.google.com with SMTP id 586e51a60fabf-10bf634bc50so9136177fac.3 for <[redacted]@isipp.com>; Tue, 05 Jul 2022 11:13:04 -0700 (PDT)
Received: by 2002:a9d:5d04:0:b0:616:e16f:48c7 with SMTP id b4csp5205621oti; Tue, 5 Jul 2022 11:12:57 -0700 (PDT)
Received: from p3plsmtp18-01-25.prod.phx3.secureserver.net (p3plsmtp18-01.prod.phx3.secureserver.net. [173.201.193.181]) by mx.google.com with ESMTP id r132-20020a37a88a000000b006a3ac063c42si16702819qke.324.2022.07.05.11.12.56 for ; Tue, 05 Jul 2022 11:12:57 -0700 (PDT)
Received: (qmail 7315 invoked from network); 5 Jul 2022 18:12:56 -0000
Received: (qmail 7313 invoked by uid 30297); 5 Jul 2022 18:12:56 -0000
Received: from unknown (HELO p3plibsmtp02-04.prod.phx3.secureserver.net) ([68.178.213.4]) (envelope-sender <[email protected]941740.bnc3.mailjet.com>) by p3plsmtp18-01-25.prod.phx3.secureserver.net (qmail-1.03) with SMTP for [redacted]; 5 Jul 2022 18:12:56 -0000
Received: from o33.p38.mailjet.com ([185.250.237.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 256/256 bits) (Client did not present a certificate) by CMGW with ESMTP id 8n2ZoMtXMlCtl8n2boigWC; Tue, 05 Jul 2022 11:12:56 -0700
Content-Type: multipart/alternative; boundary=”X7zmPM=_MHtOoEEafJD3AI6AwbdlHxKCTM”
X-Rspamd-Server: concertino
Received-Spf: pass (google.com: domain of srs0=sbru=xk=a1941740.bnc3.mailjet.co[email protected]bounce.secureserver.net designates 173.201.193.181 as permitted sender) client-ip=173.201.193.181;
List-Unsubscribe:
List-Unsubscribe:
Feedback-Id: 42.1941740.1846295:MJ
X-Cmae-Envelope: MS4xfE2IcW8jUplLBRk4C0GX3tGlikX3lsM0u4MZmi9FmjvhgzzFC25TVA0WRLmfGi68yqFhfSANqNmUo8wXA4Nu2zcz66LMI/zwjE5qCVafN5CJlHz2LY/4 u0zZcj0nfur3wir59hHX15DiWh7ZzsasacZRTu4bRQPjU5HZtl3W3cSfRVVeOB1FrH5Kpql9r65i2dwh1ibAtzYTPzu5x2eN05LBD7rRZmSXy6sFnKEaJTJo GDaGB7La5PKMkV1ahTcFhQl9PBmFfj4rt9EPoAkoZpGvp7M2ZXGa/nSjbipI4UIk
X-Forwarded-To: [redacted]@isipp.com
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/simple; q=dns/txt; d=bnc3.mailjet.com; [email protected]; s=mailjet2; h=message-id:mime-version:from:from:to:to:subject:subject:date:date:list-unsubscribe-post:list-unsubscribe: feedback-id:x-csa-complaints:x-mj-mid:x-mj-smtpguid:x-report-abuse-to: content-type; bh=4AL7RHgJNrcLSxQd5J3kwmvZGxiwIXoKTzKjamiejpg=; b=H372Yrl5qbCxW/85QCa5SwEc7aYxazf0o0Ims0vWP/kyFG91I1Z3Y20Jk 0mntfEScmJ5eU8FxI9MRWmtAYyb2iEl0fhgV4vcT770TC5yaw0B5VxsVWzbU 2jDAo7nSJJMUj0RBJ3CaOVVCteY1yfcTwR90iTY9MMm/7uUpGig8g8=

Get New Internet Patrol Articles by Email!

The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.

CashApp us Square Cash app link

Venmo us Venmo link

Paypal us Paypal link

 


Share the knowledge

One thought on “New American Express Credit Card Identity Theft Phishing Scam

  1. I’ve been getting my fair share of those kinds of emails (and not just for American Express), but I’m a lot more concerned about my phone SPAM. Lately, I’m being bombarded with SCAM phone calls from fake Amazon asking me to verify a $1300 iPhone purchase. What’s worse, they call from spoofed phone numbers (there’s an unlimited supply of those!) and they continue calling every few minutes all day long. They’ll keep it up for a few days and then stop. They wait about a week (or sometimes two) until they think I’ve probably forgotten about it and then they start all over again.

    I never answer my phone unless the caller is on my contacts list. If it’s a legitimate caller, they’ll leave a message. If it’s not a legitimate caller, they might still leave a message, but at least you know not to return the call. Ditto all callers that don’t leave any message.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.