Confirm Your Account (American Express scam email)

Here is an example of a letter from a scammer who wants my American Express login and password details. (That's assuming I have an American Express card, obviously...)

This is interesting because email communication with many credit card institutions and banks now includes a few digits from your account. The number of digits varies depending on the institution. The email will also include your name, with a message such as "This email is for Alexis Wilke", proving (yeah! right!) that the sender is the dude that has your information.

Here the scammer clearly doesn't have that information and he replaced the number with XXXX's. I find that interesting because if he had used just 3 digits, he would have had a 1 in 1,000 chance of hitting the correct number. In other words, if he sends that email to 100 million people, 100,000 of them would receive an email with the correct digits... In all likelihood, though, the destination website would be knocked down before much damage happens.

On the other hand, most scammers would have difficulty sending millions, if not billions, of emails with the correct recipient name or other details. (For example, a company could include the last 4 digits of your phone number; if those do not match any one of your phones, then you know that's not the company contacting you and you should not follow any of the links.) So checking all of those parameters each time is not a bad idea.

The Verify Account button had the following link:

http://kkelvi.cox.s3-website-us-west-1.amazonaws.com

Notice that this is an Amazon AWS computer and that the American Express domain name appears nowhere in that URL. Finally, it was not secure (not HTTPS). This is probably going to do a 301. Often hackers do that to avoid having the final destination knocked out too quickly. (Well, I'm assuming that's in part the thinking behind having 301s.)
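The link checks described above can be automated, together with a comparison of the From: domain against the DKIM signing domain visible in the headers reproduced below. This is an added example, not code from the original post; the function names and the choice of americanexpress.com as the expected domain are assumptions, and the sample message is constructed from values on this page.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample: trimmed headers and the button link from this page's message.
SAMPLE = """\
From: "American Express Online " <webmaster@bland.k12.va.us>
To: contact@m2osw.com
Subject: Confirm Your Account
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=tallydashboard.net;
    h=mime-version:from:to:subject:content-type; s=s1
Content-Type: text/html

<a href="http://kkelvi.cox.s3-website-us-west-1.amazonaws.com">Verify Account</a>
"""

def under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def check_message(raw, brand, brand_domain):
    """Return a list of findings for a message that claims to come from brand."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    findings = []
    if brand.lower() in display.lower() and not under(from_domain, brand_domain):
        findings.append("from-domain-mismatch:" + from_domain)
    # A DKIM pass vouches only for d=; compare it to From: (simplified subdomain match).
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m and not under(from_domain, m.group(1)) and not under(m.group(1), from_domain):
            findings.append("dkim-domain-unaligned:" + m.group(1))
    body = msg.get_payload()  # single-part sample, so this is a string
    for url in re.findall(r'href="([^"]+)"', body):
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append("link-not-https:" + url)
        if not under(parts.hostname or "", brand_domain):
            findings.append("link-off-domain:" + (parts.hostname or ""))
    return findings

if __name__ == "__main__":
    # Assumption: americanexpress.com is the domain the real sender would use.
    for finding in check_message(SAMPLE, "American Express", "americanexpress.com"):
        print(finding)
```

On the sample, all four checks fire: the From: domain, the DKIM signing domain and the link host each belong to a different unrelated domain, and the link is plain HTTP.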


Return-Path: <SRS0+2AaG=5Z=default.tallydashboard.net=bounces+288853-41c0-contact=m2osw.com@m2osw.com>
X-Original-To: contact@m2osw.com
Delivered-To: alexis@m2osw.com
X-Greylist: delayed 60 seconds by postgrey-1.35 at do; Thu, 09 Apr 2020 06:58:15 UTC
DMARC-Filter: OpenDMARC Filter v1.3.1 m2osw.com C0A22415A6
Authentication-Results: mail.m2osw.com; dmarc=none header.from=bland.k12.va.us
Authentication-Results: m2osw.com;
    dkim=pass (1024-bit key; unprotected) header.d=tallydashboard.net header.i=@tallydashboard.net header.b=R1+0Yl8j;
    dkim-atps=neutral
Received: from o1.apps.tallydashboard.net (o1.apps.tallydashboard.net [192.254.125.174])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by m2osw.com (Postfix) with ESMTPS id C0A22415A6
    for <contact@m2osw.com>; Thu,  9 Apr 2020 06:58:15 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=tallydashboard.net;
    h=mime-version:from:to:subject:content-type; s=s1;
    bh=siywZ9j3InpqKG/4CVQlpoLK9MRwJR/NvNHXs+6Ioms=; b=R1+0Yl8jP3KPX
    9+Mq6ks+jYfZMakr40nnFKmDXC8g8GcSIRS8QI+rGR8qw6P4+qrX2juSSY5HAIxM
    TpeTxd/7bblkpC8gEBNTp3YtMU5LqYHcOolOqXkxzZw0tDz+nvtRdWDyoTKpx5Xe
    4/oooxb4O+nkjBuPU/gnkYC6Iyq40A=
Received: by filter0344p1iad2.sendgrid.net with SMTP id filter0344p1iad2-19634-5E8EC74A-B
        2020-04-09 06:57:14.571556529 +0000 UTC m=+632481.507808555
Received: from WIN-43E79HIHPBB (unknown)
    by ismtpd0008p1sjc2.sendgrid.net (SG) with ESMTP id qOcRnMxCR76prUDoyki7OA
    for <contact@m2osw.com>; Thu, 09 Apr 2020 06:57:14.424 +0000 (UTC)
MIME-Version: 1.0
From: "American Express Online " <webmaster@bland.k12.va.us>
To: contact@m2osw.com
X-Priority: 1
Priority: urgent
Importance: high
Date: Thu, 09 Apr 2020 06:57:14 +0000 (UTC)
Subject: Confirm Your Account
Content-Type: multipart/alternative;
 boundary=--boundary_198312_6cf13752-1a77-4041-aa46-dc509c30f585
Message-ID: <qOcRnMxCR76prUDoyki7OA@ismtpd0008p1sjc2.sendgrid.net>
X-SG-EID: 8bkIEHxtkl+nSCuwmXWpcV7XHqRCbZ+hluoXpk7g7/5YE6XrI1c+HmfgwctTz6pzRimfigAjVwtOm/
 tgyGOxyMzPp8sBhZmIxXAyn3eejkcuFhzilY3RjkuLDE5lRACm1rJG9/b/5B6GIoNNz9hMwpqYeRKW
 1mVGTHyVLC3CbQwrtdvucsdQkgrx9NK29+b4ns8d1OJI6/Ec9yyk0WG+CuREiCrLyDdyLj7Ywf8pn9
 /eR3h7rpgxe3V55sbIXDgT

vdkiDO.jpg

American Express (name)

ACCOUNT ENDING: XXXX

AMERICAN EXPRESS SECURITY VERIFICATION

We are having issues verifying your account with us.

You need to verify your account immediately .

We require your assistance to better help us confirm your card account with us.

For your convenience, you can log in to your online account now to get verified and continue using your account with us.

Verify Account

Thank you for your Card Membership,

American Express Customer Care

2019 American Express. All rights reserved.

ADCEUADC0070001

American Express Logo