Is it phish, or is it Amex?

I am a bit freaked.

Last month I received an email message from American Express.  I very nearly deleted it unread: it was obviously phish, right?  (I was teaching in Toronto that week, so I had even more reason to turf it unread rather than look at it.)

However, since I do have an Amex card, I decided to at least have a look at it, and possibly try and find some way to send it to them.  So I looked at it.

And promptly freaked out.

The phishers had my card number.  (Or, at least, the last five digits of it.)  They knew the due date of my statement.  The knew the balance amount of my last statement.

(The fact that this was all happening while I am aware from home wasn’t making me feel any more comfortable with it …)

So I had a look at the headers.  And couldn’t find a single thing indicating that this wasn’t from American Express.

(I had paid my bill before I left.  Or, at least, I *thought* I had.  So I checked my bank.  Sure enough, that balance had been paid a couple of days before.  However, I guess banks never actually transfer money on the weekend or something …)

A couple of days later I got another message: Amex was telling me that my payment was received.  That’s nice of them.  They were once again sending, in an unencrypted email message, the last five digits of my card number, and the last balance paid on my account.

Well, I figured that it might have been an experiment, and that they’d probably realize the error of their ways, and I didn’t necessarily need to point this out.  Apparently I was wrong on all counts, since I got another reminder message today.

Are these people completely unaware of the existence and risk of phishing?  Are they so totally ignorant of online security that they are encouraging their customers to be looking for legitimate email from a financial institution, thus increasing the risk of deception and fraud?

Going to their Website, I notice that there is now an “Account Alerts” function.  It may have been there for a while: I don’t know, since I’ve never used it.  Since I’ve never used it, I assume it was populated by default when they created it.  It seems to, by default, send you a payment due notice a week before the deadline, a payment received notice when payment is received, and a notice when you approach your credit limit.  (Fortunately, someone had the good sense not to automatically populate the option that sends you your statement balance every week.)  These options may be useful to some people.  But they should be options: they shouldn’t be sending a bunch of information about everybody’s account, in the clear, by default.

(There are, of course, “Terms and Conditions” applicable to this service, which basically say, as usual, that Amex isn’t responsible for much of anything, have warned you, and that you take all the risks arising from this function.  I find this heavily ironic, since I knew nothing of the service, don’t want it, and got it automatically.  I never even knew the “Terms and Conditions” existed, but in order to turn the service off I’ll have to read them.)

(In trying to send a copy of this to Amex, I note that their Website only lists phone and snailmail as contact options, you aren’t supposed to be able to send them email.)

Share
  • http://www.justanotherhacker.com Wireghoul

    My bank thought I was crazy when I told them that I did not wish to give them my email. Why WOULDN’T you want your bank to email you?!?!?!

    My phone company charge me extra not to have my bills delivered to my email with a simple click to pay link.

    It’s not just amex…

  • Volatile

    If you want to be safe, you’ll just call up the bank and have them verify the message.

    Luckily enough, they aren’t this incompetent in my country. My Visa got locked down a few days ago, and I was wondering what was wrong, since I had been involved in any illegal online purchasing. But apparently, my service had spotted my card being activated across shores, and was immediately closed.

    My service has got alot of brains when it comes to financial security.

  • Naugahyde

    I received email purportedly from AMEX saying it was a survey. Nowhere in the document was there a link to americanexpress.com, but it was to a survey company. Yeah, it gets trashed. I forwarded it to their phishing department and they dismissed it as standard operating procedure. Morons.