"We detected irregular card activity on your American Express," it says. "As the Primary Contact, you must verify your account activity before you can continue using your card."
The email offers a link whose visible text appears to point to AmEx's official website, and urges potential victims to update their account information within 24 hours if they don't want access to their accounts restricted.
Unfortunately, the link actually leads to one of 419 different URLs hosted on compromised servers, which in turn use a JavaScript file to redirect users to the fake AmEx account settings website.
The victims are asked to enter their user ID and password, Social Security number, date of birth, their mother's maiden name and her date of birth, and the PIN associated with the card. On the next page, they are told to enter the card number.
Finally, they are instructed to share the expiration date and the 3-digit security code on the back of their card.
The hapless victim is then "given" 5,000 bogus reward points and redirected to AmEx's legitimate site. Needless to say, the information he or she entered has already been sent to the phishers, who will use it to make unauthorized purchases or sell it to other crooks who will do the same.
If you have fallen for this scheme, contact American Express immediately so that they can block and revoke your card. If you're lucky, the money in your account is still there or will be refunded by the company if it's not.