There are affiliate links on this page.
Read our disclosure policy to learn more.
Translate this page to any language by choosing a language in the box below.
Important: Personal Security Key Email Scam - A Scammer is Phishing for Your Identity
Phishing and Vishing Identity Theft Scams
The American Express "Important: Personal Security Key" Scam
Redirects to spoofed (Fake) website:
You may have received an email like the one below that looks very authentic, like it came from American Express, or a phone call about the same subject. It is an attempt to get you to enter confidential information (typically a social security number, name, address, bank account information, etc., to allow the scammers to steal your identity and open credit cards in your name.
This email was not sent by American Express; American Express is a victim as well. This is referred to as spoofing (making a fake email that looks legitimate, "phishing" (when by email) or "vishing" (when by telephone). If you receive an email similar to the one below, DO NOT click on the link, and do not enter any information on the forms there.
The website that the link leads to is a spoof; a fake website, not created by American Express. It goes to , or other websites (they constantly hack and change destinations), not anything legitimately related to your American Express Personal Security Key! Google has a warning if you search for the mnloyalty website.
When you enter the information they ask for, you will simply be handing the thieves the keys to your bank accounts. That is how spoofing, phishing and vishing works.
If you want to change your American Express personal security key, here is what American Express says on their own website, on this page:
The Personal Security Key is one of several authentication measures we utilize to ensure we are conducting business with you, and only you, when you contact us for assistance. To set up or change your Personal Security Key, simply call us at 1-888-654-0019.
Remember, no reputable business would send you an email or a phone call requesting your personal account information. Any such email you receive asking for this information should be considered phony and brought to the attention of the business being 'phished'.
Anytime you need to go to a website for your bank, credit card companies or other personal, financial or confidential information; do not follow a link in an email; just type their address in your browser directly (such as www.American Express.com )
Below are actual phishing emails that started circulating in early 2008. We removed the links to the phisher's website, which is
It is possible that the owners of the website () are not involved, and that their server has been hacked, but the fact remains that this is the address the scam goes to.
From: American Express [mailto:AmericanExpress@welcome.aexp.com]
Sent: Tuesday, February 04, 2014 6:55 PM
To:
Subject: Important: Personal Security Key
Important : Personal Key
Please create your Personal Security Key. Personal Security Key (PSK) is one of several authentication measures we utilize to ensure we are conducting business with you, and only you, when you contact us for assistance.
American Express uses 128-bit Secure Sockets Layer (SSL) technology. This means that when you are on our secured website the data transferred between American Express and you is encrypted and cannot be viewed by any other party. The security of your personal information is of the utmost importance to American Express, please click here or visit our website at https://www.americanexpress.com to create your PSK (Personal Security Key).
Note: You will be redirected to a secure encrypted website.
The contained message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
Thank you,
American Express
If you'd like to stop receiving this alert, simply click here.
Was this e-mail helpful? Please click here to give us your feedback.
|
|
Your Card Member information is included in the upper-right corner to help you recognize this as a customer service e-mail from American Express. To learn more about e-mail security or report a suspicious e-mail, please visit us at americanexpress.com/phishing. We kindly ask you not to reply to this e-mail but instead contact us via customer service.
' 2014 American Express. All rights reserved.
AGNEUALE0061695
What is Phishing?
Phishing is an attempt by an individual or group to solicit personal
information from unsuspecting users by employing social engineering techniques.
Phishing emails are crafted to appear as if they have been sent from a
legitimate organization or known individual. These emails often attempt to
entice users to click on a link that will take the user to a fraudulent website
that appears legitimate. The user then may be asked to provide personal
information such as account usernames and passwords that can further expose them
to future compromises. Additionally, these fraudulent websites may contain
malicious code.
Learn More About Phishing
ThThe following documents and websites can help you learn more about phishing and how to protect yourself against phishing attacks.
- Avoiding Social Engineering and Phishing Attacks
- Protecting Your Privacy
- Understanding Web Site Certificates
- Anti-Phishing Working Group (APWG)
- Federal Trade Commission, Identity Theft
- Recognizing and Avoiding Email Scams
- Google's warning about the Mnloyalty website (obtained on February 04, 2014):
Methods of Reporting Phishing Email to US-CERT
- In Outlook Express, you can create a new message and drag and drop the phishing email into the new message. Address the message to phishing-report@us-cert.gov and send it.
- In Outlook Express you can also open the email message* and select File > Properties > Details. The email headers will appear. You can copy these as you normally copy text and include it in a new message tophishing-report@us-cert.gov .
- If you cannot forward the email message, at a minimum, please send the URL
of the phishing website.
* If the suspicious mail in question includes a file attachment, it is safer to simply highlight the message and forward it. Some configurations, especially in Windows environments, may allow the execution of arbitrary code upon opening and viewing a malicious email message.
For more information about phishing, see
this page.
Recommendations- What to do:
- Only open email or IM attachments that come from a trusted source and that are expected
- Use an anti-virus/anti-spam package (we recommend Norton 360 or Norton Internet Security scan all attachments prior to opening. Click here to see Norton 360 2013 on Amazon.com .
- Delete the messages without opening any attachments
- Do not click on links in emails that come from people you do not know and trust, even if it looks like it comes from a company you know.
- Keep your anti-virus software up to date
- Keep your operating system up to date with current security patches. Click here for an article that describes how to do this.
And please let us know about any suspicious calls or emails you receive. We look for patterns so that we can alert the authorities and victims to new scams, before it is too late!
For a comprehensive list of national and international agencies to report scams, see this page.