View Full Version : Is this phishing or not?


KrazyHorse
26-10-2005, 21:51:03
I just applied for a credit card online. I filled out the forms, including my social security number. I just got an email purporting to be from the credit card company, saying that they needed my social security number to complete my application. The address of the link they give is under the right domain name (it's www.americanexpress.com/myappstatus)

If I open a separate browser window and type that URL in, it will be safe to give whatever info I'm prompted for, right?

Asher
26-10-2005, 22:12:26
Make sure that browser window is secure. In Firefox 1.5 betas the address bar should be yellow and have a padlock on it, and in the status bar at the bottom it should have a domain (ie, www.americanexpress.com) next to the padlock.

If it's a popup window without any statusbars/address bars, right click and select View Page Info then click the Security Tab.

If the page is NOT secure, I would not enter anything.

If it IS secure, click 'View' to view the security certificate and ensure the issued-to domain is something legit.
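The "issued-to domain" check described in the post above, as an added example that is not part of the original thread: it accepts a name only when it is the expected domain or a subdomain of it, which is what separates www65.americanexpress.com from a host that merely contains that string. The certificate dicts, the `status-check.example` name and all function names are constructed for illustration.

```python
# Constructed certificates in the dict shape returned by Python's
# ssl.SSLSocket.getpeercert(); none was captured from a real server.
GENUINE = {
    "subject": ((("commonName", "www65.americanexpress.com"),),),
    "subjectAltName": (("DNS", "www65.americanexpress.com"),),
}
LOOKALIKE = {
    "subject": ((("commonName", "www.americanexpress.com.status-check.example"),),),
    "subjectAltName": (("DNS", "www.americanexpress.com.status-check.example"),),
}
CN_ONLY = {"subject": ((("commonName", "*.americanexpress.com"),),)}  # older style, no SAN

def issued_to_names(cert):
    """DNS names the certificate was issued to: SAN entries, else the commonName."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names += [value for kind, value in rdn if kind == "commonName"]
    return [n.lower().rstrip(".") for n in names]

def belongs_to(name, expected_domain):
    """True only if name is expected_domain itself or a subdomain of it."""
    if name.startswith("*."):
        name = name[2:]          # a wildcard covers hosts under this name
    expected = expected_domain.lower().rstrip(".")
    return name == expected or name.endswith("." + expected)

def audit_certificate(cert, expected_domain):
    """Split the issued-to names into (inside expected_domain, outside it)."""
    names = issued_to_names(cert)
    inside = [n for n in names if belongs_to(n, expected_domain)]
    outside = [n for n in names if not belongs_to(n, expected_domain)]
    return inside, outside

def issued_to_expected(cert, expected_domain):
    """Accept only when every issued-to name sits under expected_domain."""
    inside, outside = audit_certificate(cert, expected_domain)
    return bool(inside) and not outside
```

This compares names only; it assumes the TLS library has already validated the certificate chain and the host name.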

KrazyHorse@home
26-10-2005, 22:16:46
Okay. Everything seems to be in order.

Thanks, Asher.

Don't know why they needed me to reenter my SSN.

notyoueither
27-10-2005, 04:56:05
Fucking brilliant of them to send an email and invalidate all those 'do not reply to emails' warnings.

Fucking morons.

notyoueither
27-10-2005, 05:02:39
If you haven't already been raped, I'd call them and tell them to shred my application since I don't want to entrust financial relationships to such an irresponsible company.

KrazyHorse@home
27-10-2005, 07:29:51
Thinking about this now, what's even odder is that in order to edit my information (i.e. give them my SSN again) I had to sign in...by entering my SSN

WTF?

Dyl Ulenspiegel
27-10-2005, 07:45:00
See if you can get to that window from the amex start site.

The page as such looks ok, but who knows. I tried to see whether they have a no-mail, no-info policy, but I only found this with a mail address you may wish to use:

http://home3.americanexpress.com/corp/cr/fraud/phishing.asp

And if they really ask per mail for personal information online, they are retarded.

KrazyHorse@home
27-10-2005, 07:47:40
Yeah. I also checked that.

www.americanexpress.com
->personal cards
->check the status of my application

sends you to the same redirect URL as does typing in www.americanexpress.com/myappstatus

Dyl Ulenspiegel
27-10-2005, 07:51:26
Ok, took me to a slightly different site (also appears a bit differently):

https://www65.americanexpress.com/eaol/statuscheck/welcome_statuscheck.jsp?CCNR=application

vs

https://www65.americanexpress.com/eaol/statuscheck/welcome.jsp

I may be slightly paranoid and overestimate what can be forged by phishers, but I'd contact the company and ask, just to be sure.

Gary
27-10-2005, 07:51:49
Think I'd have phoned (or emailed them - not reply) to ask what the hell was going on.

Can never be too sure these days.

Asher
27-10-2005, 15:03:50
If the window he entered the information on was secured and the certificate was assigned to a legit domain like americanexpress.com, it wasn't phishing, and just stupidity on American Express' part.

That's why the new version of Firefox will now show the issued-to domain for security certificates on the bottom right hand corner of the screen, so you can tell who is responsible for secure sites.

Venom
27-10-2005, 15:18:23
Thanks for the SSN KrazyHorse.

KrazyHorse
27-10-2005, 19:28:13
Anyhow, I talked to AmEx and everything's cool.

It is dumb of them, though.

notyoueither
28-10-2005, 04:35:44
Did you tell them to fuck off, because you do not want them 'being dumb' and sending financial information in plain 0's and 1's over the internet?

Hey, sniffers, just look for this combo, and then send them a follow up message, now that you know they'll be prepared by their own fucking bank to be swindled!

Asher
28-10-2005, 04:56:22
I don't think they sent unencrypted financial information over the internet, they asked him to enter the SSN on their secured website.

KrazyHorse@home
28-10-2005, 20:41:10
Asher is correct.

But NYE's attitude is also correct.

They should not send a request for information via email.

KrazyHorse@home
28-10-2005, 20:41:51
But I'm also their ho because their rewards program is so good (the only reason I'm getting a second credit card in the first place)

:(

Dyl Ulenspiegel
28-10-2005, 20:58:58
I'll never understand the credit card business.

So by the rewards program, you'll rip off the retards who pay 20 % interest for their consumption credit?

Dyl Ulenspiegel
28-10-2005, 21:26:46
I just got a badly written phishing mail with the usual babble.

Odd thing: the link it gives is www.bawag.com, which leads to the correct bank site, which has a current phishing warning that such mails direct to www.bowag.com. wtf? :confused:

Venom
28-10-2005, 21:34:38
Phishing for phishers maybe?

Dyl Ulenspiegel
28-10-2005, 21:36:54
Now that would be so cunning.