As do all Internet users, I receive my share of spam and scams in my email inbox. As a longtime Web enthusiast, I thought I'd seen just about every possible permutation of the online hustle. But yesterday a colleague forwarded me an email that he (correctly) deemed suspicious, and that featured a novel twist.
The email's subject line was "AAdvantage Survey Program," and the message read as follows:
Greetings from AA.com
Welcome to the American Airlines AAdvantage(R) program, the first and largest loyalty program in the world! We are proud to inform you that today June. 26 /2008 AmericanAirlines.com launch a new reward program. Please log in to your American Airlines account and take the 5 questions survey. For your effort you will be rewarded with $50
Your 50 dollars bonus code is AA-001NXX-2008NX22. Please log in to your www.aa.com account and follow the steps.
Thank you very much for your help and your patient and hope you will enjoy the American Airlines reward program in the future
American Airlines Reward Department
Those who clicked on the link in the email were taken first to a web page that looked exactly like a page on AA.com where they were asked to provide an AAdvantage membership number and PIN; then to an online survey with questions pertaining to American's website; and finally to a page requesting the user's personal information, including social security number, date of birth, mother's maiden name, credit card number, expiration date, code, and ATM PIN.
This is classic phishing. (According to Wikipedia, "phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.")
I can't say for sure that this is the very first frequent flyer program-related email scam, but it is the first one I'm aware of. Also noteworthy is American's response.
A recipient of the email forwarded it to American spokesman Tim Wagner, who alerted the AAdvantage department and American's IT security personnel. It was determined that the email, which appeared to have been sent from AA.com, actually traced back to a server in Moscow. American then took the unusual step of sending an email to AAdvantage members, as follows:
It has come to our attention that a "phishing" email was received by many people including some of our AAdvantage(R) members. A phishing email attempts to trick unsuspecting people into revealing personal information to a third party. This particular phishing email is a fraudulent email message that claims to be from American Airlines and offers a $50 payment in return for completing a survey.
If you received this email, do not open the link and delete the email immediately.
If you have received the phishing email and have provided your personal AAdvantage information, please log on to AA.com immediately, verify your account balance and change your password. If unauthorized changes have been made to your account, please call us at 1-800-882-8880 and speak "AAdvantage Services," then select "Account Information" and ask for an "agent."
If you provided other personal information when completing the phishing survey, we suggest you contact your financial institutions.
Wagner suspects the culprits were more interested in obtaining credit card information than in using AAdvantage information to fraudulently obtain free tickets. I think he's right—frequent flyer awards are easily traced.
Targeting frequent flyer program members may be a one-time-only event. Unfortunately, it's more likely that this is just the beginning of a new trend.
As banks and credit card issuers know, frequent flyers are a highly desirable segment of the consumer universe. Perpetrators of phishing scams recognize that too, and can be expected to target mileage program members again. And again and again and again.
Think that email is from your frequent flyer program? Don't be too sure. (See the Wikipedia article referenced above for assistance in recognizing and eliminating phishing emails.)
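Two signals described above can be checked mechanically: a message that claims to come from AA.com but was delivered by an unrelated server, and a link whose visible text names www.aa.com while pointing somewhere else. The Python sketch below is an added example, not code from American or from the original article. The sample message, its hosts and the names under, Anchors and check are constructed for illustration, and it assumes the top Received header was written by the recipient's own mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the message quoted in the article; every
# host and address is a placeholder, not data from the real incident.
SAMPLE = """\
Received: from relay.moscow.example ([203.0.113.7]) by mx.recipient.example
From: American Airlines <rewards@aa.com>
Subject: AAdvantage Survey Program

Log in to your <a href="http://aa.com.survey.example.net/login">www.aa.com</a> account.
"""

def under(host, domain):  # True if host is domain or one of its subdomains
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

class Anchors(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._text.strip(), self._href))
            self._href = None

def check(raw, brand="aa.com"):
    msg, findings = message_from_string(raw), []
    sender = parseaddr(msg["From"])[1].rpartition("@")[2]
    # Assumption: the top Received header was stamped by our own mail server,
    # so its "from" host is the machine that actually delivered the message.
    hop = re.search(r"from\s+(\S+)", (msg.get_all("Received") or [""])[0])
    if under(sender, brand) and hop and not under(hop.group(1), brand):
        findings.append(("origin", hop.group(1)))
    parser = Anchors()
    parser.feed(msg.get_payload())
    for text, href in parser.links:
        shown = re.fullmatch(r"(?:https?://)?([\w.-]+\.[a-z]{2,})/?", text, re.I)
        target = urlparse(href).hostname or ""
        if shown and not under(target, re.sub(r"^www\.", "", shown.group(1))):
            findings.append(("link", text, target))
    return findings
```

Note that the link host in the sample begins with "aa.com" yet belongs to a different domain, which is why the check compares the end of the hostname and not a substring.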