As do all Internet users, I receive my share of spam and scams in my email inbox. As a longtime Web enthusiast, I thought I'd seen just about every possible permutation of the online hustle. But yesterday a colleague forwarded me an email he deemed suspicious (correctly), and which featured a novel twist.
The email's subject line was "AAdvantage Survey Program" and read as follows:
Greetings from AA.com
Those who clicked on the link in the email were taken first to a web page that looked exactly like a page on AA.com where they were asked to provide an AAdvantage membership number and PIN; then to an online survey with questions pertaining to American's website; and finally to a page requesting the user's personal information, including social security number, date of birth, mother's maiden name, credit card number, expiration date, code, and ATM PIN.
This is classic phishing. (According to Wikipedia, "phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.")
I can't say for sure that this is the very first frequent flyer program-related email scam, but it is the first one I'm aware of. Also noteworthy is American's response.
A recipient of the email forwarded it to American spokesman Tim Wagner, who alerted the AAdvantage department and American's IT security personnel. It was determined that the email, which appeared to have been sent from AA.com, actually traced back to a server in Moscow. American then took the unusual step of sending an email to AAdvantage members, as follows:
It has come to our attention that a "phishing" email was received by many people including some of our AAdvantage(R) members. A phishing email attempts to trick unsuspecting people into revealing personal information to a third party. This particular phishing email is a fraudulent email message that claims to be from American Airlines and offers a $50 payment in return for completing a survey.
Wagner suspects the culprits were more interested in obtaining credit card information than in using AAdvantage information to fraudulently obtain free tickets. I think he's right—frequent flyer awards are easily traced.
Targeting frequent flyer program members may be a one-time-only event. Unfortunately, it's more likely that this is just the beginning of a new trend.
As banks and credit card issuers know, frequent flyers are a highly desirable segment of the consumer universe. Perpetrators of phishing scams recognize that too, and can be expected to target mileage program members again. And again and again and again.
Think that email is from your frequent flyer program? Don't be too sure. (See the Wikipedia article referenced above for assistance in recognizing and eliminating phishing emails.)


