I sometimes receive emails pretending to be from a legitimate business such as a bank trying to get me to divulge sensitive information such as account numbers or passwords. This fraudulent practice is called "phishing". Such emails are easy to recognize when they purport to be from a business that you do not have a relationship with. However, if you are sending out millions of such emails you don't need a high response rate. You just need to get lucky a few times with recipients who for one reason or another find the email plausible enough to get past their guard.
This happened to me. I have a corporate credit card with American Express which I rarely use but had recently used on a business trip. I had also recently filled out an online form with a financial institution which has moved to a mandatory 2-factor authentication system. So when I received an email purportedly from American Express (similar to this) asking me to update my authentication information I accepted it as genuine without much thought.
It is a well known psychological phenomenon that people prefer to incorporate new information into an existing world view rather than use it to overturn previous beliefs. So once I had accepted the email as genuine I didn't revisit this question as I filled out the attached form despite some, in hindsight, red flags. Even when the form asked for my email password (which I refused to provide) I didn't question that the email was genuine, believing instead that American Express was being unreasonably nosy. It wasn't until I was driving to work the next day that the penny dropped and I realized I should consider the possibility that the email was fake. Still I was a little reluctant to abandon my preexisting belief even as I added up the considerable evidence favoring fake.
Fortunately my mistake will apparently have no serious consequences. I am not sure any of the information I provided actually got back to the sender as I didn't complete the form and submit it (whereupon, according to the link above, I would have been redirected to a genuine American Express page). In any case I notified American Express that evening, who told me there hadn't been any recent activity on my card and that I wasn't responsible for fraudulent charges. All in all they didn't seem very concerned but did give me an email address to forward the fake email to. I did so and received an acknowledgement so I think I am covered.
I was a little concerned that the email might have ill intentions besides eliciting sensitive information (like for example encrypting my hard drive and requesting ransom to decrypt it) but the link above seems to discount any such possibilities.
Raw data: A cautionary tale