A new American Express phishing attack that specifically targeted American Express cardholders is unlike other attacks, according to security researchers. It contains a sophisticated method of harming the recipient that experts are not as familiar with.

Phishing attacks are nothing new. They arrive as emails, texts, social media messages or phone calls that appear to come from someone you know. It might look like your boss or co-worker, someone in your email contact list, your bank or your favorite retailer.

Each new phishing attack email has different goals, depending on what kind of ruse they are using. A fake email from your boss might tell you to change a password or send funds to a different account number, but an email from your bank might try to get you to hand over your username and password. Many phishing attacks only want the user to click a link in the email so they can be taken to a fake website where the thief steals their information. Or even worse, a link that downloads a virus to their computer.

In the case of the American Express phishing attack, the link embedded in the American Express phishing emails is two different parts. This way, the hacker can insert malicious code into the link while also confusing your antivirus software. Instead of warning you about a harmful link, your software does not recognize it as malicious.

The email itself was very typical of these kinds of attacks, namely in that it was filled with grammatical errors. Some reports have shown that the spelling and punctuation mistakes, like the ones seen in the American Express phishing attack, are intentional so that only more gullible recipients will interact with it.

Fortunately, the age-old advice about avoiding a phishing attack still holds true. These are some things to keep in mind.

Never click a link or download an attachment that you are not expecting

If the email came from your boss, pick up the phone and verify it. If it appears to come from a company you do business with, ignore the email and go directly to their website. From there, you can see if there is an issue with your account.

Spelling matters

Companies do not send out emails or other messages with multiple errors. If you see any strange mistakes, that is probably a sign it is a fake.

Check the email address and URL

If you look very carefully at the sender’s address or the website address they have included in the message, you might notice something strange. If it says “Amaz0n.com,” for example, it is fake. If the website is Citibank.card.shop.com, instead of the company’s actual web address, again, it is a fake.

Do not trust the caller ID

If the phishing attempt comes by phone, like the American Express phishing attack, do not go by what you saw on the caller ID. It is easy to change the phone number or screen name to say anything the scammer wants, such as “IRS” or “County Sheriff’s Dept.” If you receive a phoned attempt at getting you to verify your identity or make some kind of payment, hang up and contact the company directly using a phone number you have located yourself.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next…

How to File an Equifax Claim for Data Breach Settlement

SCAM: Your Social Security Number Has Been Suspended

New Tool Breach Clarity Helps Consumers Make Sense of Data Breaches