Watch out for emails claiming to be from Bank of America with subjects like “Bank of America Security: Strange Purchase” or “Security Alert: Verify Your Bank of America Account ...”. These are dangerous phishing scams that steal your personal information, including your password, birthday, account number, Social Security number and more. SpamStopsHere is blocking them with multiple filter rules that were already in place before these latest variations emerged.
How to Spot This Phishing Scam
So you and your coworkers know what to look out for, here’s what these two campaigns look like:
[Image: Bank of America Phishing Scam Emails]
The emails are similar and look somewhat authentic. They both use actual BofA images and links (e.g., Privacy and Equal Housing notices). One includes a text box at the top stating that the message is from a “trusted sender”. However, they still show signs of being spam that you should train your coworkers to recognize. For example:
- No Customer Name
  - The emails begin with “Dear Customer” and “Dear Valued Customer”. Your bank knows your name and would likely use it in an email to you. However, don’t assume an email is legitimate just because it uses your name. Spear-phishing campaigns do just that.
- Spelling and Grammar Mistakes
  - No legitimate company would ever use such poor spelling and grammar (emphasis added):
    - "We detected a hugh debit..."
    - "...we strongly advice you verify..."
    - "...we need to very sure it's you..."
    - "We will review the suspicious activity on your account with you and upon verification, and remove any restrictions..."
    - "...its mandatory for you to Verify Your Bank of America Account..."
    - "...if this is not done as urgent as possible..."
    - "...we are always there to keep you informed..."
- Strange URLs
  - Some of the links (e.g., Privacy and Equal Housing) lead to legitimate BofA URLs. That's intended to make the emails seem authentic. However, the "call to action" or "click-me" links that the spammer wants you to click go to hacked websites that clearly do not belong to BofA. If you hover over the link text (don't click it!), the actual URL that it would take you to appears at the bottom of your browser window.
- Urgent Message
  - Phishing is a form of social engineering, using various techniques to gain the victim's trust or otherwise get them to do what the spammer wants. One of these tricks is to create a false sense of urgency, so the victim acts without thinking. Both of these campaigns include urgent "Security Alert" subject lines and titles, as well as warnings that there has been a huge debit, suspicious activity and that failure to act quickly could result in account deactivation. Those are designed to get you to click the big button without taking precautions.
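The four tells above (generic greeting, urgency language, and call-to-action links whose real destination is not the bank's domain) can be checked automatically on the raw HTML of a message, which is the programmatic equivalent of the hover check. The script below is an added example and is not SpamStopsHere's filter code; the sample email body, the list of legitimate bank hosts, the phishing host `compromised-site.example` and the link paths are all constructed for illustration.

```python
"""Flag the visual phishing tells described above in an HTML email body.

Added example, not SpamStopsHere code. The sample email, the legitimate
host list and the phishing host below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the bank legitimately uses (assumption for this example).
LEGIT_HOSTS = {"bankofamerica.com"}

GENERIC_GREETINGS = ("dear customer", "dear valued customer")

# Urgency wording taken from the campaigns described above.
URGENCY_PHRASES = ("security alert", "suspicious activity", "deactivation",
                   "as urgent as possible")

# Constructed sample resembling the campaign: real-looking footer links,
# a generic greeting, urgency language, and a "Sign In" button that leads
# off-domain. The bank link paths are placeholders, not verified URLs.
SAMPLE_EMAIL = """
<html><body>
<p>Dear Valued Customer,</p>
<p><b>Security Alert:</b> We detected a hugh debit on your account.
Failure to verify may result in account deactivation.</p>
<p><a href="http://compromised-site.example/boa/login.php">Sign In</a></p>
<p><a href="https://www.bankofamerica.com/privacy/">Privacy</a>
<a href="https://www.bankofamerica.com/equal-housing/">Equal Housing</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(url):
    """Hostname of a URL, lower-cased; empty string if it has none."""
    return (urlparse(url).hostname or "").lower()


def _is_legit(host):
    """True if host is a legitimate bank domain or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)


def analyze(html):
    """Return the tells found in an HTML email body.

    suspicious_links lists (visible text, real host) for every link whose
    destination is not on the bank's domain, i.e. what hovering would show.
    """
    parser = _LinkCollector()
    parser.feed(html)
    # crude tag stripping is enough for phrase matching on a sample body
    text = " ".join(re.sub(r"<[^>]+>", " ", html).split()).lower()
    return {
        "generic_greeting": any(g in text for g in GENERIC_GREETINGS),
        "urgency_phrases": [p for p in URGENCY_PHRASES if p in text],
        "suspicious_links": [(visible, _host(href))
                             for visible, href in parser.links
                             if not _is_legit(_host(href))],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Run it as a script to print the report for the constructed sample. The footer links to `bankofamerica.com` are ignored, exactly as the post says they should not be trusted as proof of authenticity, while the "Sign In" button is reported together with the host it actually points to.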
How this Phishing Scam Works
The malicious links go to a fake BofA login page that looks very realistic:
[Image: Fake Bank of America Login Page]
Clicking Sign In (don’t do it) takes you to fake forms designed to steal your personal information so the spammer can assume your identity, drain your account, use your credit card, etc. The form associated with the first email was particularly dangerous because of how realistic it looked and behaved, and how much information it requested. The URL is obviously not the BofA website, but the spammer is betting that many people won’t notice. Here’s a portion of it:
[Image: Fake Bank of America Account Information Form]
The first email has a really dangerous trick at the end to make it seem more legitimate. When you submit the form, a page appears that makes it look like the form is processing. Then, it takes you to a “session timeout” page. That last page is the actual session timeout page on the BofA website, lending even more credibility to the phishing scam. By that time it’s too late. The scammer has taken whatever information you submitted.
[Image: Fake Bank of America Loading Page]
[Image: Bank of America Phishing Scam Actual Timeout Page]
How We Block These Phishing Scams
SpamStopsHere is blocking these scams with at least 9 different filter rules, including phrases and other features that appear in this spam, but would never be in legitimate email. For obvious reasons, we generally don't release filter details, but we can say that we don’t block on individual "trigger" words.
Instead, our threat analysts block on long complex phrases (using regular expressions) and patterns. That helps make sure we don’t block legitimate email and helps us block future variations before we even know what they look like.
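To show why long-phrase rules beat single trigger words, the script below contrasts the two approaches on constructed messages. It is an added example and not SpamStopsHere's actual rules; the regular expressions are built from the misspelled phrases quoted earlier on this page, with flexible whitespace and optional words so that reworded variants still match, and the three sample messages (two phishing variants and one legitimate notice) are made up for illustration.

```python
"""Trigger-word matching versus long-phrase regex rules.

Added example, not SpamStopsHere's filter rules. The phrase patterns are
derived from the misspelled quotes in the post; the sample messages are
constructed for illustration.
"""
import re

# Naive approach: block on individual words that appear in the spam.
TRIGGER_WORDS = ("verify", "suspicious activity", "security alert")

# Phrase approach: long, misspelled phrases from the campaign, with \s+ so
# line breaks or extra spaces do not defeat the rule, and optional words so
# minor rewordings ("advice you to verify") still match.
PHRASE_RULES = [
    ("hugh-debit", re.compile(r"\bdetected\s+a\s+hugh\s+debit\b", re.I)),
    ("advice-verify",
     re.compile(r"\bstrongly\s+advice\s+you\s+(?:to\s+)?verify\b", re.I)),
    ("very-sure", re.compile(r"\bneed\s+to\s+very\s+sure\s+it'?s\s+you\b", re.I)),
    ("mandatory-verify",
     re.compile(r"\bits?\s+mandatory\s+for\s+you\s+to\s+verify\b", re.I)),
    ("urgent-as-possible", re.compile(r"\bas\s+urgent\s+as\s+possible\b", re.I)),
]

# Constructed samples: two phishing variants and one legitimate notice.
PHISH_VARIANT_1 = ("We detected a hugh debit on your account and we strongly "
                   "advice you to verify your account.")
PHISH_VARIANT_2 = ("Its mandatory for you to VERIFY your account; if this is not "
                   "done as\nurgent as possible it will be deactivated.")
LEGIT_NOTICE = ("We noticed suspicious activity on your account. To verify the "
                "transaction, sign in at bankofamerica.com.")


def trigger_word_hits(text):
    """Names of trigger words present in text (whole-word, case-insensitive)."""
    return [w for w in TRIGGER_WORDS
            if re.search(r"\b" + re.escape(w) + r"\b", text, re.I)]


def phrase_rule_hits(text):
    """Names of phrase rules whose regex matches anywhere in text."""
    return [name for name, rx in PHRASE_RULES if rx.search(text)]


def would_block(text):
    """A message is blocked only when at least one phrase rule matches."""
    return bool(phrase_rule_hits(text))


if __name__ == "__main__":
    for label, msg in (("phish 1", PHISH_VARIANT_1), ("phish 2", PHISH_VARIANT_2),
                       ("legit", LEGIT_NOTICE)):
        print(f"{label}: trigger words {trigger_word_hits(msg)}, "
              f"phrase rules {phrase_rule_hits(msg)}, block={would_block(msg)}")
```

The legitimate notice contains "verify" and "suspicious activity", so a trigger-word filter would block it; none of the phrase rules match it, while both phishing variants hit at least one rule even though the second one breaks a phrase across a line.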