Bank of America Text Message Phishing Attack

Tuesday evening I was targeted by a text message phishing attack. Here’s what tipped me off that it was fake, and how you can avoid being tricked in the future.

At the end of the day yesterday I was greeted with a text message from a strange email address, which tipped me off immediately that it was a scam. Once I opened the text it was even clearer that this was a scam to steal information from Bank of America customers. The alert comes in as a fake message that your card has been locked and you need to go to a link to unlock it. Remember: when messages like this arrive, open a new browser window and go to your financial institution's website yourself to check on your accounts.

[Image: the fake text message]

This message was sloppy: it came from a random email address instead of the usual five-digit short code (e.g. 5xx-1x).

The big tip-offs in this text message are that the sender is not a Bank of America address, the zero used in place of an "o" in "Bnk0fAmericaDEBIT", and the link isn't at bankofamerica.com but ends in tbm5430.com. Stay vigilant when you get messages like this; don't panic and assume you need to click the link immediately. Take your time, read through the message for flaws, and then visit your bank's website on your own or call them at the number listed on their website.
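As an added example (not from the original post), a small Python checker that applies the three tip-offs above to an SMS: a sender that is not a numeric short code, a brand name with digits swapped in for letters, and a link whose registered domain is not the bank's. The sender address and message text are constructed for the example, and the short-code and domain rules are deliberate simplifications.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# The bank's real registered domain and brand string, as named in the post.
LEGIT_DOMAIN = "bankofamerica.com"
BRAND = "bankofamerica"
# US SMS short codes are 5 or 6 digits; the scam in the post came from an email address instead.
SHORT_CODE = re.compile(r"^\d{5,6}$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Digit-for-letter substitutions, e.g. the zero in "Bnk0fAmericaDEBIT".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

def registered_domain(host):
    """Last two labels of a hostname (simplification: ignores ccTLDs such as .co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def brand_lookalike(token):
    """A word that mixes letters and digits and, once the substitutions are undone,
    shares a long run of characters with the brand name (catches Bnk0fAmericaDEBIT)."""
    if not (any(c.isdigit() for c in token) and any(c.isalpha() for c in token)):
        return False
    norm = token.lower().translate(LEET)
    match = SequenceMatcher(None, norm, BRAND).find_longest_match(0, len(norm), 0, len(BRAND))
    return match.size >= 8

def red_flags(sender, body):
    """Return the red flags the post walks through, for one SMS."""
    flags = []
    if "@" in sender or not SHORT_CODE.match(sender):
        flags.append("sender is not a numeric short code")
    for token in re.findall(r"[A-Za-z0-9]+", body):
        if brand_lookalike(token):
            flags.append(f"brand name spoofed with digits: {token}")
    for url in URL_RE.findall(body):
        dom = registered_domain(urlparse(url).hostname or "")
        if dom != LEGIT_DOMAIN:  # also catches bankofamerica.com.<other>.tld lookalikes
            flags.append(f"link goes to {dom}, not {LEGIT_DOMAIN}")
    return flags

# Constructed sample resembling the message described in the post (not its actual text).
SAMPLE_SENDER = "alerts@mail.example.invalid"
SAMPLE_BODY = "Bnk0fAmericaDEBIT: Your card has been locked. Unlock it at http://secure.tbm5430.com/unlock"

if __name__ == "__main__":
    for flag in red_flags(SAMPLE_SENDER, SAMPLE_BODY):
        print("RED FLAG:", flag)
```

The same three checks pass a message from a genuine short code that links only to bankofamerica.com, so the checker separates the post's sample from a legitimate alert rather than flagging every bank SMS.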

Because I knew this was a scam, I fired up an Android VM and visited the link to see what the pages looked like. Immediately you're greeted with something that should raise several red flags: the webpage is clearly not formatted correctly and doesn't appear to have any functionality.


The first page is just a static image ripped from the actual BofA site.

However, after a few minutes the page reloads and brings you to a much better copy of the mobile version of Bank of America's site. There were three screens of forms to fill out, each asking for different personal information to "unlock my account": debit card number, CVV, expiration date, birth date, last four digits of your Social Security number, driver's license number, home address, ZIP code, and phone number. With this much information they could easily go after the money in your bank accounts.


Just one of three forms looking for personal information.

Your financial institution is never going to send you a text message requesting all of this information. Even if that situation arises one day and you suspect the message is real, always go to their website on your own by typing in the URL yourself, not by using the link or phone number provided. Because I wanted to press on with the scam, I filled all of the fields out with "none" and zeros; the form completed and redirected me to an actual Bank of America webpage about their privacy policy (see below).


After finishing the form you’re redirected here to convince you it was all real.

Keep an eye out for scams like this in the future; they're fairly common. Always question unexpected text messages, and visit your financial institution's website yourself. Do not use the link or phone number provided in the scam message.

If you’d like to read about a similar SMS phishing attack involving American Express, see this post.
