Bank of America Text Message Phishing Attack

Tuesday evening I was targeted by a text message phishing attack. Here’s what tipped me off that it was fake, and how you can avoid being tricked in the future.

At the end of the day yesterday I was greeted with a text message coming from a strange email address, which tipped me off immediately that it was a scam. Once I opened the text it was even clearer that this was a scam to steal information from Bank of America customers. The alert comes in as a fake message saying that your card has been locked and that you need to follow a link to unlock it. Remember: when messages like this come in, open up a new browser window and go to your financial institution’s website to check on your accounts.

This message was sloppy, using a random email address instead of the usual five-number combo. Ex. 5xx-1x

The big tip-offs in this text message are that the sending email address is not from Bank of America, that a zero is used in “Bnk0fAmericaDEBIT”, and that the URL to click on isn’t at bankofamerica.com; it ends in tbm5430.com. Remember to stay vigilant when you get messages like this. Don’t panic and think you immediately need to click the link. Take your time and read through the message for flaws, and then visit your bank’s website yourself or call them at the number listed on their website.
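The three tip-offs above can be checked mechanically. This is an added example, not code from the original post: the function names, the digit-swap table, the brand fragment and both sample messages are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Assumptions for this sketch: the bank's real domain (named in the post),
# a brand fragment to look for, and a small digit-for-letter swap table.
LEGIT_DOMAINS = {"bankofamerica.com"}
BRAND_FRAGMENTS = ("ofamerica",)
DIGIT_SWAPS = str.maketrans("013457", "oieast")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SHORT_CODE_RE = re.compile(r"^\d{5,6}$")  # short codes: 5 or 6 digits

def host_is_legit(host):
    """True only for the bank's domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def check_sms(sender, body):
    """Return a list of red flags found in one message."""
    flags = []
    if EMAIL_RE.match(sender):
        flags.append("sender-is-email")
    elif not SHORT_CODE_RE.match(sender):
        flags.append("sender-not-short-code")
    # A token that only spells the brand after undoing digit swaps.
    for token in re.findall(r"[A-Za-z0-9]+", body):
        plain = token.lower()
        if any(f in plain.translate(DIGIT_SWAPS) and f not in plain
               for f in BRAND_FRAGMENTS):
            flags.append("digit-substitution:" + token)
    # Compare the link's real host, not whatever text it contains.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not host_is_legit(host):
            flags.append("off-domain-link:" + host)
    return flags

if __name__ == "__main__":
    # Constructed sample: the post gives only the "Bnk0fAmericaDEBIT" string
    # and the tbm5430.com ending; sender, wording and full URL are made up.
    print(check_sms("alerts@example.net",
                    "Bnk0fAmericaDEBIT: your card is locked. Unlock at "
                    "http://bankofamerica.com.tbm5430.com/unlock"))
    # Constructed legitimate-looking message from a five-digit short code.
    print(check_sms("12345", "Alert: review activity at "
                             "https://www.bankofamerica.com/"))
```

The host check matches on the end of the hostname, so a link that merely contains the bank's name somewhere in front of another domain is still flagged.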

Because I knew this was a scam, I fired up an Android VM and visited the link to see what the pages looked like. Immediately you’re greeted with something that should raise several red flags. The webpage is clearly not formatted correctly and doesn’t appear to have any functionality.

The first website is a static image ripped from the actual BofA site.

However, after a few minutes the page reloads and brings you to a better-made mobile version of Bank of America’s site. There were three screens of forms to fill out, each asking for different personal information from me to “unlock my account”. The forms were looking for debit card number, CVV, expiration date, birth date, last four digits of your Social Security number, driver’s license number, home address, zip code, and phone number. With this much information they could easily go after the money you have in your bank accounts.

Just one of three forms looking for personal information.

Your financial institution is never going to send you a text message and request all of this information. Even if that situation arises one day and you suspect the message to be real, always go to their website yourself by typing in the URL, and do not use the link or phone number provided. Because I wanted to press on with the scam, I filled all of these out with “none” and 0s, and the form completed and redirected me to an actual Bank of America webpage about their privacy policy. (See below)

After finishing the form you’re redirected here to convince you it was all real.

Keep an eye out for similar scams in the future; they’re fairly common. Remember to always question random text messages you get, and visit your financial institution’s website yourself. Do not use the link or phone number that was provided by the scam message.

If you’d like to read about a similar SMS phishing attack involving American Express, see this post.

9 thoughts on “Bank of America Text Message Phishing Attack”

  1. I received a text message from BofA saying my account was restricted, and it has a link to go to. Of course I never clicked that link. The phone number from the message is 872-225-8671. I called the bank and I was informed that all my cc and bank accounts have NO problem at all. BE CAREFUL!!!!

  2. I got one of these messages. First hint it was bad, I don’t bank with Bank of America. Should I still be wary of my bank account information?

    • As long as you didn’t click on the link and give them any information then you are all set Amy. The cyber criminals don’t have any of your bank information yet when they attempt to execute these scams, they are just phishing for it by sending you this message. Have a wonderful day and stay safe online!

  3. I entered my ss# before backing out. I never entered the full name, date of birth, address etc… I entered my ss# and hit continue and it brought me to the personal information page. That’s when I called the bank. What should I do?

  4. Spelling “apologise” with an “s” tells you that it is probably not from an American source. That spelling is acceptable outside the USA.

  5. In the first screenshot another clue is the misspelling of “apologize” with an “s” instead of a “z”; bank websites usually never make typos on basic words.

  6. With all the apps made, how about one that, on receiving ransomware or a phishing attack, you press the app and
    the sender’s machine gets affected.
