Bank of America – Account Servicing Update = Phishing Invitation

Sometimes it seems like Bank of America is deliberately trying to train their customers to fall for phishing scams. How else can we explain their persistent use of email policies that make it difficult, even for experts like us, to determine if their business emails are legitimate? And if it’s difficult for us, how much more difficult must it be for their customers who aren’t intimately familiar with the deceptive practices of the email fraud industry?

The example we’re looking at today gives clues that would normally go a long way toward proving its legitimacy while at the same time giving off a strong scent of email fraud.

Subject: FULL CUSTOMER NAME W/ MIDDLE INITIAL (REDACTED): Bank of America – Account Servicing Update

From: Bank of America Alert <customer.assistance.bac@assist.bankofamerica.com>

At first glance we were impressed that BoA seemed to be mending their ways a bit. The only link in the message is a generic link to www.BankofAmerica.com (more on this later) and the usual ‘Sign-In’ link that makes life so easy for BoA phishers is gone.

However, as we continued our analysis we were less and less impressed and more and more horrified by what we were finding.

BoA Phishing Invitation

Before we get to the ugly parts, though, there are several good points about this message that we should address:

  • The subject and body of the message use the full name, including the middle initial, of the victim customer. This doesn’t prove that the message is real but it is rare for spammers to have such detailed information.
  • The message contains the last four digits of the customer’s account number. This is also very unlikely to be included in a phishing email.
  • The link to www.BankofAmerica.com just takes the recipient to the main BoA web site instead of to a login page. (Or it would if it wasn’t broken, we’ll get to this in a minute.)

All of the above make a very convincing case for the message’s authenticity but we can make an equally convincing case for ignoring it:

  • The www.BankofAmerica.com link does not include the protocol (http://) so it won’t work from most webmail applications. This is also exactly the type of low-quality HTML we expect to see in phishing messages. Maybe BoA is saving money by turning their sensitive email project over to an intern.
  • The language of the message is extremely suspicious. Boiled down it basically says: We want to talk to you about your account ASAP but we’re not going to tell you why. This should have anybody’s fraud alarm bells ringing loudly.
  • The message contains an unverifiable phone number. We searched the web and BoA’s web site for 1.888.762.7152 and were unable to prove the number belonged to them. We even called it and confirmed that the people answering the phone could not point to any document anywhere on the internet that validates the number. Again, another highly suspicious and questionable tactic.
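As an added example (not code from the original post), the following Python checker applies the three warning signs just listed to a constructed copy of the message: a link with no protocol, a phone number that cannot be cross-referenced, and an urgent request with no stated reason. The sample email text and the allowlist of published numbers are assumptions.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample modelled on the message the post describes; not the real email.
SAMPLE = """From: Bank of America Alert <customer.assistance.bac@assist.bankofamerica.com>
Subject: JANE Q DOE: Bank of America - Account Servicing Update
Content-Type: text/html

<p>Dear JANE Q DOE, we need to discuss your account ending in 1234 as soon as possible.</p>
<p>Please call 1.888.762.7152 or visit <a href="www.BankofAmerica.com">www.BankofAmerica.com</a>.</p>
"""

# Assumed placeholder allowlist: numbers a customer could cross-reference on the
# bank's own web site or card. A real deployment would load the published list.
KNOWN_NUMBERS = {"8005551234"}

class LinkCollector(HTMLParser):
    """Collects every href in the HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

def assess(raw: str) -> list[str]:
    """Return the warning signs from the post that are present in one raw message."""
    body = message_from_string(raw).get_payload()
    findings = []
    parser = LinkCollector()
    parser.feed(body)
    # 1. A bare "www.example.com" href has no scheme: the sloppy HTML the post flags.
    for href in parser.hrefs:
        if not re.match(r"^[a-z][a-z0-9+.\-]*://", href, re.I):
            findings.append(f"link without protocol: {href}")
    # 2. A phone number that is not on the published allowlist cannot be verified.
    for match in re.finditer(r"\b1[.\-\s]?\d{3}[.\-\s]?\d{3}[.\-\s]?\d{4}\b", body):
        if re.sub(r"\D", "", match.group())[-10:] not in KNOWN_NUMBERS:
            findings.append(f"unverifiable phone number: {match.group()}")
    # 3. Urgency ("as soon as possible") with no reason given anywhere in the text.
    text = re.sub(r"<[^>]+>", " ", body).lower()
    if re.search(r"as soon as possible|asap|immediately", text) and not re.search(r"because|regarding|reason", text):
        findings.append("urgent request with no stated reason")
    return findings
```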

If we got this email we would definitely be calling the number on our card.

You might think, judging by some of the posts linked below, that we just like picking on Bank of America. While we do often point out the flaws in their emails, it is simply because we see so many phishing examples targeting BoA, and also because their legitimate emails have so many flaws that it makes it easier for con artists to exploit BoA customers.

Hopefully the message above is an indication that they’re trying to do a better job. At least they took the ‘Sign-In’ link off. BoA, if you’re reading this, here’s how you can help make life more difficult for phishing scams:

  • Be more specific about the issue addressed in the message while at the same time trying not to scare the customer into doing stupid things like clicking links in emails. Yes it’s difficult but you’re a huge corporation, we’re sure you can get some focus groups together and figure it out.
  • Change the www.BankofAmerica.com link to text and add the protocol so it looks like this: http://www.BankofAmerica.com (don’t link it).
  • Instead of including phone numbers, tell customers to use the number on the back of their card or from their last statement. Alternatively, if you must ask customers to call and must provide a phone number, then provide one that can be cross referenced on your web site.
  • Provide an identification number for the incident referenced in the email so that customers can say “I’m calling about case number XXXXX” instead of “I just got this weird email and it says something’s wrong with my account” when calling in via numbers found on the BoA web site or on the card.

If you’re a Bank of America customer, our recommendation for you is that you always use channels other than the email they send you to contact them. Also, call them and complain about their email policies and, if you’re so inclined, vote with your wallet and find a good credit union instead.

- -

OnlyMyEmail is an award winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record setting 99.9993% of all malicious and junk email.

Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."

OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.


One Response to “Bank of America – Account Servicing Update = Phishing Invitation”

  1. David says:

    I too received this email – and to the best of my knowledge, I do not have a Bank of America account. I also searched the phone number on Google – that’s how I ended up on your site.

    I believe I am a very informed internet user (I am in corporate marketing for a large company and have done more than my share of email marketing). Yet despite my knowledge, there was a tiny voice in my head saying, “what if somebody opened an account in my name? maybe I should call to find out.” If this email made me go through the trouble of researching, I bet there are plenty of people who actually called the number, especially the elderly.

    There needs to be a better way of protecting people from scammers…