Watch Out for These Ongoing Bank of America Phishing Campaigns Targeting Customers in the US

Identity thieves posing as Bank of America are targeting the inboxes of customers in the US in an attempt to steal personally identifiable information (PII) and credit card data.

Two ongoing phishing campaigns masquerading as legitimate bank correspondence have drawn the attention of Bitdefender researchers in the past week.

Bitdefender Antispam researchers spotted the first phishing campaign on July 10. According to our telemetry, the fraudulent correspondence originates from IP addresses in Belize. The fraudulent email presents itself as a seemingly legitimate security alert from the financial institution. It notifies recipients that their account was suspended due to unusual activity and asks them to download an online form.

Not having an account with Bank of America and receiving such correspondence should be a dead giveaway of a scam. But if you do have an account, take a look at the suspicious email domain — @bentonairpark — and the HTML attachment that should immediately sound the alarm.

Users who download and access the attachment are asked to confirm banking details and personal information, including:

  • Online ID, Full name, address and ZIP code
  • ATM, Card PIN or Passcode
  • Credit or Debit card number, expiry date and verification code (CVV)
  • Savings account number and routing number
  • Email address and phone number
  • Social Security number, date of birth, parents’ names and driver license number

Here’s a sample of the online form:

Fraudsters are trying to get as much information as possible to directly access customers’ bank accounts and use the newly acquired identities to conduct various forms of fraud in the victim’s name. If the lengthy process of filling out this form doesn’t discourage users, maybe the cramped style and poor layout will.

The second attempt at stealing users’ information comes as a Bank of America gift card notification email that has reached hundreds of thousands of targets. 77% of the scam emails appear to have been sent from the Czech Republic, and 15% from the United States. Only 64% of the phishing emails were directed towards users in the US. 17% reached Ireland, 4% Denmark, and 3% Sweden. A limited number of users in the UK, Romania and Germany have also seen the scam.

This fraudulent email attempts to trick unsuspecting victims into taking an online marketing survey to win a $90 reward.

Once verified, the page asks users to provide details such as name, email address and telephone number, or more sensitive information such as credit card details to pay for processing fees or transfers charges. The scammers will then abuse any provided details.

The perps use a variety of subject lines and headers in an attempt to dodge antispam mechanisms.

Subject lines used include:

  • All-Your.Bank.Of.America.Rewards.in.One.Place
  • BONUS: $50 BANK OF AMERICA Gift Card Opportunity
  • Congratulations! You can get a $50 Bank of America gift card!
  • Leave your feedback and you could WIN!
  • Shopper, You can qualify to get a $50 Bank of America gift card
  • (ENDS.SOON) You’re-.eligible.to.-receive.-exclusive.rewards

Markers in the email header indicating the sender include:

  • Bank of America Opinion Requested
  • Bank Of America Shopper Feedback
  • Bank of America Shopper Gift Card Chance
  • Bank of America Shopper Gift Opportunity

How can you avoid becoming a victim?

The best way you can avoid being scammed is to never respond to unsolicited emails that ask for your information unless you are absolutely sure of their origin.

Banks or financial instructions never ask customers to provide Social Security numbers, account numbers, ATM or debit card PINs, or any other sensitive information in response to an email. Knowing this information is vital when you’re not sure if the email comes from a trusted source.

Moreover, even if the appeal is urgent, in most cases, banks will not use email as the initial method of contacting customers in response to a pressing matter. If you or a family member have received this email, forward it to your bank (abuse@bankofamerica[.]com), then delete it.