A sophisticated Bank of America phishing campaign is active, using fake “account lock” alerts to steal online credentials, Social Security numbers, and OTP codes. The attack utilizes pixel-perfect clones of the Bank of America portal, often combined with telephone spoofing, to harvest full financial access. Users should avoid clicking links in alerts and instead navigate directly to bankofamerica.com to verify account status.
Target: Customers of Bank of America (USA)
Threat Level: Critical (Full Account & Identity Takeover)
Phishing Method Description
In this attack, scammers use Advanced Credential Harvesting. The victim typically receives an urgent SMS or email stating that their account has been “locked due to suspicious activity.”
The link leads to a pixel-perfect clone of the Bank of America Online Banking login page. This multi-step phishing kit is designed to steal:
Online ID and Passcode
Social Security Number (SSN) (last 4 digits or full)
Email Address and Email Password (Claiming it’s for “identity verification”)
One-Time Passwords (OTP) intercepted in real-time.
⚠️ Red Flags to Watch For
The Lookalike URL: The official domain is bankofamerica.com. Phishing sites often use deceptive addresses like bofa-online-security.com, bankofamerica-verification.net, or short links like bit.ly or t.co in the initial message.
Requesting Email Credentials: A legitimate bank will never ask for the password to your personal email account (Gmail, Yahoo, Outlook) to “verify” your identity.
Sensitive Personal Info: While banks may ask for a part of your SSN on their official site, a sudden request for your full SSN and card PIN on a page you reached via a link is a major red flag.
🛡️ How to Protect Yourself
Use the Mobile App: Always use the official Bank of America Mobile Banking app for any alerts. If there is a real issue, you will see a notification inside the secure app environment.
“Sign-In ID” Check: Bank of America uses a “SiteKey” or persistent recognition features. If the login page looks “generic” and doesn’t recognize your browser/device as it usually does, close it immediately.
Protect Your Email: Enable Two-Factor Authentication (2FA) on your email account. Even if scammers steal your bank password, they won’t be able to access your email to reset it if your email is properly secured.
Reporting: You can report Bank of America phishing directly by forwarding suspicious emails to [email protected].