Best looking phish I’ve seen in a long time

A month ago one of our spam analysts came across a Bank of America phishing spam.  The thing about this one is that it is one of the best I've seen in a long time:


This is very legitimate-looking.  The logo is legitimate, it has correct grammar and the USA Olympic sponsor is a nice touch at the bottom.  The notification is plausible (irregular credit card activity), the name of the person is in the To: (as well as the email, ie, and the account ends in a four digit number (which I changed). 

Even the disclaimers look legitimate; they are asking the recipient not to respond to the email and they challenge the user to login to their site and verify their Alerts history.  This is clearly a bet that most people don't do this.

The hook here is the telephone number.  The 800-number is a bit unusual for a spammer because it means that they have to go measures that most other spammers wouldn't - they need to set up a telephone answering service (a human would be best) instead of doing everything electronically and anonymously.  It's more trouble and more traceable than a typical phish.

Of course, this message is a scam.  An internet search yields this result which explains what is going on.  I think that this scam demonstrates the lengths that some phishers will stoop to and making things look real greatly increases the odds of yielding a profit.

Comments (17)
  1. Mark Adams says:


    You point out all of the indicators that make it look legit, but none of the ones that make you think that it was a phishing scam. From what you’ve posted, it looks legit. Bank of America really does own and that number belongs to FIA Card Services, the provider of services for many credit card issuing banks.

    Now if the actual links went to some other site when clicked on, then I’d say it’s a phishing scam. 🙂

  2. Barbara Maxwell says:

    My husband called the number on a very similar notice (by mail) from with a bank of america logo and was hung up on when he started questioning the person who answered the phone.  He was asked many personal questions for "security purposes" but as soon as he asked for an explanation, the person hung up on him.  We assumed this was not a legitimate operation because of this.

  3. T Ferrer says:

    This is not a phish.  There were some aspects of the process that did make me wary.  However, to address my concerns, instead of  clicking on the links provided by the email, I used the link that I had bookmarked to take me to my account online.

    The online account has a couple of security features that I verified were what I specified when I created the account.  I even made sure to enter an incorrect password to be denied as well since a fake site would not be able to know if the pw provided was correct.  It correctly denied me.

    Secondly, once I was logged in, I was given the same information as the email and also referred me to  Now, when started asking me for more identifying information, I started to wonder again.  So I backtracked and confirmed the validity of the certificates being used to secure the HTTPS connection, both to the Bank of America website and  Verisign did confirm that they were made by Bank of America.  So, reassured again, I entered the identifying information.

    It showed me the suspect transactions and I did confirm that one of the transactions were illegitimate while the rest were valid.  This also reassured me as a fake site would not have valid transactions listed with invalid ones.  So I went through the process of canceling my card.

    I followed up by calling the 800 number and, after going through the necessary ID rigamorole, they confirmed the account status and answered some additional questions, some of which they could not have answered if they did not have access to the account already.

    If it’s a phishing scam, it’s really sophisticated and, boy am I screwed.  (However, that would also mean that Verisign’s or BOA’s security reputation is on the line, because, if it is a phish, then either Verisign issued certs to an illegitimate user or BOA’s certs have been compromised.)  But I am confident that the confirmation approach that I took, while not perfect, did confirm the legitimacy of the notice and of the credit card cancellation.

    One of the more effective things that you can do to confirm the legitimacy of the site is to enter what you know is incorrect information (e.g., enter the CC Security code incorrectly, or the expiration month or year, or your password).  A legitimate website should give you an error and give you the chance to correct it.  If it lets you in with what you know to be incorrect information, then that would be a red flag.

    Well, I should see within 10 days, either I will have new cards or will be starting ID recovery tasks.

  4. Kathy Hart says:

    I received several automated phone calls at an old phone number about possible fraudulent activity before then receiving a letter which had the BOA logo at the top and listed my credit card number.  The letter didn’t look legit to me because it was all black and white–even the BOA logo.  I logged into my online banking and chatted with a rep who advised me to call their 1-800 number.  I found out that the letter was legit (and the phone calls had been also), and that someone had attempted to charge $270 to my credit card, which interestingly enough I had never activated.  BOA denied the charge.  I have now canceled that card and made sure BOA has my current phone number on record.

  5. someone says:

    T Ferrer’s comments have loopholes:

    1. entering incorrect password and seeing it denied is NOT an indication of safety — the phishers could be doing a "man in the middle", connecting in realtime to the real site and testing the password there.

    2. even if the website in the email is legit, the phone number in the email might not be.

    My take after half an hour of reviewing all the online evidence: most likely, this is a scam, and B of A is not very helpful about warning about it on their main site, since they ought to specifically list both the good and bad phone numbers. Or, unlikely but possible, it’s legit, and B of A is really stupid about not making that obvious (by listing the phone number on their own site). But if it’s legit, who is motivated to post all the comments saying it’s not? So all in all, there is a good chance it’s really a scam.

  6. Jon says:

    When I called the number on the back of my BofA card, they told me to go to  So either they’re redirecting my phone calls or it’s legit.  And I don’t think they’re redirecting my phone calls.

  7. Itsme says:

    The website is legit.  Of course someone phishing could also send you a phish email that looked just like this one.

    If you have any concerns about the site you can also access it through

  8. Nick says:

    This post really needs to be deleted. I just wasted 15 minutes on the phone with BofA trying to verify the site's legitimacy because this post cast further doubt on the site which I already thought looked phishy. *IS* a legitimate site, owned by Bank of America. Look it up on if you doubt this. Plus, I just had it verbally verified to me by a BofA customer service rep that I reached by calling the number of the back of my card.

  9. Toby Simmons says:

    The site is real. I was also very wary when I received an e-mail and visited the website. I went so far as to hover over the submit button but then played it safe and logged into the regular bank site and, sure enough, my account had a hold on it. I then called the number on the back of my credit card and was told the same information (that there had been irregular charges on my card) — after verifying the unauthorized charges (some bogus online dating junk) I got through to customer service and we are working it out.



  10. Daniel Morin says:

    I just received two letters from Bank of America from the Fraud Detection Department.

    The first letter was asking me to call 1-800-635-0581 and the second letter was asking me to call 1-800-427-2449 or visit  When I called the number, I noticed something strange asking for the full account number and the social security number.  Instead, I called the number behind my Visa card and Bank of America told me this letter was not from them.  I am investigating a bit about what is going on, however I would recommend to be careful with this letter.

  11. Geoff B says:

    This site is legit.  I agree it may look like a scam, but it really is B of A.

  12. The Dude says:

    Please remove this blog post – it's irresponsible to leave it up without correcting the information.  I just got off the phone with B of A and they verified that 800-427-2449 is the number of the company that handles their fraud protection.  The B of A operator even transferred me directly to them.  Turns out they handle other CC companies as well – they were calling about a non B of A account.  Peace.

  13. L Haskins says:

    800-427-2449 is a legit number for B of A you Aholes! Damn this scared the crap out of me 'til I found that you were full of it YOU are probably part of some fraud ring giving false info like this… I'm reporting you to B of A Jerkoffs!

    Terry Zink you are scum for not taking this down! "Best looking phish I've seen in a long time" because it isn't!

  14. Anonymous says:

    I got a call from that number and it seemed suspicious. But it seems very unlikely that a  phone number would be around for seven years if it's not from a legitimate source. Bank employees won't know every outgoing number used by each department, so if it's not one they know, they won't be able to confirm it.

    I didn't answer the call from the 800 number, and I received a later call, which I also ignored. I then went online and found that my FIA credit card was blocked for suspicious activity.

    I called FIA using the number on the back of my card and got is straightened out. I still have no idea why a call came from that 800 number, or how they got the number they called me on, since it's not the one they have on file for me.

    It's probably legitimate, but you are still better off calling the financial institution directly using the number on the back of your card. Caller ID can be spoofed, so a fraudster could call and make it appear to be from that number. However, it would be impossible for it to work in the other direction. If you place the call to the 800 number, it would have to go to whoever owns the number.

    A fraudster would have something to gain by calling you with a spoofed caller ID, but would have nothing to gain by sending you an email telling you to call that number.

    The link to the 800notes includes reports from people like me who found it suspicious, and I reported it there. I later retracted it.

    It seems almost impossible that a fraudster would call with a spoofed number over a seven year period, and by coincidence do so exactly when the financial institution expects fraud. Given that the suspicious charges turned out to be legitimate, it's not even possible that they made suspicious charges on my card as a ruse.

    Given how many people called the bank directly to confirm that there was legitimate activity, and given that the FBI wouldn't be letting a scam go on for seven years (If they hooked a few people, it would have triggered an investigation) it's just about impossible that this is fraud. But it can never hurt to hang up and call the number on the back of your card instead.

  15. Josh says:

    Before you jump to conclusions, spammers can and do fake this 800 number through Caller ID spoofing.  I received a call from this number.  Didn't recognize it, so I didn't answer.  I googled and found that it is associated with BOA fraud detection.  I called BOA myself and they said they had no record of fraud being detected and did not call me.  Moral of the story: some calls are actually from BOA, some are not (even when caller ID shows this number).  If you are concerned, don't answer or hang up and call them back directly.

    1. Tony Fondacaro says:

      My wife just got a text with what appeared to be an account login code, with the disclaimer saying “If you did not request the code, call 1.800.427.2449 for assistance. Called the number, got a recording that failed to identify who it was, or ask for any personal information, and it instantly passed me along to a representative who claimed it was BoA Fraud Department. I hung up and called BoA Fraud Department from the number on their website. I immediately got a recording that identified itself as BoA Fraud Department and asked for the account number.

      I think it’s a scam. Every call I’ve ever made to a bank I’ve gotten:

      1. An automated message identifying the financial institution I’m contacting.
      2. A prompt for an account number.
      3. Options to “better assist” you.

      I’m willing to bet it’s a scam. Luckily there were no fraudulent charges on my wife’s account and all the login attempts were from her phone or our computer.

Comments are closed.

Skip to main content