A month ago one of our spam analysts came across a Bank of America phishing spam. The thing about this one is that it is one of the best I’ve seen in a long time:
This is very legitimate-looking. The logo is legitimate, it has correct grammar and the USA Olympic sponsor is a nice touch at the bottom. The notification is plausible (irregular credit card activity), the name of the person is in the To: (as well as the email, i.e., firstname.lastname@example.org) and the account ends in a four-digit number (which I changed).
Even the disclaimers look legitimate; they ask the recipient not to respond to the email and they challenge the user to log in to their site and verify their Alerts history. This is clearly a bet that most people don’t do this.
The hook here is the telephone number. The 800-number is a bit unusual for a spammer because it means that they have to go to measures that most other spammers wouldn’t – they need to set up a telephone answering service (a human would be best) instead of doing everything electronically and anonymously. It’s more trouble and more traceable than a typical phish.
Of course, this message is a scam. An internet search yields this result, which explains what is going on. I think that this scam demonstrates the lengths that some phishers will go to, and that making things look real greatly increases the odds of yielding a profit.