Bank of America scam is stealing account passwords -- what to do

[Image: Bank of America email scam. Image credit: Tero Vesalainen / Shutterstock.com]

Security researchers have found a new credential-phishing attack that masquerades as an email message from Bank of America.

The message, unearthed by cloud-security firm Armorblox, tricks users into providing the email addresses and passwords for their online bank accounts.

Users were told that inactive email addresses would be recycled unless they updated and confirmed their banking details via an online portal.

“This email claimed to come from Bank of America and asked readers to update their email address,” wrote Chetan Anand, co-founder and architect of Armorblox, in a blog post.

“Clicking the link took the targets to the credential phishing page resembling the Bank of America home page, designed to make targets part with their account credentials.”

Bypassing security checks

Anand explained that the malicious message bypasses email security controls and doesn’t follow the tactics of more traditional phishing attacks.

First, the cyber crooks refrained from sending a mass email, instead using a "spear phishing" tactic. The message was sent to a select number of people, which helped it slip past email filters.

Although the message came from an individual Yahoo account with the display name “Bank of America”, it was relayed through SendGrid and sailed through the SPF, DKIM and DMARC checks. Those checks authenticate the domain that actually sent the mail, which in this case was the attacker's own, perfectly legitimate mailbox; they say nothing about whether the display name is honest. An authentication pass therefore tells a filter only that the sender really is who the From address says, not that the sender is the bank.

Social engineering tactics

Recipients were also duped by a link to a brand-new domain with no reputation to block (a so-called zero-day link) and a convincing lookalike website, according to Anand: “The attacker created a new domain for the link in this email attack, so it got past any filters that were created to block known bad links.

“The final credential phishing page was painstakingly made to resemble the Bank of America login page. The superficial legitimacy of this page would pass most eye tests from busy readers that want to get on with their other work duties after ‘updating their email address’ as soon as possible.”
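Both of the evasion points above, the authenticated-but-impersonating sender and the link to a freshly registered domain, come down to checking what the authentication headers do and do not vouch for. The script below is an added example written for this page, not Armorblox's product or code, that parses a constructed message modelled on the attack (a "Bank of America" display name on a Yahoo address relayed through SendGrid, all three authentication verdicts passing, and a link to a hypothetical lookalike domain) and flags the mismatch between the brand claimed in the display name and the domains that actually sent the mail and host the link. The brand allowlist is illustrative, and the sender address, lookalike domain and Authentication-Results line are all constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand -> domains allowed to send mail for it or host its login page.
# Illustrative allowlist for this example; a real deployment would maintain
# its own vetted list per brand.
BRAND_DOMAINS = {
    "bank of america": {"bankofamerica.com"},
}

# Constructed sample modelled on the attack in the article: display name claims
# the bank, the real sender is a Yahoo mailbox relayed through SendGrid, every
# authentication check passes, and the link goes to a new lookalike domain
# (the .example TLD is reserved; the hostname is hypothetical).
PHISH_EML = """\
From: "Bank of America" <someuser@yahoo.com>
To: victim@example.com
Subject: Action required: confirm your email address
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounces.sendgrid.net;
 dkim=pass header.d=yahoo.com; dmarc=pass header.from=yahoo.com
Content-Type: text/plain; charset=utf-8

Your email address will be recycled unless you update it at
http://bofa-secure-update.example/login
"""

# Constructed contrast case: same display name, but the From domain and the
# link both sit inside the brand's allowlisted domain.
LEGIT_EML = """\
From: "Bank of America" <alerts@bankofamerica.com>
To: victim@example.com
Subject: Your monthly statement is ready
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bankofamerica.com;
 dkim=pass header.d=bankofamerica.com; dmarc=pass header.from=bankofamerica.com
Content-Type: text/plain; charset=utf-8

Sign in at https://www.bankofamerica.com/ to view your statement.
"""


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the demo, no public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def body_links(msg) -> list:
    """Extract http(s) URLs from the preferred text body."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    return re.findall(r"https?://[^\s\"'<>]+", text)


def analyze(raw: str) -> dict:
    """Flag brand impersonation that survives SPF/DKIM/DMARC passes."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""
    claimed = next((b for b in BRAND_DOMAINS if b in display.lower()), None)
    findings = []
    # Display name says "bank", but the authenticated From domain is not the bank's.
    if claimed and sender_domain not in BRAND_DOMAINS[claimed]:
        findings.append(f"display name impersonates '{claimed}' but From domain is {sender_domain}")
    # Links that leave the brand's domains are the credential-harvesting page.
    links = body_links(msg)
    for url in links:
        host = urlparse(url).hostname or ""
        if claimed and registrable_domain(host) not in BRAND_DOMAINS[claimed]:
            findings.append(f"link to non-brand domain {host}")
    return {
        "display_name": display,
        "sender_domain": sender_domain,
        "auth": auth_results(msg),
        "links": links,
        "findings": findings,
        "verdict": "suspicious" if findings else "clean",
    }


if __name__ == "__main__":
    for label, eml in (("phish", PHISH_EML), ("legit", LEGIT_EML)):
        print(label, analyze(eml))
```

The point the two samples make is that the `auth` dictionary is identical for both messages: SPF, DKIM and DMARC all pass, because each message really was sent by the domain in its From header. The verdict only separates them once the display name is compared against the authenticated domain and the link targets are checked against the brand's own domains.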

However, a closer look at the message shows it was clearly not sent by Bank of America: the sender's address is an individual Yahoo mailbox rather than a Bank of America domain, and the link points to a newly created domain rather than the bank's own site.

After providing their account information to the phishing page, users were also asked to answer three security-challenge questions. 

This makes the phishing page look more legitimate, because Bank of America also asks security questions on login by default -- but it also means the attackers now hold the answers to your security questions, which are commonly reused as a recovery or step-up check and cannot be rotated as easily as a password.

Like all good examples of social engineering, the email message used psychological tactics to convince people to provide legitimate credentials. 

Anand said: “The email language and topic was intended to induce urgency in the reader owing to its financial nature. Asking readers to update the email account for their bank lest it get recycled is a powerful motivator for anyone to click on the URL and follow through.”

If you get such an email, don't respond to it or click its link. Instead, contact Bank of America through a channel you already trust, such as the phone number on the back of your card or the address you type into your browser yourself, never a number or link taken from the message, and ask whether they sent it. If you have already entered your password or security answers on such a page, change the password and the security questions and alert the bank.


"Provides adversaries with vital personal information"

Speaking to Tom's Guide, Anand told us: “With the enforcement of Single Sign On and 2FA, across organizations, adversaries are now crafting email attacks that are able to bypass these measures. This credential phishing attack is a good example.

“Firstly, it phishes for Bank of America credentials, which are likely not to be included under company SSO policies. Secondly, it also phishes for answers to security challenge questions, which are often used as a second/additional form of authentication.

“Asking security challenge questions not only increases the legitimacy of the attack, but also provides the adversaries with vital personal information about their targets.”

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!
