Blog

Bank of America Phishing Email Uses Multiple Tactics

Security researchers detected a phishing campaign whose attack emails employed numerous tricks to steal recipients’ Bank of America (BOA) credentials.

Security firm Armorblox observed a BOA phishing arrive in a customer’s inbox. The message informed the recipient that BOA was in the process of recycling its customers’ inactive email addresses. In support of this ruse, the attack email instructed the recipient to verify their email address by clicking an “Update email address” button. It warned them that the email address could become available to someone else, thus preventing BOA from sending important account information, in the event the recipient didn’t comply.

Clicking on the “Update email address” button embedded in the email message redirected the recipient to a phishing site designed to look like the Bank of America official login page.

Immediate take-aways:

Embed email threat protection within your corporate email system.
Keep your employees educated and aware of these schemes with solid security awareness training.

Recycling email addresses in general isn’t a new practice. Yahoo is known to have previously recycled email addresses. This didn’t go so well back in 2013 when these email addresses’ new owners were still receiving messages for their previous owners. Some of those emails even contained passwords, according to Naked Security. In response to these issues, Yahoo and Facebook worked together to develop the Require Recipient Valid Since (RRVS) email security protocol, as Techlicious reported at the time.

As a financial institution, BOA has the authority to ask that users update their emails and/or contact information. But it has no control to transfer an email address from one user to another. This should have been a clear red flag to recipients who are trained and alert.

The sender name impersonated BOA, making the email likely to get past eye tests when people glanced through it amidst hundreds of other emails in their overflowing mailboxes. The email language and topic was intended to induce urgency in the reader owing to its financial nature. Asking readers to update the email account for their bank lest it get recycled is a powerful motivator for anyone to click on the URL and follow through.

The phishing emails described above made their way past email security controls for several reasons identified by Armorblox in its research. These included the following:

The attack campaign described above wasn’t the first operation in which malicious actors sent out phishing emails that abused Bank of America as a lure. In the past, Zix | AppRiver came across an attack email not dissimilar from the one described above. Via the use of spoofing tactics and social engineering techniques, that message claimed that Bank of America could not verify the recipient’s account information. It then instructed the recipient to confirm their contact information by clicking on a “Sign In” button and authenticating themselves.

The Zix | AppRiver team also came across one more BOA-themed phishing email in the past. Arriving only with the subject line “Important Message,” the attack email informed the recipient that they needed to reconfirm their email address and mobile phone number in order to continue to process money transfers. The email also sought to assuage the recipient’s concerns by informing them how they could verify the message’s legitimacy:

Want to confirm this email is from Bank of America? Sign in to Online Banking and go to Alerts. The Alerts History lists the Alerts sent to you in the past 60 days. To verify that this email is from Bank of America, confirm your last sign-in date is correct. To access Online or Mobile Banking, go directly to bankofamerica.com or use our Mobile Banking App.

The email included an “update contact information” link. Recipients who clicked on the link found themselves redirected to website designed to look like the Bank of America login page. That website concealed a phishing kit designed to steal a recipient’s credentials.

Organizations can defend themselves against phishing attacks such as those described above by investing in their email security. They can do this by deploying a tool that’s capable of scanning incoming messages for signs of known threat behavior. This solution should perform these analyses while allowing legitimate correspondence to reach their intended destination.

Learn how OpenText Cybersecurity can help organizations strengthen their email security defenses.

Microsoft SolutionsMicrosoft Solutions

MSP SolutionsMSP Solutions

Partner ProgramPartner Program

MSP ProgramMSP Program

Become a PartnerBecome a Partner

Partner PortalPartner Portal

Resource CenterResource Center

Cybersecurity BlogCybersecurity Blog

WebinarsWebinars

Microsoft Solutions

MSP Solutions

Partner Program

MSP Program

Become a Partner

Partner Portal

Resource Center

Cybersecurity Blog

Webinars