Fraudulent Email in the Name of Bank of America
There’s an email in my Inbox this morning. The “From” field says “Bank of America”, the subject of the message reads “Account Suspension Case #00302353213”, and the body of the message seems legitimate.
The first sign I noticed that this may be a fraudulent email is that the mail says there was an unsuccessful access on “24 June 2006.” It would be more believable if it said “January 5, 2007” rather than “24 June 2006,” as I checked my account last night, and do we really use the “24 June 2006” format?
When I move the mouse cursor over the “click here” link, it shows the following URL:
and the page at the above URL again looks authentic.
In fact, all the links at the bottom of the page are real BoA links, except the three on top right which point to the same URL but with no actual page associated with them.
Actually, I think an easy way to determine whether it’s an authentic message is to check exactly where it is from, not where it claims to be from (the email address). In this case, the email address Bank of America <email@example.com> is already suspicious. Once I clicked the Full Header option (not the compact header, which only shows From, To, and Subject) in my Yahoo email, the entire path of how this message reached my mailbox is revealed:
From Bank of America Fri Jan 5 10:34:38 2007
X-Apparently-To: —@yahoo.com via 22.214.171.124; Sat, 06 Jan 2007 07:53:18 -0800
Authentication-Results: mta352.mail.mud.yahoo.com from=alert.bankofamerica.comcom; domainkeys=neutral (no sig)
Received: from 126.96.36.199 (EHLO server3.polaristar.com) (188.8.131.52)
by mta352.mail.mud.yahoo.com with SMTP; Sat, 06 Jan 2007 07:53:17 -0800
Received: from nobody by server3.polaristar.com with local (Exim 4.52)
for —@yahoo.com; Fri, 05 Jan 2007 12:34:38 -0600
Subject: Account Suspension Case #00302353213
From: Bank of America <firstname.lastname@example.org>
Date: Fri, 05 Jan 2007 12:34:38 -0600
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname – server3.polaristar.com
X-AntiAbuse: Original Domain – yahoo.com
X-AntiAbuse: Originator/Caller UID/GID – [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain – server3.polaristar.com
Though this apparently is a scam email, Yahoo’s DomainKeys failed to flag it. And the email was sent from server3.polaristar.com, which has nothing to do with Bank of America. Using a free IP lookup tool at IP2Location.com, I found the sender’s location is Dallas, Texas.
After determining that this is a fraudulent email, I forwarded the entire message to BoA for further investigation. In the reply email, BoA says:
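To make the same header check mechanical, here is an added Python example (not code from the original post) that parses a constructed copy of these headers, pulls the EHLO host and connecting IP from the hand-off Received: line, and compares that host’s domain with the domain the From: line claims. The From address and the mailbox/IP placeholder values are constructed, and the registered-domain helper is a deliberate simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers shown in the post, with the post's own
# placeholder mailbox/IP values and a constructed From: address.
RAW_HEADERS = """\
X-Apparently-To: victim@yahoo.com via 22.214.171.124; Sat, 06 Jan 2007 07:53:18 -0800
Authentication-Results: mta352.mail.mud.yahoo.com from=alert.bankofamerica.com; domainkeys=neutral (no sig)
Received: from 126.96.36.199 (EHLO server3.polaristar.com) (188.8.131.52)
 by mta352.mail.mud.yahoo.com with SMTP; Sat, 06 Jan 2007 07:53:17 -0800
Received: from nobody by server3.polaristar.com with local (Exim 4.52)
 for victim@yahoo.com; Fri, 05 Jan 2007 12:34:38 -0600
Subject: Account Suspension Case #00302353213
From: Bank of America <alert@alert.bankofamerica.com>
Date: Fri, 05 Jan 2007 12:34:38 -0600

"""

# Matches the hop where an outside server handed the message to the provider:
# "from <addr> (EHLO <claimed hostname>) (<connecting IP>)"
ENTRY_HOP = re.compile(r"from\s+(\S+)\s+\(EHLO\s+([^)\s]+)\)\s+\((\d+\.\d+\.\d+\.\d+)\)")

def registered_domain(host):
    """Crude 'example.com' from 'a.b.example.com' (no public-suffix handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze(raw):
    """Compare the claimed From: domain with the host that actually delivered
    the message to the recipient's provider (the topmost Received: line)."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].split("@")[-1]
    # Unfold continuation lines so the regex sees one logical header value.
    received = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    entry = ENTRY_HOP.search(received[0]) if received else None
    ehlo_host, entry_ip = (entry.group(2), entry.group(3)) if entry else ("", "")
    dk = re.search(r"domainkeys=(\w+)", msg.get("Authentication-Results", ""))
    domainkeys = dk.group(1) if dk else "none"
    reasons = []
    if not ehlo_host or registered_domain(ehlo_host) != registered_domain(claimed):
        reasons.append(f"delivered by {ehlo_host or 'unknown host'} ({entry_ip}), not {claimed}")
    if domainkeys != "pass":
        reasons.append(f"DomainKeys result is '{domainkeys}', not 'pass'")
    return {"claimed_domain": claimed, "entry_host": ehlo_host, "entry_ip": entry_ip,
            "domainkeys": domainkeys, "suspicious": bool(reasons), "reasons": reasons}

if __name__ == "__main__":
    for key, value in analyze(RAW_HEADERS).items():
        print(f"{key}: {value}")
```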
Thank you for contacting Bank of America to report a potentially fraudulent mail, commonly referred to as a “phishing” email. We take your security very seriously and will investigate this matter immediately. If our investigation determines that the email is fraudulent, we will take steps to have the site shut down.
I only hope they can really do what they promised to do “have the site shut down.”