Fraudulent Email in the Name of Bank of America

Posted by Sun on January 6, 2007

There's an email in my Inbox this morning. The "From" field says "Bank of America" and the subject of the message reads "Account Suspension Case #00302353213" and the body of the message seems legitimate.

The first sign I noticed that this may be a fraudulent email is that the mail says there was an unsuccessful access on "24 June 2006." It would be more believable if it said "January 5, 2007" rather than "24 June 2006", as I checked my account last night. And do we really use the "24 June 2006" format?

When I move the mouse cursor over the "click here" link, it shows the following URL:

http://www.fracchetti.it/alessandro/blog//content/www.bankofamerica.com/cgi-bin/common/update%20your%20account%20information/sign%20in/ 

and the page at the above URL again looks authentic.

In fact, all the links at the bottom of the page are real BoA links, except the three on top right which point to the same URL but with no actual page associated with them.  

Actually, I think an easy step to determine whether it's an authentic message is to check exactly where it is from, not where it claims to be from (the email address). In this case, the email address Bank of America <onlinebanking@alert.bankofamerica.comcom> is already suspicious. Once I clicked the Full Header option (not the compact header which only shows From, To, and Subject) in my Yahoo email, the entire path of how this message reached my mailbox was revealed:

From Bank of America Fri Jan  5 10:34:38 2007                                                                 
X-Apparently-To: —@yahoo.com via 206.190.39.155; Sat, 06 Jan 2007 07:53:18 -0800                       
X-Originating-IP: [70.86.247.130]                                                                             
Return-Path: <nobody@server3.polaristar.com>                                                                  
Authentication-Results: mta352.mail.mud.yahoo.com  from=alert.bankofamerica.comcom; domainkeys=neutral (no sig)
Received: from 70.86.247.130  (EHLO server3.polaristar.com) (70.86.247.130)                                   
  by mta352.mail.mud.yahoo.com with SMTP; Sat, 06 Jan 2007 07:53:17 -0800                                     
Received: from nobody by server3.polaristar.com with local (Exim 4.52)                                        
    id 1H2ttm-00039v-En                                                                                         
    for —@yahoo.com; Fri, 05 Jan 2007 12:34:38 -0600                                                     
To: —@yahoo.com                                                                                        
Subject: Account Suspension Case #00302353213                                                                 
From: Bank of America  <onlinebanking@alert.bankofamerica.comcom>                                             
Reply-To: b-SEA-707363805-1@alert.bankofamerica.com                                                           
MIME-Version: 1.0                                                                                             
Content-Type: text/html                                                                                       
Content-Transfer-Encoding: 8bit                                                                               
Message-Id: <E1H2ttm-00039v-En@server3.polaristar.com>                                                        
Date: Fri, 05 Jan 2007 12:34:38 -0600                                                                         
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report                    
X-AntiAbuse: Primary Hostname - server3.polaristar.com                                                        
X-AntiAbuse: Original Domain - yahoo.com                                                                      
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]                                                    
X-AntiAbuse: Sender Address Domain - server3.polaristar.com                                                   
X-Source:                                                                                                     
X-Source-Args:                                                                                                
X-Source-Dir:                                                                                                 
Content-Length: 1337    

Though this apparently is a scam email, Yahoo's DomainKeys failed to flag it. And the email was sent from server3.polaristar.com, which has nothing to do with Bank of America. Using a free IP lookup tool at IP2Location.com, I found the sender's location is Dallas, Texas.
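The header checks described above can be scripted. The following is an added example, not part of the original post: it compares the From, Return-Path and Reply-To domains, the host that connected to the recipient's mail server, and the signature result. The function names, the "redacted" recipient and the two-label domain comparison are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers from this post's message; "redacted" stands in for the hidden recipient.
RAW = """\
Return-Path: <nobody@server3.polaristar.com>
Authentication-Results: mta352.mail.mud.yahoo.com  from=alert.bankofamerica.comcom; domainkeys=neutral (no sig)
Received: from 70.86.247.130  (EHLO server3.polaristar.com) (70.86.247.130)
  by mta352.mail.mud.yahoo.com with SMTP; Sat, 06 Jan 2007 07:53:17 -0800
Received: from nobody by server3.polaristar.com with local (Exim 4.52)
    id 1H2ttm-00039v-En
    for redacted@yahoo.com; Fri, 05 Jan 2007 12:34:38 -0600
From: Bank of America  <onlinebanking@alert.bankofamerica.comcom>
Reply-To: b-SEA-707363805-1@alert.bankofamerica.com

"""

def domain_of(value):
    """Lowercased domain of the address in a header value, '' if absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def same_org(a, b):
    """Naive: compare the last two labels (wrong for suffixes like co.uk)."""
    return bool(a and b) and a.split(".")[-2:] == b.split(".")[-2:]

def check_headers(raw, expected):
    """Return a list of findings; `expected` is the domain the sender claims."""
    msg, findings = message_from_string(raw), []
    from_dom = domain_of(msg["From"])
    if not same_org(from_dom, expected):
        findings.append(f"From domain {from_dom!r} is not under {expected}")
    if not same_org(domain_of(msg["Return-Path"]), from_dom):
        findings.append("Return-Path domain differs from From domain")
    reply = domain_of(msg["Reply-To"])
    if reply and reply != from_dom:
        findings.append("Reply-To domain differs from From domain")
    # Only the top Received line comes from the recipient's server; lower ones
    # can be forged. Assumes the "(EHLO host)" format seen in this message.
    top = (msg.get_all("Received") or [""])[0]
    helo = re.search(r"\(EHLO ([^)\s]+)\)", top)
    if not helo or not same_org(helo.group(1).lower(), expected):
        findings.append("connecting host is not the claimed sender")
    auth = (msg["Authentication-Results"] or "").lower()
    if "domainkeys=pass" not in auth and "dkim=pass" not in auth:
        findings.append("no passing DomainKeys/DKIM signature")
    return findings

if __name__ == "__main__":
    print("\n".join(check_headers(RAW, "bankofamerica.com")))
```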

After determining that this is a fraudulent email, I forwarded the entire message to BoA for further investigation. In the reply email, BoA says

Thank you for contacting Bank of America to report a potentially fraudulent mail, commonly referred to as a "phishing" email. We take your security very seriously and will investigate this matter immediately. If our investigation determines that the email is fraudulent, we will take steps to have the site shut down.

I only hope they can really do what they promised to do "have the site shut down."

 

4 Comments
January 7, 2007

There’s a lot of BofA fraud out there. I used to get fraudulent telemarketing calls all the time.

It seems everyone’s getting in on the act now. Thanks for the heads-up since I own multiple accounts with Bank of America.

Nice investigative work!

Posted by TJP
January 8, 2007

Good catch…BoA seems to be a favorite target for scammers.

I am surprised why scammers can be so dumb as to make those “24 June 2006” thing… while they are smart enough to make a website and design it to steal your information. :) They always make some stupid mistake :)

Posted by Golbguru