Bank of America (BoA) continues to be one of the biggest targets for smishing scams — phishing campaigns that come through SMS instead of email. Why? Because millions of Americans use BoA, and scammers know they only need to trick a small percentage to cash in. These scams are getting more frequent, more realistic, and more dangerous. Attackers now blend convincing messages, spoofed caller IDs, fake websites, and even live phone agents to trick victims into handing over everything from banking passwords to one-time passcodes (OTPs).

How the Scam Works

The typical entry point is a simple but urgent-looking SMS, for example:

• “(Fraud) Alert: Your BofA ATM/Debit card has been suspended. Please call 1-870-***-**** to verify.”
• “BofA Payment Accepted for $153.48 at PetSmart on 04/21. Was this you? IF NO RING 1-***-***-8834.”

At first glance, these messages seem legitimate. They often come from spoofed numbers or sender IDs like “BankofAm” and use support-style wording. Some even mirror actual BoA fraud notifications, making it hard to spot the difference. In one recent dataset, we found:

• 59+ card suspension messages
• 97+ unique phone numbers tied to smishing
• 254+ spoofed email addresses mimicking BoA alerts
• Domains like “b_o_f_a_support_line[at]comcast.net” are used to hide behind foreign infrastructure

What Happens If You Call or Click

Victims who call the number usually reach a fake automated phone menu that sounds like BoA, or a live scammer pretending to be from the BoA fraud department. These actors follow polished scripts and will ask for “standard verification”, such as:

• Last four digits of your SSN
• ZIP code
• Online banking username
• Full card number

If you have enabled two-factor authentication (2FA), they will prompt you to read back the security code sent to your phone — effectively bypassing your account protections. In more sophisticated cases, scammers direct users to install remote access tools on their phone or computer, allowing them to take over online banking sessions in real-time.

Protect Yourself with Trend Micro ScamCheck

With the increasing number and sophistication of scams, staying one step ahead is more crucial than ever. Unfortunately, antivirus software alone isn’t enough. Introducing the newly updated Trend Micro ScamCheck! Available for both Android and iOS, ScamCheck offers comprehensive protection from deceptive phishing scams, scam and spam text messages, deepfakes, and more:

• Scam Check: Instantly analyze emails, texts, URLs, screenshots, and phone numbers with our AI-powered scam detection technology. Stay secure and scam-free.
• SMS Filter & Call Block: Say goodbye to unwanted spam and scam calls and messages. Minimize daily disruptions and reinforce your defenses against phishing.
• Deepfake Scan: Detect deepfakes in real-time during video calls, alerting you if anyone is using AI face-swapping technology to alter their appearance.
• Web Guard: Surf the web safely, protected from malicious websites and annoying ads.

Fake Links and Lookalike Domains

Some messages go even further, embedding links that take users to cloned Bank of America pages where they are asked to “verify” or “review” a suspicious payment or check, for example:

• “Did you authorize check #0000008124 for $39,182.00? View image: <URL>”

These URLs are cleverly disguised, and once you log in, your credentials are sent straight to the scammer. From there, your account can be drained before you even realize what happened.

What the Scammers Want

These campaigns aim to steal:

• Online banking log-in info
• Debit or credit card numbers
• Personal details like SSNs, emails, and phone numbers
• SMS-based security codes and OTPs

After gathering what they need, scammers vanish. The phishing sites are often taken offline within hours. Meanwhile, stolen funds are funneled through mule accounts or converted into cryptocurrency to make them harder to trace.

What makes these scams especially dangerous is how closely they resemble real BoA fraud alerts. For example, legitimate BoA texts often warn: “Bank of America will never ask you to transfer money to ANYONE, including yourself.” Scammers copy that exact language — then turn around and ask you to call a bogus number or approve a fraudulent transfer.

How to Protect Yourself

If you get a suspicious BoA text:

• Don’t call the number in the message. Use the official number on BoA’s website or app.
• Don’t click links unless you’re 100% sure they’re legitimate.
• Never share 2FA codes or install remote access software unless you’re on the phone with someone you called through official channels.

Smishing attacks on Bank of America customers are part of a larger trend in mobile fraud. They combine urgency, realism, and smart use of phone infrastructure to trick even savvy users.

These aren’t just low-effort phishing texts anymore — they’re coordinated, multi-channel fraud campaigns. Staying alert and knowing what to look for is your best first line of defense.

To download Trend Micro ScamCheck or to learn more, click the button below.

As ever, if you’ve found this article an interesting or helpful read, please SHARE it with friends and family to help keep the online community secure and protected. Also, please consider clicking the LIKE button or sharing your experience in a comment below. Here’s to a secure 2025!