Bank of America is one of the most impersonated brands in phishing campaigns worldwide. With over 69 million consumer and small business clients, BofA represents an enormous target – attackers know that a significant portion of any random list of email addresses will include Bank of America customers. Combined with the 3.4 billion phishing emails sent globally every day, the odds are high that you have already received a fake Bank of America email, whether you are a customer or not. This article is part of our comprehensive Phishing & Social Engineering guide and walks through the specific phishing patterns targeting BofA customers in 2026.
Understanding what these scams look like is your first line of defense. Below are the most common Bank of America phishing email formats currently in circulation, along with smishing and phone-based variants, and practical steps for protecting yourself.
Pattern 1: The Suspicious Activity Alert
This is the most prevalent Bank of America scam email. It exploits the fear that someone has accessed your account without authorization.
Typical subject lines:
- “Suspicious Activity Detected on Your Account”
- “Unusual Sign-In Attempt – Verify Your Identity”
- “Alert: Unauthorized Transaction on Your BofA Account”
What it looks like: The email uses Bank of America’s logo, brand colors, and a layout that closely mirrors genuine BofA alerts. It states that unusual activity has been detected and that your account has been temporarily limited or locked. A prominent button says “Verify Your Identity” or “Review Activity Now.”
The tell: The sender address is not from @bankofamerica.com or @ealerts.bankofamerica.com. Common fakes include addresses like security@bankofamerica-alerts.com, noreply@bofasecure.net, or alerts@boa-online.com. The “Verify” button links to a fake login page on a lookalike domain designed to capture your credentials.
The reality: Bank of America does send genuine fraud alerts, but they direct you to sign in through the official app or website – they never ask you to enter credentials through an email link. If you receive a suspicious activity alert, open the Bank of America app directly or navigate to bankofamerica.com yourself.
Pattern 2: The Account Suspension Warning
This variant escalates the threat level by claiming your account will be closed or permanently suspended if you do not act immediately.
Typical subject lines:
- “Action Required: Your Bank of America Account Will Be Suspended”
- “Account Closure Notice – Immediate Verification Needed”
- “Your BofA Online Access Has Been Restricted”
What it looks like: The email warns that your account has been flagged for a policy violation, identity verification failure, or outdated information. It states that if you do not update your details within 24 or 48 hours, your account will be permanently closed. The message includes a “Reactivate Account” or “Update Information” button.
The tell: Legitimate banks do not threaten account closure via email with a 24-hour deadline. The urgency is entirely artificial – designed to override your critical thinking. The email requests information that Bank of America already has and would never ask you to resubmit through email, including your Social Security number, account number, or online banking password.
The reality: If Bank of America genuinely needed to restrict your account, you would see the restriction when you log in through the official app. You would also receive communication through secure message within your online banking portal, not through an unsolicited email with a countdown timer.
Pattern 3: The Security Upgrade or System Update
This phishing email disguises itself as a routine system notification, claiming that Bank of America has upgraded its security systems and requires customers to re-verify their accounts.
Typical subject lines:
- “Important: BofA Security System Upgrade – Action Required”
- “Bank of America Has Updated Its Privacy Policy”
- “Complete Your Account Migration to Our New Secure Platform”
What it looks like: The tone is less alarming than the fraud alert variants. It presents itself as a standard corporate communication about a system upgrade, new security features, or regulatory compliance. The email asks you to “confirm your account details” or “re-verify your identity” to maintain access after the upgrade.
The tell: Banks do send communications about system updates and policy changes, but they never require you to re-enter your password, SSN, or account number through an email link. A genuine upgrade notification would simply inform you of changes – it would not require you to take action through a link in the email.
Pattern 4: The Zelle or Transfer Confirmation
With the widespread adoption of Zelle for peer-to-peer payments through Bank of America, phishing emails now exploit transfer notifications to create urgency.
Typical subject lines:
- “You Sent $500.00 via Zelle – Confirm or Cancel”
- “A Zelle Payment of $1,200.00 Is Pending Your Approval”
- “Zelle Transfer Alert: Did You Authorize This Payment?”
What it looks like: The email mimics a Zelle transaction confirmation, showing a payment you supposedly initiated. The amount is typically large enough to cause alarm. The message includes a “Cancel This Transaction” or “Report Unauthorized Payment” button, preying on the instinct to act fast before money leaves your account.
The tell: If you did not initiate a Zelle payment, the email is fraudulent. Clicking “Cancel” leads to a phishing page that harvests your online banking credentials. Real Zelle notifications from Bank of America come from @ealerts.bankofamerica.com and can be confirmed by logging into the BofA app directly.
The reality: Even if a fraudulent Zelle payment were initiated, clicking a link in an email would not cancel it. You would need to contact Bank of America directly through the app or by calling the number on the back of your debit card.
Pattern 5: The Reward or Cashback Notification
Not all phishing emails rely on fear. This variant uses the promise of money to lure you into clicking.
Typical subject lines:
- “Your BofA Preferred Rewards Balance: $347.50 Available”
- “Claim Your Bank of America Cash Back Bonus”
- “You’ve Earned a Special Loyalty Reward – Redeem Now”
What it looks like: The email congratulates you on earning rewards, cashback, or loyalty points, and provides a link to “redeem” them. The design mimics Bank of America’s rewards program branding. Some variants claim you need to redeem before your rewards expire.
The tell: Bank of America does offer rewards programs, but redemption happens within your online banking account or app, not through an email link. Rewards do not expire with a 48-hour countdown. Any email asking you to “log in to claim” rewards through an embedded link should be treated as suspicious.
Pattern 6: The Tax Document or Statement Notification
This pattern peaks during tax season (January through April) but appears year-round.
Typical subject lines:
- “Your BofA 1099 Tax Document Is Ready”
- “Download Your Bank of America Year-End Statement”
- “Important Tax Information from Bank of America”
What it looks like: The email states that an important tax document or account statement is available for download. It may include a “Download Document” button or a PDF attachment. The PDF attachment may contain malware, or the download button links to a credential-harvesting page.
The tell: Bank of America makes tax documents available through online banking, not as email attachments. If a tax document is ready, you will see it when you log into your account. Never open attachments from unexpected emails, even if they appear to come from your bank.
Smishing: BofA Text Message Scams
SMS phishing – smishing – targeting Bank of America customers has surged in recent years. Text messages are particularly dangerous because they appear on your lock screen, are read almost immediately, and mobile browsers make it harder to inspect URLs.
Common BofA smishing messages:
- “BofA ALERT: Your debit card has been locked due to suspicious activity. Verify at [link]”
- “Bank of America: A $2,400 wire transfer was initiated from your account. If not you, call [number]”
- “BofA Security: We detected a sign-in from an unrecognized device. Verify immediately: [link]”
These texts either include a link to a phishing site or a phone number that connects you to a scammer posing as Bank of America’s fraud department.
How to handle BofA smishing:
- Do not tap any links in the text.
- Do not call any phone number included in the text.
- Open the Bank of America app directly and check your account.
- If you are concerned, call Bank of America using the number on the back of your debit card.
- Forward the suspicious text to 7726 (SPAM) to report it to your carrier.
- Delete the message.
Vishing: Phone Call Scams Impersonating BofA
Phone-based phishing – vishing – often follows a smishing attempt or operates independently. The caller ID may show “Bank of America” or a number that appears to be from BofA (caller ID spoofing is trivial for attackers).
Common vishing scenarios:
- The caller claims to be from BofA’s fraud department and says they have detected unauthorized transactions. They ask you to “verify” your identity by providing your account number, PIN, or one-time passcode.
- The caller says your account has been compromised and offers to “help you secure it” by walking you through a process that actually gives them access.
- The caller asks you to confirm a one-time passcode that was just sent to your phone. In reality, the attacker is trying to log into your account and the passcode is a legitimate 2FA code – if you share it, the attacker completes the login.
The rule: Bank of America will never call you and ask for your full account number, SSN, PIN, password, or one-time passcode. If someone calls claiming to be from BofA and asks for any of this information, hang up. Call Bank of America directly using the number on the back of your card (800-432-1000 for general customer service).
How to Verify a BofA Email Is Legitimate
Before acting on any communication that claims to be from Bank of America, run through this checklist:
Check the sender address: Legitimate BofA emails come from @bankofamerica.com or @ealerts.bankofamerica.com. Click on the sender name to see the full email address, not just the display name.
Inspect the links without clicking: Hover over any buttons or links (on desktop) or long-press them (on mobile) to see the actual URL. It should point to bankofamerica.com – not bankofamerica-login.com, bofasecure.net, or any other domain.
Look for requests for sensitive information: Bank of America will never ask for your SSN, full account number, PIN, password, or one-time passcode via email, text, or phone. Any message requesting this information is fraudulent, no matter how official it looks.
Evaluate the urgency: Legitimate communications from your bank do not threaten account closure within 24 hours or demand immediate action through an email link.
Verify independently: When in doubt, open the Bank of America app or navigate to bankofamerica.com directly. Any legitimate alert will be visible within your account. You can also call the number on the back of your debit card.
For a broader framework that applies to all phishing attempts, see our guide on how to recognize phishing emails.
Why a Password Manager Is Your Strongest Defense
Technical defenses matter more than awareness alone. Even security-conscious people occasionally click links when they are tired, distracted, or stressed. A password manager provides an automated safety net that works even when your attention lapses.
Domain Matching Stops Credential Theft
When you use a password manager’s autofill to log into Bank of America, the password manager checks the exact domain of the page you are on. If the domain is bankofamerica.com, autofill works normally. If the domain is anything else – bankofamerica-secure.com, bofalogin.net, bankofamerica.com-verify.xyz – autofill stays silent. It does not matter how perfect the fake page looks. The domain check is automated and precise.
PanicVault performs this domain matching through Apple’s system-wide AutoFill on iPhone, iPad, and Mac. When you tap a login field on a site claiming to be Bank of America and PanicVault does not offer your credentials, that absence is your signal that the site is not genuine. Learn more about this mechanism in our article on how a password manager prevents phishing.
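The sender-address and link checks from the verification checklist above, and the exact-domain matching this section describes, can be written out as a small triage script. The following is an added example for this article, not PanicVault's code and not Apple's AutoFill logic. The lookalike domains are the ones named in the text; the sample messages, the constructed sender addresses, and the example.net host are made up for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains the article names as genuine Bank of America sender/site domains.
LEGITIMATE_DOMAINS = ("bankofamerica.com", "ealerts.bankofamerica.com")


def normalize_host(value):
    """Return the lower-cased host of a URL or bare domain string.

    A scheme is prepended when missing so urlsplit() sees a network location.
    urlsplit().hostname drops any user-info prefix, so a decoy such as
    "bankofamerica.com@bofalogin.net" resolves to "bofalogin.net".
    """
    value = value.strip()
    if "://" not in value:
        value = "https://" + value
    host = urlsplit(value).hostname or ""
    return host.rstrip(".").lower()


def belongs_to(host, domain):
    """Exact-domain match, the way a password manager's autofill decides.

    The host must equal the domain or end with "." + domain, so
    "www.bankofamerica.com" matches but "bankofamerica.com-verify.xyz",
    "bankofamerica-login.com" and "bankofamerica.com.example.net" do not.
    """
    return host == domain or host.endswith("." + domain)


def is_legitimate_host(host):
    return any(belongs_to(host, d) for d in LEGITIMATE_DOMAINS)


def sender_domain(from_header):
    """Domain of the actual address in a From header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return normalize_host(addr.rsplit("@", 1)[1])


def triage(from_header, links):
    """Return (item, ok) pairs for the sender and every link in a message."""
    findings = [("sender " + from_header, is_legitimate_host(sender_domain(from_header)))]
    for link in links:
        findings.append(("link " + link, is_legitimate_host(normalize_host(link))))
    return findings


# Constructed sample messages; the fake domains are the ones the article lists.
SAMPLE_MESSAGES = [
    ("Bank of America <alerts@ealerts.bankofamerica.com>",
     ["https://www.bankofamerica.com/"]),
    ("Bank of America Security <security@bankofamerica-alerts.com>",
     ["https://bankofamerica-login.com/verify"]),
    ("Bank of America Online <noreply@bofasecure.net>",
     ["https://bankofamerica.com@bofalogin.net/login"]),
    ("BofA Alerts <alerts@boa-online.com>",
     ["http://bankofamerica.com-verify.xyz/", "bankofamerica.com.example.net/x"]),
]

if __name__ == "__main__":
    for from_header, links in SAMPLE_MESSAGES:
        for item, ok in triage(from_header, links):
            print(("ok         " if ok else "SUSPICIOUS ") + item)
```

The script only reasons about the addresses and URLs as displayed, which is exactly what the checklist asks a reader to do; it does not authenticate the message, so a legitimate-looking sender domain is a necessary condition, not proof. The useful property is the same one the password manager relies on: the decision is a mechanical comparison against a fixed domain, so a convincing logo, a long URL path, or a deceptive prefix in front of an "@" changes nothing.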
Unique Passwords Contain the Blast Radius
Credential stuffing – where attackers use stolen username/password combinations from one breach to access other accounts – accounts for 22% of data breaches. If you reuse your Bank of America password on other sites (or vice versa), a breach anywhere compromises your banking. A password manager generates and stores a unique, random password for every account, ensuring that a compromise on one site cannot cascade to your bank.
Navigate From Your Vault, Not From Email Links
When you receive a notification about your Bank of America account, instead of clicking the link in the email, open PanicVault and tap your Bank of America entry. It will take you to the real bankofamerica.com and autofill your credentials. This simple habit eliminates the risk of landing on a phishing page entirely.
What to Do If You Fell for a BofA Phishing Scam
If you entered your credentials on a phishing site or shared sensitive information with a scammer, act immediately:
- Log into bankofamerica.com directly (type the URL or use your password manager) and change your online banking password.
- Call Bank of America at 800-432-1000 to report the incident. They can flag your account for monitoring and issue new card numbers if needed.
- Enable two-factor authentication on your BofA account if it is not already active.
- Review recent transactions for any unauthorized activity. Report fraudulent transactions immediately.
- Check other accounts. If you use the same password elsewhere, change those passwords too. This is an urgent reason to adopt a password manager if you have not already.
- Forward the phishing email to abuse@bankofamerica.com.
- Report it to the FTC at ReportFraud.ftc.gov and to the Anti-Phishing Working Group at reportphishing@apwg.org. See our full guide on how to report a phishing attempt.
- Consider a credit freeze if you shared your Social Security number. Contact the three major credit bureaus (Equifax, Experian, TransUnion) to place a freeze, which prevents new accounts from being opened in your name. Our online banking security guide covers this process in detail.
Staying Ahead of BofA Phishing in 2026
Bank of America phishing campaigns will continue to evolve. AI-powered phishing tools generate emails with perfect grammar, personalized details pulled from data breaches and social media, and branding that is indistinguishable from the real thing. The old advice to “look for spelling errors” is no longer sufficient.
What does work is a layered defense:
- Use a password manager that checks domains automatically and refuses to autofill on fake sites.
- Enable two-factor authentication on your Bank of America account and every other financial account.
- Never click links in emails or texts claiming to be from your bank. Navigate to the site directly.
- Verify independently through the official app or by calling the number on the back of your card.
- Report every phishing attempt to help protect others.
The attackers are counting on a moment of panic – the instant when you see “unauthorized transaction” and react without thinking. The best countermeasure is building habits that remove panic from the equation: let your password manager handle the domain verification, go directly to the source for every alert, and treat every unsolicited communication with healthy skepticism.
