Share
BANK SMISHING SCAM

Bank of America "fraud alert" text scam: real or fake?

It looks exactly like the real thing. A five-digit short code, your first name, a check number, and a dollar amount that makes your stomach drop. Then it asks you to reply, or to call a number. That single reply is where the account starts to empty.

SafeBrowz Threat Research Security ResearchJuly 11, 20269 min read

Verdict

A Bank of America text that pushes you to reply YES/NO or call a number to "authorize" or "stop" a charge is almost always a scam. The forensic tell is what happens next: reply or call, and a person posing as the BoA fraud department asks you to read back a security code that was just texted to you. That code is a real login code the scammer triggered - reading it back logs them in and lets them move money by Zelle or wire within minutes. Bank of America will never ask you to read back a code, and never asks you to call a number written inside a text. Do not reply, do not tap the link, do not call the number in the message. Verify only by opening the Bank of America app or calling the number on the back of your card.

The text that lands at 9:47 on a Tuesday

Here is the message, close to word for word, that lands on phones across the US every day:

"BofA Alert: Did you authorize check #0000008124 for $39,182.00? Reply YES to authorize or NO to decline. STOP to opt out."

Everything about it is engineered to feel legitimate. The sender ID reads "BankofAm" or shows a five-digit short code instead of a ten-digit mobile number, which is exactly how real bank alerts look. The amount is enormous and completely wrong, which is the point: no one authorized a $39,182 check, so the natural reaction is to reply "NO" as fast as possible. The scam is built around that reflex.

Reply "NO" and one of two things happens. Some campaigns fire back a follow-up text with a phone number: "To secure your account, call our fraud department now at (XXX) XXX-XXXX." Others skip straight to a live call within seconds, because your reply confirmed the number is active. Either path lands you on the phone with someone calm, professional, and reading from a script that sounds identical to a genuine fraud analyst.

That is the trap. The text was never about the check. It was bait to open a phone line where the real theft happens.

The kill step: "read the code back to me"

On the call, the fake analyst walks you through a reassuring routine. They confirm the fraudulent check, tell you they are "reversing it," and say they need to verify your identity first. Then comes the line that ends the account:

"For security, I have just sent a verification code to your phone. Can you read that six-digit code back to me so I can confirm it is really you?"

A code did just arrive, and it genuinely came from Bank of America. That is what makes people comply. But the bank sent it because the scammer, at that exact moment, was typing your username and password into the real bankofamerica.com login, or authorizing a Zelle transfer. The code went to you, the account owner, as a final check. Read it back, and you hand the attacker the last thing standing between them and your money. This is a hands-on version of an adversary-in-the-middle 2FA bypass: the scammer relays a real login in real time and lets you supply the code they are missing.

Some versions never even need your password. If the scammer already has enough of your details from a data breach, reading back a password-reset or Zelle-enrollment code is all they need. Once inside, transfers by Zelle, wire, or bill pay leave in minutes, and money moved by those rails is far harder to claw back than a disputed card charge.

What a real Bank of America fraud alert actually does

Genuine BoA fraud alerts exist, which is why the fake ones work. Real alerts come from Bank of America's own short code, not a personal-looking mobile number, and a real one may indeed ask you to reply YES or NO to confirm a transaction. That much the scammers copy accurately. The difference is everything that comes after.

A real Bank of America alert will never put a phone number inside the text for you to call, and a real fraud representative will never ask you to read back a security code, one-time passcode, or PIN. Those codes exist so that no one but you ever sees them, and the bank states plainly that it will not ask for them. If a call or text asks you to share a code, that alone is proof it is a scam, no matter how convincing the caller sounds.

The only domains that belong to the bank are bankofamerica.com and secure.bankofamerica.com, and the safe way to reach them is to type the address yourself or open the app, never through a link inside a text. When in doubt, ignore the message and call the number printed on the back of your card. That number is not spoofable and it routes you to the real fraud team.

The lookalike links attached to these texts

Not every version relies on a callback. A large share attach a link that opens a pixel-accurate Bank of America sign-in clone, which harvests your username, password, and then the one-time code in the same session. The domains follow a small set of predictable shapes. Tap any red-dotted example to run it through the live scanner below:

  • Brand-keyword-hyphen: bankofamerica-alerts[.]com, bankofamerica-verify[.]net
  • The tell: the real domain is whatever sits immediately before the first single slash after https://. Only an exact match on bankofamerica.com is the bank. A "bankofamerica" that appears as a subdomain or a hyphenated prefix on some other domain is not.
🛡 LIVE CHECK

Test a suspicious link right now

Got a fraud-alert text? Tap any red-dotted domain above, or paste your own suspicious link. Our 3-layer engine (Local + APIs + AI) returns a verdict in about three seconds. Free, no signup.

Full scan with deep AI analysis → · No URL is logged to your identity.

Red flags in a "fraud alert" text

Any one of these is enough to treat the message as a scam and stop. Together they are unmistakable.

  • It gives you a number to call. Real BoA alerts never include a callback number inside the text. A phone number in the body is the single biggest tell.
  • Anyone asks you to read back a code. A security code, one-time passcode, or PIN read aloud to a caller is game over. The bank never asks for this. No exceptions.
  • A wildly wrong amount. A $39,182 check you obviously did not write is designed to make you panic and reply "NO" without thinking.
  • A link to tap. Genuine alerts do not send you to a sign-in link by text. Any link, even one that spells out "bankofamerica," should be treated as hostile.
  • Pressure to act "right now." "Call immediately," "your account will be frozen," "we are reversing this now." Real fraud teams work on your timeline, not a countdown.
  • The reply flips you to a live call. A text conversation that suddenly becomes a phone call from a "fraud analyst" is a scripted handoff, not customer service.
  • The caller already "knows" your fake transaction. They sent the fake alert, so of course they can describe it. Knowing details does not prove they are the bank.

Block the fake fraud line before you dial

The defense is a habit, not a gadget. Route every alert back through a channel you opened yourself, and the whole scheme collapses.

  1. Do not reply, tap, or call the number in the text. Replying "NO" or even "STOP" confirms your number is live and often triggers the follow-up call. Silence is the correct first move.
  2. Open the Bank of America app, or type bankofamerica.com yourself. Do not search "Bank of America login" during an alert wave; ad slots have carried typosquats. Check Alerts and recent activity inside the app. If there is no matching alert there, the text is fake.
  3. If you want to speak to someone, call the number on the back of your card. That number reaches the real fraud team and cannot be spoofed. Never call a number a text handed you.
  4. Never read a code to anyone. Bank of America will not ask, and no legitimate caller ever needs a code that was texted to you. If someone asks, hang up.
  5. Block the lookalike before you type. A browser-layer scanner flags the fake sign-in page from the link before it loads, so a stolen tap does not become stolen credentials. More on that below.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI. For this scam, each layer targets a different stage of the con.

  • Layer 1 - Local detection: 60+ URL pattern rules plus a 550+ brand database, including Bank of America, match the lookalike shapes the moment a link opens. The "bofa" and "bankofamerica" brand-keyword-hyphen pattern on any domain that is not bankofamerica.com, along with Cyrillic and Punycode homograph tricks, resolves right inside the extension before the page renders. No network call needed.
  • Layer 2 - API checks: the lookalike domains that fit these campaigns, such as bankofamerica-alerts[.]com and bankofamerica-verify[.]net, are cross-referenced against Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLD lists so known smishing pages are flagged fast.
  • Layer 3 - AI deep scan (Premium): the fake fraud-callback and sign-in pages are freshly spun up daily, so signatures alone miss the newest ones. AI content analysis across 100+ languages recognizes a Bank of America sign-in or "verify your identity" page served from any domain other than the bank's own, and flags it in seconds.

Honest scope: SafeBrowz blocks the fake page from loading if you tap the link, which stops the credential-harvest path cold. It cannot intercept a phone call or unhear a code you read aloud. If the scam runs entirely by voice, the only defense is the rule that never changes: never share a code with anyone, ever. Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

If you already replied, called, or read back a code

Money moved by Zelle or wire leaves fast, so treat this as minutes, not hours.

  1. Call Bank of America now using the number on the back of your card. Say you gave information to a phishing scam and ask them to freeze outgoing transfers, flag the account, and review recent activity. This is the most important step.
  2. Change your password and passcode from inside the app or by typing bankofamerica.com yourself. Sign out of all devices and re-enroll your login credentials.
  3. Review recent activity for unauthorized Zelle transfers, added recipients, new linked external accounts, wires, or a changed address or phone number. Those changes are often the setup for a second wave.
  4. If you shared other details such as your Social Security number or date of birth, place a free fraud alert with the three credit bureaus and consider a credit freeze. The FTC consolidates the steps at identitytheft.gov.
  5. Report it so the campaign gets shut down faster (see below).

For a full walkthrough of the first 24 hours after any scam, see our guide on what to do right after you have been scammed.

How to report a Bank of America smishing text

Reporting takes a few minutes and shortens the campaign's life because carriers and the bank use these reports to seed takedowns.

  1. Forward the text to 7726 (SPAM). This free short code sends the message to your mobile carrier's threat team so they can block the sending number. The FCC recommends this for every smishing text.
  2. Report the fake account activity to Bank of America by calling the number on the back of your card, then delete and block the sender.
  3. File a complaint at ic3.gov (FBI Internet Crime Complaint Center), especially if money was moved.
  4. Report to the FTC at reportfraud.ftc.gov so the case feeds the federal fraud database used by law enforcement.

Same script, different brand

The "fraud alert, confirm the charge, then read us the code" playbook is a rented kit aimed at every large US bank in rotation, and increasingly at government and delivery brands too. The same call flow drives the Chase fraud alert lures, the fake Chase and JPMorgan login pages, and the wider wave of bank and government imposter scams the FTC tracks. When the callback comes with a convincing human voice, it edges into voice-phishing and AI voice-cloning territory. The defense never changes across any of them: never call a number a message gives you, and never share a code. If a term here is new, our scam and security glossary defines smishing, vishing, and one-time passcodes in plain language.

Block the fake page before it loads

Add the browser extension, or the SafeBrowz Android app, that runs every check in this article automatically on every page, before it renders. If you ever tap a fraud-alert link, the fake Bank of America sign-in never gets a chance to load. Free forever.

Chrome Add to Chrome Firefox Add to Firefox Edge Add to Edge Google Play Get it on Google Play

Upgrade to Premium for AI deep scan of novel Bank of America lookalike pages in 100+ languages, at $14.99/year.

Frequently asked questions

Is a Bank of America fraud alert text real?

Bank of America does send real fraud alerts by text from its own short code, and a genuine alert may ask you to reply YES or NO to confirm a transaction. But a real alert never includes a phone number to call and never leads to a link asking you to sign in. If the text gives you a callback number, sends you to a login page, or the call that follows asks you to read back a code, it is a scam. Verify by opening the Bank of America app or calling the number on the back of your card, never through the text.

Does Bank of America text you to confirm a transaction?

Yes, if you have enrolled in transaction and fraud alerts. Those come from Bank of America's official short code, not a regular ten-digit mobile number. The scam copies this format closely, which is why the sender ID alone cannot be trusted. The reliable difference is behavior: a genuine alert stays inside the reply-YES-or-NO flow and never routes you to a phone number or a sign-in link. Anything that asks you to call, tap a link, or share a code is fraudulent.

I replied YES or NO, or called the number in the text. What now?

Replying by itself confirms your number is active and may trigger a follow-up call, but it does not hand over your account. The damage happens if you called and shared login details or read back a code. Call Bank of America immediately using the number on the back of your card, ask them to freeze outgoing transfers and review activity, then change your password and sign out of all devices. Review recent activity for unauthorized Zelle transfers, added recipients, or changed contact details, and report the text to 7726 and at ic3.gov.

Why did Bank of America send me a real security code during the scam call?

Because the scammer triggered it. While you are on the phone, they enter your username and password, approve a device, or start a Zelle transfer on the real Bank of America site. The bank then texts a one-time code to you, the account owner, as a final identity check. The caller asks you to read it back so they can complete the login they started. The code is real, but sharing it finishes the theft. No legitimate representative ever needs a code that was sent to your phone.

How do I report a Bank of America smishing text?

Forward the message to 7726 (SPAM) so your carrier can block the sending number, then delete and block it. Report suspicious account activity to Bank of America by calling the number on the back of your card. If money moved or you shared information, file a complaint at ic3.gov with the FBI and at reportfraud.ftc.gov with the FTC. These reports feed the takedown and enforcement systems that shorten a campaign's life.

Related reading

Bottom line: the Bank of America "fraud alert" text borrows a real behavior - the bank really does text you about suspicious charges - and adds one thing the bank never does: a number to call or a link to tap, followed by someone asking you to read back a code. That code is the last lock on your account, and reading it aloud opens it. Never call a number a text hands you, never share a code, verify only through the app or the number on your card, and put a browser-layer scanner like SafeBrowz in place so the fake sign-in page can never load.