Phishing on a Digital Binary Warning Abstract

Avoid: BofA, Wells Fargo SMS phishing

It always pays to be cautious where unsolicited text messages are concerned, as conniving phishers don’t always stick to the tried and tested route of email scams. For example, here’s two random texts sent out to one of our burner phones:

bofa phish
wells phish

The targets here are customers of Bank of America and Wells Fargo. The messages read as follows:

BofA customer your account has been disabled!!!

Please read this readmybank0famerica.cipmsg-importantnewalertt(dot)com

I think I’d probably be faintly worried if my otherwise sober and businesslike bank started sending out messages with more than two exclamation marks in a sentence, but even without that, observant recipients would notice they also added an extra “t” onto the end of “alert”.

The other message reads as follows:

(wells fargo) important message from security department! Login


The above URL redirects clickers to the below website:


Phishing for info

The phishers want a big slice of personal information, including name, DOB, driving license, social security number, mother’s maiden name, address, city, zipcode, card information, ATM PIN number, and even an email address.

All this, from a simple text.

SMS phishing is not new, but it does snag a lot of victims. Random messages from your “bank” asking you to visit a link should be treated with suspicion, especially if those links ask you to login. Banks are certainly not the only target of SMS phishers, but they’re one of the more valuable bullseye for scammers to sink their teeth into. Whether receiving messages by email, text, or phone, your logins are only as safe as you make them – don’t make it easy for bank phishers and delete that spam.

Christopher Boyd (Thanks to Dana)


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.