Phishing scams have been around for some time. Consumers have been warned numerous times not to click on links in emails and give out personal information or passwords. But what if the phishing email really looks genuine, without the usual telltale signs? In the last few days, a number of Bank of America phishing scams have been circulating that seem to be getting more and more sophisticated.

One of the emails includes the following message: “The Digital Certificate for your Bank of America Direct online account has expired. You need to update the certificate using Bank of America Direct Digital Certificate Updating Procedure”. These emails have the same look and feel as legitimate Bank of America notification emails, and the link shown in the email seems to go to bankofamerica.com. In fact when you do a ‘View Source’ the link goes to an entirely different domain, but the masked link will be enough to fool non tech-savvy consumers. The email is not full of the usual obvious spelling and grammar mistakes (although the grammar is not quite correct). Another smart trick is that the phishers are spoofing the sender address that is used for legitimate Bank of America alerts. This allows them to bypass any spam filters that have this email address in the white list.

The link in the email, if clicked on (Readers: please do not click on the link!), will take you to a website where you will be asked to log on with your digital certificate. The phishing website is so sophisticated that it will then actually check with Verisign if your digital certificate is valid. If it is not valid, it will not store your information, but it will still infect your computer with a virus. If it is valid, they will record your digital certificate and more nasty stuff will await you. The following article by Gary Warner from his CyberCrime & Doing Time blog includes more details on this latest Bank of America phishing scam: http://garwarner.blogspot.com/2009/06/bank-of-america-digital-certificates.html.