Is this Bank of America text a scam?

Bank of America texts are frequently spoofed by scammers who replicate BofA alert messages to steal login credentials. The messages often claim a purchase was flagged, your account is locked, or a wire transfer needs your approval.

Bank of America will not text you a link and ask you to verify your full online banking password, SSN, or card number through it. Legitimate BofA alerts direct you to call the number on the back of your card or log in directly at bankofamerica.com.

Red flags

Text contains a link to a domain that is not bankofamerica.com
Alert says your account will be closed unless you verify your information immediately
Message asks you to confirm or deny a large purchase by clicking a link
You receive a call after the text from someone claiming to be BofA fraud prevention
The message requests your debit card number, expiration date, or CVV

How Bank of America smishing texts work

BofA Alert: Did you authorize $1,247.83 Zelle to JOHN MARTINEZ? Reply YES or NO. If NO: https://bofa-secure.online/verify

Real BofA fraud alerts use Reply YES/NO only — they never include a verification link in the message body.

If you already clicked or paid

Change your Bank of America Online ID and passcode immediately at bankofamerica.com directly, enable two-factor authentication, lock debit and credit cards through the mobile app, call the number on the back of your card. Watch for unauthorized Zelle transfers. If you provided one-time codes from a separate text or call, assume your account has been accessed.

How to verify the real thing

Real Bank of America fraud alerts come from short codes 39872 (BofA SafePass) and 73383. They ask Reply YES if you recognize, NO if you don't, and NEVER include a clickable link. Log into bankofamerica.com directly or open the official mobile app and check the Message Center under Settings.

Frequently asked questions

What short codes does BofA use?

39872 and 73383. Reply YES or NO format. Never includes links.

Will BofA ever ask for my passcode by text?

Never. BofA will not ask for Online ID, passcode, full card number, debit PIN, or one-time SafePass code by any channel.

What's the SafePass code scam?

Scammers call claiming to be BofA fraud and ask you to read back the SafePass code that texted you. That code is your account access — never share SafePass codes by phone.

I clicked the link — am I hacked?

Not from clicking alone. The risk is whether you logged in. If yes, change Online ID and passcode from bankofamerica.com directly, enable two-factor authentication, call the number on your card.

How do I report a BofA scam?

Forward to abuse@bankofamerica.com. Report account fraud at the number on your card or 1-800-432-1000.

Related scam guides

Last reviewed: 2026-06-24 by the ScamRadar editorial team. We update this page when scammer tactics change or when official agencies issue new guidance.

ScamRadar · Blog · Scam Database · Is It Legit? · About