Imposter scams are on the rise: Here’s how to manage the risks

As our daily reliance on digital communication steadily increases, scammers are evolving their tactics to exploit the trust that financial services have built over time. Imposter scams are on the rise with consumers reportedly losing more than $12.5 billion to fraud in 2024, which represents a 25% increase from the previous year.¹

 

Imposter scams typically begin with an anomalous email (commonly known as phishing), a phone call from a falsified number (vishing), an unsolicited text (smishing), a social media message or a malicious QR code. The communications appear to be from trusted professionals like bank representatives, lawyers or government officials.² The perpetrators may even pose as your current relationship manager or representatives of companies you already have relationships with.

 

By creating fraudulent websites using legitimate information they’ve harvested from online sources, these scammers trick clients and prospects into providing confidential information with the intention of committing financial fraud.

The best defense against imposter scams is recognizing them. Beyond awareness, here are some common red flags that can help you identify these scams before you fall victim:

 

• An unexpected phone call from your “relationship manager,” which might be a vishing attempt.
• An urgent request to fill out an online form. Your actual relationship manager will have reviewed forms with you during your onboarding.
• Poor website design quality, including inconsistent font, color scheme, grammar and low-resolution/missing images.
• Incorrect domain spelling and unusual top-level domains (e.g., websites ending with .zip, .cn and .xyz).
• A website domain that uses the name of the relationship manager rather than a reputable firm — always look for a legitimate website to be connected to bankofamerica.com or ml.com.

Imposter scams are successful because of how much legitimate information scammers can mine from publicly available information on the web, allowing them to convincingly impersonate a professional or simulate a professional’s website. You can protect yourself by following these best practices:

 

• Verify all unusual communications, requests for payments and personal information by double checking the sender information and independently confirming the source using contact information taken from a legitimate website, verified bill, card or statement. Do not rely on the caller ID to confirm a caller’s identity!

• Make sure the URL contains “https” (the “s” in “https” stands for secure), which means the connection between your web browser and the website server is encrypted. This ensures bad actors are not eavesdropping or intercepting your communication between your browser and the website’s server. You may also find extra assurance from a “lock” icon near the URL field, depending on the browser you’re using.

• Never send payments to anyone without personally verifying their identity (via contact information taken from a legitimate website, verified bill, card or statement).

• Never give sensitive information over the phone or through a website unless you’re absolutely sure of who you’re interacting with. 

• Cut off contact at any point with someone you suspect is impersonating a professional. You can always call back using a verified and trusted number.

• Immediately forward any suspicious email that uses Bank of America’s name to abuse@bankofamerica.com, then delete it.

 

Remember: Do not transfer money or make payments at the direction of an unexpected call or text! Also, remember that Bank of America knows who you are — we will never text, email or call you and ask you for your account authorization code.