·8 min read

Bank of America Text Scam: How to Spot the Fake Alert (2026 Guide)

Fake Bank of America text alerts are the #1 phishing scam targeting U.S. account holders in 2026. Learn the exact wording, the short codes real BofA uses, and the 5 steps to take if you clicked or replied.

Senior's hands holding a smartphone showing a suspicious fake Bank of America text alert about unusual account activity

"BofA Alert: A $749.00 Zelle transfer to Michael R. is pending. If you did not authorize this, reply STOP or visit bofa-secure-verify.com." If a text like that just hit your phone, take a breath — it's almost certainly a scam. Fake Bank of America text messages are the single most-reported phishing attack in the United States right now, and they are engineered to make you panic and tap the link in under 10 seconds. This guide shows you exactly what a real Bank of America text looks like, the seven red flags in every fake one, and the five steps to take right now if you already clicked.

What a real Bank of America fraud text actually looks like

Bank of America does send real fraud alerts by text. But real BofA texts follow a very tight, boring pattern. Once you know it, the fakes stand out immediately.

  • They come from the short code 39-411 (or 322-78 for credit card alerts). Never a 10-digit phone number.
  • They ask you to reply YES or NO to confirm a charge — they never ask you to click a link to "verify" your identity.
  • They never ask for your password, PIN, one-time code, full card number, or Social Security number.
  • They never threaten to close your account, freeze your card, or arrest you if you don't respond in X minutes.
  • They reference the last 4 digits of your actual card — not a random dollar amount out of nowhere.

7 red flags in every Bank of America text scam

  1. Sender is a regular 10-digit phone number, an email address, or an international country code — not the short code 39-411.
  2. The link uses a lookalike domain: bofa-secure.com, bankofamerica-alerts.net, boa-verify.co, bofa.com-login.info. Real Bank of America only uses bankofamerica.com.
  3. It creates urgency: "within 2 hours," "immediately," "final notice," "your account will be locked."
  4. It references a Zelle transfer, wire, or large purchase you didn't make — designed to make you tap without thinking.
  5. It asks you to reply with a 6-digit code you just received. That code is your real BofA login code, and you're about to hand it to the scammer.
  6. The message has small grammar errors, missing spaces, odd capitalization, or extra symbols ("Ale.rt," "B0FA").
  7. A follow-up phone call comes minutes later from someone claiming to be "Bank of America fraud department" asking you to "move your money to a safe account." Real banks never ask you to move money.

The 3 most common Bank of America text scams in 2026

1. The fake Zelle transfer alert

This is the number-one variant. You get a text saying a Zelle payment of $500–$2,000 is pending to a name you don't recognize. Reply STOP or click the link — either action opens a chat with a scammer posing as fraud protection. They then ask you to "send the money back to yourself via Zelle to reverse it." Every dollar you send goes straight to them and is almost never recoverable.

2. The frozen-account phishing link

"Your Bank of America account has been suspended due to unusual activity. Verify now: bofa-secure-verify.com." The site is a pixel-perfect copy of the real login page. The moment you type your username and password, it captures them and shows a fake "verification" screen that also asks for your one-time code — giving the scammer everything they need to drain your account.

3. The debit card lock-out

"BofA: Your debit card ending in 4471 has been temporarily locked. Call 1-888-###-#### to reactivate." The number goes to a call center of scammers with realistic hold music. They'll ask for your full card number, expiration, CVV, and PIN "for verification." Bank of America will never ask for your full card number over the phone.

How to tell a real Bank of America text from a fake in 10 seconds

  1. Look at the sender. Not 39-411 or 322-78? It's fake.
  2. Look for a link. If there's one, it's fake — real fraud alerts are yes/no reply only.
  3. Look at the last 4 digits. Real alerts reference YOUR real card number. Random dollar amounts with no card reference = fake.
  4. Don't tap. Open the Bank of America mobile app or type bankofamerica.com into your browser manually. If there's a real issue, you'll see it there.
  5. If still unsure, call the number on the back of your debit or credit card — never a number from the text.

What to do if you already clicked the link or replied

Don't panic — but move fast. The next 30 minutes matter more than the next 30 days. Here's the exact order of operations:

  1. Call Bank of America immediately at 1-800-432-1000 (personal) or the number on the back of your card. Tell them you responded to a phishing text and ask them to lock online access, freeze cards, and flag the account for fraud monitoring.
  2. Change your Bank of America online banking password from a different device — not the phone that received the text (assume it may be compromised).
  3. Turn on two-factor authentication using the BofA app's built-in authenticator, not SMS. SMS 2FA is exactly what the scammer just tried to steal.
  4. Report the text to 7726 (SPAM) by forwarding the message. This feeds carrier-level phishing filters.
  5. File a report at reportfraud.ftc.gov and, if money was lost, at ic3.gov (the FBI's Internet Crime Complaint Center).

How to stop Bank of America scam texts from coming in

  • Forward every scam text to 7726 (spells SPAM). It's free and works on Verizon, AT&T, T-Mobile, and every major U.S. carrier.
  • On iPhone: Settings → Messages → turn on Filter Unknown Senders. On Android: open Messages → Settings → Spam protection → on.
  • Never reply STOP or NO to a suspicious text — even that response confirms your number is live and you'll get more.
  • Enable Bank of America's real push notifications inside the mobile app. Once you rely on app alerts, any SMS "from BofA" becomes obviously suspicious.
  • Consider a call-blocking app designed for seniors like RoboKiller or Nomorobo — they filter known scam short codes automatically.

Frequently asked questions

Does Bank of America text you about fraud?

Yes — but only from short codes 39-411 (debit/checking) and 322-78 (credit card), and only asking you to reply YES or NO to confirm a specific charge. They never send links, never ask for passwords, and never demand you call a number in the message.

Is 39-411 really Bank of America?

Yes, 39-411 is Bank of America's official fraud alert short code in the U.S. But scammers can spoof numbers that look similar, so always verify by opening the BofA app directly rather than replying to the text.

What happens if I reply STOP to a scam text?

Replying anything — including STOP — tells the scammer your phone number is active and monitored. Expect an increase in scam texts and calls within days. Don't reply. Forward to 7726 and delete instead.

Will Bank of America refund money lost to a text scam?

It depends on how the money moved. Unauthorized transactions (someone using your login without your permission) are almost always refunded under Regulation E. Zelle transfers you authorized while being tricked are covered under BofA's voluntary imposter-scam reimbursement policy — report within 60 days.

How do scammers get my phone number?

Most scam texts are sent to blocks of numbers by area code — the scammer has no idea if you actually bank with Bank of America. Because BofA has more than 68 million U.S. customers, roughly 1 in 5 texts hits an actual customer. That's why the scam works at scale.

The bottom line

Bank of America will never text you a link, never ask you to move money to "protect" it, and never call you moments later demanding your one-time code. If a text scares you, close it, open the official BofA app, and if there's really a problem, it will be waiting for you there. Every second you don't tap is a second the scammer loses.

Get scam alerts before they reach you

Safe Retire Watch sends real-time alerts when new scams target retirees in your state. From $9/month. 30-day money-back guarantee.

Get Protected

Keep reading