Fake or for real? How to know if a text from your bank is legit

Keeping tabs on your financial accounts is critical these days, but how can you be certain an alert from your financial institution is legitimate?

Farnoosh Torabi Former Editor at Large
Farnoosh Torabi is a financial strategist, host of the award-winning podcast So Money and a bestselling author.
Farnoosh Torabi
5 min read
Seksan Mongkhonkhamsao/Getty Images

In a world in which fraudsters are increasingly finding new ways to steal from our accounts, my guard's instantly up when I receive a text from my bank. But hackers are becoming much savvier at their game. So much so, that I almost fell for a scam this month.

Here's what happened -- and the (somewhat embarrassing) lessons I learned.

On a recent morning, Bank of America appeared to reach me via text message to notify me of an ill-fated attempt to hack my checking account. My first thought? "Yeah, right." I assumed this was a run-of-the-mill phishing scam aiming to retrieve my account username and password.

But upon further examination, I didn't know what to believe.

Here's a snapshot of the text to which I replied, "No."

Farnoosh Torabi/CNET

The part I was stuck on was the mention of Waltham, Massachusetts. I had been in the vicinity of that town while on vacation a week prior. I had, in fact, used my bank card in a few places while visiting.

Was it possible fraudsters had "shimmed" my card and stolen information on its chip? Had they attempted to then access my account? And Bank of America caught them in the act and sent me this alert?

Another persuasive part was that after I replied "No" to the text, I received a reply that said to call 866-500-6260 to change my username and password. The detective in me decided to dial the number. After a few rings, the "Bank of America Client Protection" switchboard came on the line. 

I hung up and continued to investigate.

While the Waltham reference was interesting, I spotted some red flags that suggested the text was likely bogus. For one, my "online ID" was not correct. A junior hacker might think to use my first initial followed by last name to log in, but they will not be successful! 

I also found the Bank of America logo following the text to be a bit wonky. Was it an effort to try to legitimize a text that might not otherwise be truthful?

Further, when I googled the 866 number in the text, it was not clear whether it belonged to Bank of America. No search result linked that number to the bank.

And then, stranger things happened.

I received a phone call from a supposed Bank of America representative, who was following up on the text exchange. She called from 877-551-0215, which I quickly looked up and found no evidence of being associated with the bank either. To my surprise, this person was polite, friendly, calm and pronounced my name correctly (no easy feat). 

This "rep" began by saying that since I verified that the transaction had not been authorized in that text with a "No," I needed to reset my password with her. Before she could go on, I told her I was confused. I said, honestly, I was not really sure the text that I received was legitimate. Taking no risks, I kindly let her know that I would just call Bank of America myself, to see what this was all about. She said she understood and that I should call the number on the back of my bank card. Good advice being provided by a hacker? Now I'm really dumbfounded.

My next move was to log into my Bank of America online account. And wouldn't you know, the first page that popped up after I successfully logged in said that I needed to reset my password due to some suspicious activity. It did not reference any sort of activity in Waltham, but it was an odd coincidence.

Read moreT-Mobile data breach and SIM-swap scam: How to protect your identity

Was the text legit after all? Was this rep who called me a real Bank of America employee and not a poser, as I'd doubted? Was I being too skeptical for my own good? I followed the instructions on the Bank of America website (after double checking the website was, indeed, the right one) and reset my account information.

I was annoyed with myself for being so perplexed by the situation. Fraud is usually easy enough to detect. You might see misspelled words in a text or an explicit request for your password. Sometimes the communication sounds urgent and alarming. I didn't really experience this here. 

I reached out to Bank of America's public relations team to better understand its protocols for alerting customers of potential fraud. I also sent them the communication I'd received, including the text message and phone numbers involved. 

Here's what a bank spokesperson confirmed:

  • Bank of America does sometimes send text alerts asking clients to verify a transaction, but the text I received was not from the bank. The phone number provided in the text was not a Bank of America line.
  • Actual text messages from the bank would not be alarming or ask clients to hand over sensitive information.
  • The phone call following the text message was also fraudulent, which is spooky but not unusual. 
  • Asking me to change my password over the phone was a serious red flag. 

And there you have it. The text was bogus and the kind woman on the phone with a knack for correctly pronouncing Iranian names was a thief. She was attempting to steal my money. And come to think of it, when she called, she did not say, as Bank of America reps normally do, that the call was "being recorded." Nothing official. Just, "Hi, Farnoosh. We need to reset your password." 

But then why did Bank of America prompt me to reset my password after I logged into my online account? Well, just as I'd initially assumed, it's because whoever was texting me (from Waltham) was, indeed, trying to hack my account. They had tried at least once, were unsuccessful, and decided to text me to get my password. At that point, Bank of America, seeing the attempts, prompted me to reset my password after I logged in.

In the end, my skepticism prevailed (thankfully). But it wasn't always clear what was going on and whether the bank messages were fake or for real. But I'm not going to beat myself up about it. The overarching lesson is -- whether via text, email or a voice call -- be suspicious and go with your pessimistic gut. I trust financial institutions are working diligently to protect customer accounts and prevent fraud. After all, the loss of money and customer trust are serious costs to them. But we need to be the biggest financial advocates we can be for ourselves. Nobody cares more about my money than me. And that's bad news for fraudsters.

Read moreBest identity theft protection and monitoring services for 2021