People will fall for this bogus domain name.
Domain investor Abdu Tarabichi sent a screenshot of a text he received today from a scammer:
If you go to the subdomain of BofA-SMS.com, it will ask you to unlock your account by entering your credit card number, expiration date, CVV and the last four digits of your SSN.
I’m sure people will fall for this scam, and it’s a reminder of one of the broken promises of what new top level domain names can offer.
Some peddlers of new TLDs argued that companies could cut down on phishing by getting a .brand top level domain name. When consumers see a .brand domain such as .bofa, they’d know they were at the right site, the argument goes. Therefore, they won’t get phished anymore.
The problem with this argument is that seeing the valid TLD is a positive signal. People get phished by the negative: not noticing that the URL is the incorrect one.
Validated TLDs such as .bank (podcast) have a similar problem.
By the way, BofA-SMS.com has a public Whois record, but it appears to be false. The phone number transfers to an international dial tone and then goes to voicemail.
The same user is also associated with BofA-txt.com according to DomainIQ.
AJ says
Has the domain been reported to ICANN?
Craig Schwartz says
You talk about an issue with a .COM domain, but then drag in validated TLDs such as .BANK in a negative way…what’s your point? A phishing URL such as the one mentioned could never be registered in .BANK because of our validation requirement. Further, given the email authentication requirement for .BANK domains, a bank could say with confidence to its customers that if the email address doesn’t end in .BANK it’s not from us. If you want to point fingers, pick a place where the bad activities are happening. I find your post empty and meaningless.
Andrew Allemann says
The point is that even if banks tell their customers “if the email address doesn’t end in .BANK it’s not from us”, they will still fall for phishing scams like this. So cutting down on phishing is not a real selling point to validated or brand TLDs.