The legitimate email is the email from Eastern Mountain Sports (EMS.com)! Here are all the reasons that support the authenticity of this email:
- The email was sent from the domain "EMS.com"
Though email "from" fields can be spoofed, we would expect the from field to match the content of the email. Don't pay any attention to the gibberish in the from address that appears before the @ symbol. What matters are the letters that appear immediately before ".com", and here they are EMS. Check out EMS.com and you'll see that it is the official website for Eastern Mountain Sports. (For a much greater understanding of this point, read our Member's articles How to Surf Safely by Understanding Website Domain Names and 7 Tips for Recognizing Scam Emails.)
- A mouse-over of the "Activate Coupon" link points to the EMS.com domain (THIS IS THE MOST IMPORTANT REASON!)
The link points to "click.email.ems.com." The first two words reflect subdomains and are not important. The "ems.com" is the most important part of that web address ONLY if it appears BEFORE the first / (forward slash), which it does. (Again, to learn more about this, read our Member's articles mentioned above.) And though you cannot see it from the graphic we provided, ALL the links in the email pointed to a page somewhere at EMS.com.
- The email provides a verifiable address and phone number.
If you call the number it will connect you to EMS. (Warning: Just because a phone number and address are provided doesn't mean it IS NOT a scam.)
So why are the other two emails scams? Let's break it down starting with the email from Bank of America:
- The email contains no personal information identifying the recipient other than the email address
For something as important as a security alert from your bank, you would like to think they would identify the recipient by name or last four digits of the account number. (We've seen some bank scams identify the LAST digit!)
- A mouse-over of the link "sign in to Online Banking" does not point back to any verifiable Bank of America website.
Mouse-over skills are so important to identifying fraud online! (Check out our video to learn more.) Instead of a legitimate Bank of America website, the link points to an IP address listed as 22.214.171.124. (Members can learn how to figure out where these strange web addresses lead and who owns them by reading our SuperSleuth Series video IP Checking. This IP is located in Thailand!)
- The email contains several grammatical errors.
Don't underestimate good spelling and grammar. English is not the first language for many scammers and we often see poor grammar, awkward sentences, misspelled words and the like in scams. These things should make everyone very suspicious! Look at the first sentence in the email to see what we mean: "Bank of America security team identify irregular activities with your online access, to ensure you identity is secured."
- The email is missing important information.
On the left side of the email is the line "Remember: Always look for your SiteKey before you enter your passcode during Sign In." Great! So where's the SiteKey?
NOTE: Notice that the "from" email address correctly spoofs a legitimate email address for BankofAmerica.com.
- The email is "from" the strange address "ZeroClosing@fealins.me"
The 2-letter ending of the email address is a country code. This one is for the country Montenegro. Why would a legitimate mortgage business be sending emails from a website in Montenegro? (Check out our video about 2-letter country code scams!)
- It isn't clear what company is represented by this email
The email came from "fealins.me" yet "terms and conditions" reference "Bills.com." The address and phone listed in the fine print at the bottom are for a company called Bills.com and Google can locate this website. But a mouse-over of the link in the email leads back to "fealins.me." Google cannot find any reference whatsoever to this website.
- The email contains awkward language.
Again, don't underestimate good spelling, grammar and a well-written sentence. Look at the first sentence in the email to see what we mean: "If you can't inspect our Adv-ertisement in this mail? You may browse this url". This is awkward.
NOTE: A common trick by spammers to avoid anti-spam servers that might block an email based on specific words is to break those words up or spell them in an unconventional way... like "Adv-ertisement" instead of "Advertisement."
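The mouse-over checks described above (the domain must appear before the first forward slash, and a bare IP address is a red flag) can be written as a small script. This is an added example, not part of the original article; the function names and the paths and query strings in the sample links are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def link_host(url):
    """Return the lowercase host, i.e. the part before the first '/' after 'http://'."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def check_link(url, expected_domain):
    """Compare where a link really points with the domain the email claims to represent."""
    host = link_host(url)
    if not host:
        return "no-host"
    try:
        # A link that goes straight to an IP address names no company at all.
        ipaddress.ip_address(host)
        return "ip-address"
    except ValueError:
        pass
    expected = expected_domain.lower()
    # Subdomains such as "click.email." are fine; the END of the host must match.
    if host == expected or host.endswith("." + expected):
        return "match"
    return "mismatch"


# Constructed sample links modelled on the three emails discussed above.
SAMPLES = [
    ("ems.com", "http://click.email.ems.com/?qs=constructed"),
    ("bankofamerica.com", "http://22.214.171.124/constructed/path"),
    ("bills.com", "http://fealins.me/constructed"),
    # "ems.com" appears AFTER the first slash, so it does not count.
    ("ems.com", "http://example.net/ems.com/coupon"),
]


def review(samples=SAMPLES):
    """Return (host, verdict) for each (expected_domain, url) pair."""
    return [(link_host(url), check_link(url, dom)) for dom, url in samples]


if __name__ == "__main__":
    for host, verdict in review():
        print(f"{host:25} {verdict}")
```

A "match" only means the link agrees with the claimed sender; as with the phone number warning above, it does not prove the email is legitimate on its own.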