A phishing email appears to be from "Bank of America". We did a "View Source" on the email and found the following link:

http://www.bankofamerica.com.onlinebankingid30344740.kaswert.info/session.cgi

This is a phishing site. The host is in fact a subdomain of kaswert.info, not of bankofamerica.com. Unsuspecting or careless victims often read just the first part of the link after the http:// and fail to notice the end. To be safe, it is important to determine the full domain name.
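One way to automate that check on a mail gateway or in triage tooling, as an added example that is not part of the original write-up: reduce each link to its registrable domain and compare that with the domain the brand really uses. The function names and the tiny PUBLIC_SUFFIXES set are assumptions made for illustration; real code should load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List
# (assumption); production code should load the full list.
PUBLIC_SUFFIXES = {"com", "info", "net", "org", "uk", "co.uk", "my", "com.my"}


def registrable_domain(url):
    """Return the registrable domain (public suffix plus one label) of a URL."""
    host = urlsplit(url).hostname  # host part only, already lowercased
    if not host:
        raise ValueError("URL has no host: %r" % url)
    labels = host.rstrip(".").split(".")
    # Scanning left to right finds the longest known suffix first.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError("host is itself a public suffix: %s" % host)
            return ".".join(labels[i - 1:])
    raise ValueError("unknown suffix or IP literal: %s" % host)


def link_matches_brand(url, expected_domain):
    """True only when the link's registrable domain is the expected one."""
    try:
        return registrable_domain(url) == expected_domain.lower()
    except ValueError:
        return False  # unparseable or IP-literal links never match a brand


# The link from the email above, plus constructed comparison cases.
SAMPLES = [
    "http://www.bankofamerica.com.onlinebankingid30344740.kaswert.info/session.cgi",
    "https://www.bankofamerica.com/login",   # constructed
    "http://WWW.BankOfAmerica.COM./",        # constructed: case and trailing dot
]

if __name__ == "__main__":
    for u in SAMPLES:
        verdict = "ok     " if link_matches_brand(u, "bankofamerica.com") else "SUSPECT"
        print(verdict, registrable_domain(u), u)
```

The brand name sitting in the left-hand labels has no effect on the result; only the labels next to the public suffix decide who controls the host.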

The full header of the email is attached. Note that the return path or the originator email address may "appear" to come from the valid domain name, but that is not the trick. The scammers do not care whether you actually reply to the email directly (i.e. press the reply button in your email client). All they want is for you to click on the link to their phishing website. The "originator" email address is just faked to make it look like it comes from the real website. By the looks of it, the mail probably came from a compromised server in Malaysia.

Return-path: <accsupport-546519ib@bankofamerica.com>
Delivery-date: Mon, 22 Jan 2007 17:32:55 -0700
Received: from [210.5.198.149] (helo=210-5-198-149.reverse.newskies.net)
Received: from [111.225.20.80] (HELO malaysia.net)
From: "Bank of America" <accsupport-546519ib@bankofamerica.com>
X-Sender: services-778608110240609ib@bankofamerica.com
User-Agent: Pegasus Mail for Win32 (v2.53/R1)
X-Mailer: Pegasus Mail for Win32 (v2.53/R1)
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/related;
    boundary="0R5INIL.WGUOQSTK"
Subject: [Norton AntiSpam] Please confirm your information! -Mon, 22 Jan 2007 16:32:26 -0800

Bank of America Scam Mail