PHISHING | Risk Level: 9/10

This is a sophisticated phishing email that impersonates TD Bank to steal banking credentials.

HIGH Confidence | Credential Phishing

Email Details

From: user@example.com (anonymized)
Subject: Fwd: ALERT: Your account has exceeded the overdraft threshold
Date: January 22, 2026

Key Findings

  • Email claims to be from TD Bank (noreply@td.com) but was actually sent from a Gmail account, indicating sender impersonation

  • Multiple "Log in" buttons redirect to https://onlinebanking.tdbank.com/, which was flagged as SUSPICIOUS due to "brand name 'bank' in subdomain of unrelated domain"

  • Uses urgent financial threat tactics (overdraft fees, account overdrawn) to pressure immediate action and credential entry

Detailed Analysis

The email appears to be forwarded from a compromised or fake TD Bank notification, but the actual sender is a Gmail account - a clear red flag since legitimate TD Bank emails would never originate from Gmail accounts. The forwarded message structure is likely used to obscure the true malicious origin and make the email appear more legitimate.

The phishing attack uses classic urgency tactics by claiming the recipient's account is overdrawn by -$863.00 and at risk of overdraft fees, creating financial anxiety to prompt quick action. The professional HTML formatting, legitimate-looking TD Bank branding, and detailed account information (ending in 8199) are designed to appear authentic.

The technical indicators strongly support the phishing verdict. While the DKIM authentication passes for the Gmail domain (confirming it came from Gmail servers), this actually proves the email is fraudulent since TD Bank would never send official communications through personal Gmail accounts.

Recommended Actions

  • Do not click any links in this email, especially the "Log in" buttons

  • Report this email to TD Bank's fraud department and delete it immediately

  • If you have recently provided credentials to any TD Bank login page accessed via email, contact TD Bank immediately to secure your account