Fake bank notice claiming unusual activity was detected and requiring identity verification within 24 hours to prevent account suspension — credential-harvest phishing; real banks never request full credential re-entry via cold email link under a 24-hour suspend-or-verify deadline.

Fake bank security notice (impersonating a generic bank, Chase, Bank of America, Wells Fargo, Citibank, or regional institutions) claiming unusual or suspicious activity was detected on the target's account and requiring identity verification within 24 hours via email link to prevent account suspension — credential-harvest phishing. Real banks never request full login credential re-entry via a cold inbound email link under a 24-hour suspend-or-verify ultimatum; account security actions are handled exclusively through the bank's authenticated online banking portal, official mobile app, or verified customer-service phone number. The "unusual activity detected — verify identity within 24 hours to prevent suspension" pattern is one of the most persistent phishing templates across APWG phishing reports since 2018 and accounts for a significant fraction of all financial-sector phishing volume. Distinct from bank-account-suspension-phish (account already suspended / restoration pretext) — this targets the unusual-activity-detected / 24-hour verification window / prevent-suspension pretext specifically. Detection: unusual/suspicious activity detected + verify identity within 24 hours + prevent account suspension vocabulary + no List-Unsubscribe + no In-Reply-To + not protected sender. Trash score: +4. Source: GC1-R28; APWG phishing report Q1 2026 (banking sector); FTC bank impostor scam advisory 2025; CISA banking phishing consumer guidance; OCC phishing threat alert.