A seemingly innocent e-mail from Citibank Australia introducing a new online banking process has been mistaken for a phishing attack.
The e-mail was sent last month and described a new sign-on procedure that promised to be "even more secure". As part of a security upgrade, customers were asked to update their log-in credentials (see image below).
The message also asked recipients to log on to the bank's Web site and authenticate themselves by entering their Citicard or credit card number, and ATM PIN.
The bank has a strict policy to safeguard customers from such scams. Its online security section says: "Customers should understand that Citibank will never send e-mails to customers to verify personal and/or account information... It is important you disregard and report e-mails which... request any customer information - including your ATM PIN or account details."
Bronwyne Edwards, a consultant at management services firm SMS Management & Technology, said when she first saw the message she presumed it was a phishing attack.
"It had all the classic signs ... it was an e-mail asking the customer to go to a Web site and enter their ATM or credit card number, their ATM PIN and their account number. It then asked them to enter some answers to security questions such as their mother's maiden name and create a username and password," Edwards told ZDNet Australia.
"The content of the e-mail even contradicted itself -- the warning at the bottom stated it would never ask for details such as account numbers in e-mail."
A spokesperson for Citibank was surprised that the e-mail was confused for a possible scam and denied the bank had contradicted its security statements.
Joel Camissar, a manager at security provider Websense Australia and New Zealand, said this was an example of how banks were confused about communicating with customers.
"On the one hand, they are educating their users not to click on links ... and on the other hand, they have a need to communicate with their customers swiftly and cost efficiently," Camissar told ZDNet Australia.
"E-mail is increasingly becoming a mistrusted tool for banks to communicate with clients precisely because the authenticity of the sender is in doubt," he said.
SMS Management & Technology's Edwards added that the e-mail could be copied by fraudsters in order to launch future attacks: "I think it's a great example of a professional looking e-mail that could be copied very easily".
She also criticised Citibank for "undoing all the work companies have been desperately trying to do to train their users not to respond to communications of this kind".
The Citibank spokesperson, who admitted the reaction was worrying, said it was a good thing customers and analysts were being cautious and promised the matter would be investigated by the bank's technical and fraud departments.
So far this year, Citibank's global customer base has been targeted by phishers on at least 28 separate occasions, according to UK-based phishing archive site MillerSmiles.