Citibank e-mail looks phishy: Consultants

Citibank e-mail looks phishy: Consultants

Summary: A seemingly innocent e-mail from Citibank Australia introducing a new online banking process has been mistaken for a phishing attack.The e-mail was sent last month and described a new sign-on procedure that promised to be "even more secure".


A seemingly innocent e-mail from Citibank Australia introducing a new online banking process has been mistaken for a phishing attack.

The e-mail was sent last month and described a new sign-on procedure that promised to be "even more secure". As part of a security upgrade, customers were asked to update their log-in credentials (see image below).

The message also asked recipients to log on to the bank's Web site and authenticate themselves by entering their Citicard or credit card number, and ATM PIN.

citibank phishing

Click here to enlarge.

The bank has a strict policy to safeguard customers from such scams. Its online security section says: "Customers should understand that Citibank will never send e-mails to customers to verify personal and/or account information... It is important you disregard and report e-mails which... request any customer information - including your ATM PIN or account details."

Unlike many other phishing e-mails, Citibank's didn't contain active URLs bar a link to its privacy policy but the logo and format raised a few eyebrows.

Bronwyne Edwards, a consultant at management services firm SMS Management & Technology, said when she first saw the message she presumed it was a phishing attack.

"It had all the classic signs ... it was an e-mail asking the customer to go to a Web site and enter their ATM or credit card number, their ATM PIN and their account number. It then asked them to enter some answers to security questions such as their mother's maiden name and create a username and password," Edwards told ZDNet Australia.

"The content of the e-mail even contradicted itself -- the warning at the bottom stated it would never ask for details such as account numbers in e-mail."

A spokesperson for Citibank was surprised that the e-mail was confused for a possible scam and denied the bank had contradicted its security statements.

"These are all online banking customers and are used to receiving e-mails from us. I don't believe we have contradicted ourselves ... there is only a link to the privacy policy and we always tell people to type in the URL," the spokesperson told ZDNet Australia.

Joel Camissar, a manager at security provider Websense Australia and New Zealand, said this was an example of how banks were confused about communicating with customers.

"On the one hand, they are educating their users not to click on links ... and on the other hand, they have a need to communicate with their customers swiftly and cost efficiently," Camissar told ZDNet Australia.

"E-mail is increasingly becoming a mistrusted tool for banks to communicate with clients precisely because the authenticity of the sender is in doubt," he said.

SMS Management & Technology's Edwards added that the e-mail could be copied by fraudsters in order to launch future attacks: "I think it's a great example of a professional looking e-mail that could be copied very easily".

She also criticised Citibank for "undoing all the work companies have been desperately trying to do to train their users not to respond to communications of this kind".

The Citibank spokesperson, who admitted the reaction was worrying, said it was a good thing customers and analysts were being precautious and promised the matter would be investigated by the bank's technical and fraud departments.

So far this year, Citibank's global customer base has been targeted by phishers on at least 28 separate occasions, according to UK-based phishing archive site MillerSmiles.

Topics: Collaboration, Malware, Security

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • HSBC Emails

    I recently complained to HSBC in regards to an marketing email they sent their customers which contained links which appeared to go to but actually re-directed through a external marketing provider

    In the same email it detailed the "Disclaimer" which contained sentences such as "We maintain strict security standards and procedures to prevent unauthorised access to information about you."

    When I sent feedback including "How can you expect normal customers to know the difference between
    this and a carefully crafted scam email?" The reply came from the marketing department (wrong department) and in my opinion showed a lack of understanding "Please be assured that any email from HSBC will not ask you for any personal banking information and will always have a legitimate phone number that the customers can call."
  • copy of hsbc e-mail

    hi there, if you have a copy of the e-mail, could you please send it to

    thanks in advance
  • There is a solution to the problem is it OK to follow a link - Link Advisor

    Link advisor from CallingID ( lets you see where you will go if you follow a link and if it is safe. If there is a problem you get an immidiate indication. You can also see if you will really visit the bank site or you will be redirected to a different site.
  • Why not sign emails?

    GPG / PGP is commonly available in any decent email client. Why don't banks use it to sign their emails and instantly verify the source? If we can train users to watch out for phishing attacks surely we can train them to verify a simple key.
  • Not workable.

    Banks have enough trouble getting users not to go to phishing sites or open attachments in emails.

    I really think the idea that the majority of customers will be ready to work with signed emails is laughable!