Citibank helps phishers improve their bait?

Summary: It took three security experts and almost a full working day to confirm Citibank Australia's e-mail wasn't a clever phishing attempt.


It took help from three security experts, Citibank's spokesperson, dozens of e-mails and almost a full working day of investigation to confirm that an e-mail I had seen from Citibank was not actually a clever phishing attempt.

This particular e-mail was sent by Citibank Australia at the end of October to inform customers that its online security system had been revamped so they should visit the Web site and update their log-in credentials.

However, around the same time this legitimate e-mail was being distributed by Citibank, the following phishing attacks were also taking place, according to UK-based phishing archive site MillerSmiles:

  • On October 23, in Indonesia, some people received e-mails telling them about an update to Citibank's security system. It asked them to update their log-in details.
  • On October 25, this time in Texas, users received an e-mail saying: "Citibank has changed security screening procedures for online banking, please follow the given instructions in order to comply with our additional security requirements".
  • On October 30, an e-mail that seemed to come from Citibank asked French recipients to confirm their e-mail address.
  • On November 4, some users reported an e-mail informing them that Citibank was updating its security systems: "Once you have enrolled in our security upgrade your pending Citibank account transactions will not be interrupted and will continue as normal," the e-mail said.

So how are online banking users supposed to tell the difference between a phishing e-mail and a real e-mail from their bank? Usually, the easiest way is to look for spelling mistakes and bad grammar.

Unfortunately, with the "flawless" e-mail that Citibank sent to Australian customers, fraudsters probably have the best template for future phishing attacks that they could ever hope for.

Phishing is not a new phenomenon and banks are losing more money than ever before because of this activity.

In the UK last week, the Association of Payment Clearing Services (APACS) said that phishing incidents have increased almost 1,500 percent year-on-year and UK banks lost around AU$56 million (22.5 million pounds) in the first six months of the year -- compared with AU$36 million (14.5 million pounds) during the same period last year.

So the problem is not going away.

The Australian Payments Clearing Association (APCA) does not release equivalent figures for the domestic market. However, I would be very surprised if the relative loss per user, or the increase in total losses, are any different.

What should banks do?

According to Neil Campbell, national security practice manager at Dimension Data, they should stop using e-mail altogether.

"In order to reduce the effectiveness of phishing e-mails I believe all banks should refrain from communicating with their customers via e-mail... In this case, Citibank may have been better off communicating this message to users via their Internet banking site either before or after they log on -- preferably after, in my opinion," Campbell said.

Patrik Runald, senior security specialist at antivirus firm F-Secure, believes that banks should "think twice" before e-mailing customers, and he suggests that more traditional methods of communication should perhaps be revisited.

"My bank in Singapore, DBS, is switching from a username/password combo to two-factor authentication and they sent snail mails to all their customers," he said.

"They also promoted it on their ATMs for a few weeks before making the switch.

"It makes much more sense to me to do it this way than sending e-mails," said Runald.

What possessed Citibank to send such an e-mail? Bronwyne Edwards, the consultant who first brought this issue to my attention, probably has the most believable explanation: "It looks to me like a couple of marketing people came up with it after having too much champagne at lunch".

That would do it!

Do you have any ideas how banks can cost-effectively communicate with customers without raising security concerns? I would be very interested in hearing your views (please be sober). E-mail me at or talkback below.

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

  • How bank should do it.

    Bendigo Bank uses a secure email built into your account. After logging on you can see if you have email. It's part of your account, and only allows you to read email from the bank or send email to the bank. Totally closed system, only between you and the bank. It's simple and effective and works.
  • Internal Messaging System

    Nowadays almost all banks have introduced a closed integrated messaging system for their account holders. The messages are viewable only when the account holders are logged in to their account. If there are any upgrades to their system, they could publish through their websites and branches/ATMs rather than sending emails. And also provide enough time for the message to reach account holders.
  • Citibank does have internal messaging

    I happened to be a client of Citibank's and couldn't believe my eyes when I saw the email discussed in the article. I was absolutely sure it was a phish. Checking the source, I was trying to figure out how the phishers used legitimate domain names to conduct their fraud until I realised that it had really been sent from Citibank.
    I can't agree with the author that that was the marketing guys' job. The idea of mass emailing customers is so silly that it has to come from no less than the A-P President himself.