Costumer support—We are grateful for your cooperation

The following is a sample of what you can receive (a first for me!) from who knows whom, asking you to go and change your password or something of the sort...

 

This is a scam: the site reproduces the bank's login screens and, of course, expects you to type in your account information. Once the crook has it, he can transfer whatever money he likes to wherever he likes...

This is most certainly why CitiBank blocks access to its login screens from outside the US. That is not much of a solution, though, since the crooks control thousands of computers inside the U.S., and they have every reason to bounce through a hundred or more machines before reaching their destination anyway.

First, the full header of the email I got:

X-Apparently-To:	alexis_wilke@yahoo.com via 206.190.38.202; Sun, 11 Jul 2004 22:43:01 -0700
X-YahooFilteredBulk:	220.55.152.14
X-Originating-IP:	[220.55.152.14]
Return-Path:		<488r4324@earthlink.net>
Received:		from 220.55.152.14 (220.55.152.14) by mta296.mail.scd.yahoo.com
			with SMTP; Sun, 11 Jul 2004 22:43:01 -0700
From:			"Citibank" <user-support4@citibank.com>
To:			alexis_wilke@yahoo.com
Subject:		Citibank informs you. [Mon, 12 Jul 2004 02:40:34 +0900]
Date:			Mon, 12 Jul 2004 02:40:34 +0900
MIME-Version:		1.0
Content-Type:		multipart/related; type="multipart/alternative"; boundary="----2cq7811609198u0992U6788107613851"
X-Mailer:		Mutt/1.5.1i
X-MimeOLE:		Produced By Microsoft MimeOLE V8.00.2500.1106
Content-Length:		9212
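The header block above already gives the scam away to anyone who reads headers for a living: the From: claims citibank.com while the Return-Path is an earthlink.net mailbox, the one Received: hop is a bare IP address that never announced a hostname, the message claims to come from both Mutt and Microsoft MimeOLE, and the Date: is some twelve hours off from Yahoo's delivery stamp. As an added example (not part of the original post), here is a small Python script that applies those four checks to the block above; the second, "clean" header block is constructed with the documentation domains example.com and example.net purely to show what a mail with no findings looks like.

```python
import email
import email.utils
import re
from datetime import timedelta

# The header block quoted above, verbatim except that the Received: line is
# folded the way it travels on the wire (continuation line starts with a space).
PHISH_HEADERS = """\
X-Apparently-To: alexis_wilke@yahoo.com via 206.190.38.202; Sun, 11 Jul 2004 22:43:01 -0700
X-YahooFilteredBulk: 220.55.152.14
X-Originating-IP: [220.55.152.14]
Return-Path: <488r4324@earthlink.net>
Received: from 220.55.152.14 (220.55.152.14) by mta296.mail.scd.yahoo.com
 with SMTP; Sun, 11 Jul 2004 22:43:01 -0700
From: "Citibank" <user-support4@citibank.com>
To: alexis_wilke@yahoo.com
Subject: Citibank informs you. [Mon, 12 Jul 2004 02:40:34 +0900]
Date: Mon, 12 Jul 2004 02:40:34 +0900
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="----2cq7811609198u0992U6788107613851"
X-Mailer: Mutt/1.5.1i
X-MimeOLE: Produced By Microsoft MimeOLE V8.00.2500.1106
Content-Length: 9212
"""

# Constructed, well-behaved headers (documentation domains only) to show that a
# sane message produces no findings.
CLEAN_HEADERS = """\
Return-Path: <alerts@example.com>
Received: from mail.example.com (mail.example.com [192.0.2.10]) by mx.example.net
 with ESMTP; Sun, 11 Jul 2004 22:43:01 -0700
From: "Example Alerts" <alerts@example.com>
To: someone@example.net
Date: Sun, 11 Jul 2004 22:40:00 -0700
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _domain(value):
    """Lower-cased domain of the address in a From:/Return-Path: value ('' if none)."""
    _, addr = email.utils.parseaddr(value or "")
    return addr.rpartition("@")[2].lower()


def _unfold(value):
    """Collapse header folding and runs of whitespace into single spaces."""
    return " ".join((value or "").split())


def _when(value):
    """Parse an RFC 2822 date; None if missing, unparsable or lacking a time zone."""
    try:
        dt = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return dt if dt.tzinfo is not None else None


def triage_headers(raw):
    """Return [(code, detail), ...] for things a mail admin would flag in raw headers."""
    msg = email.message_from_string(raw)
    findings = []

    # 1. The From: the user sees should match the envelope sender (Return-Path:).
    from_dom, rp_dom = _domain(msg["From"]), _domain(msg["Return-Path"])
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(("from_vs_return_path", f"From {from_dom} but Return-Path {rp_dom}"))

    # 2. A real mail relay announces a hostname in HELO; a bare IP is typical of a
    #    home machine talking SMTP directly to the victim's mail server.
    received = [_unfold(v) for v in msg.get_all("Received", [])]
    first_hop = received[0] if received else ""
    m = re.match(r"from\s+(\S+)", first_hop)
    if m and IPV4_RE.match(m.group(1)):
        findings.append(("relay_is_bare_ip", m.group(1)))

    # 3. Mutt and Microsoft MimeOLE cannot both have produced the same message.
    mailer, mimeole = _unfold(msg["X-Mailer"]), _unfold(msg["X-MimeOLE"])
    if mailer and mimeole and not re.search(r"microsoft|outlook", mailer, re.I):
        findings.append(("mailer_mismatch", f"X-Mailer={mailer!r} vs X-MimeOLE={mimeole!r}"))

    # 4. A Date: many hours away from the receiving server's own stamp is forged
    #    or comes from a badly set clock; neither is what a bank's relay does.
    sent = _when(msg["Date"])
    recv = _when(first_hop.rsplit(";", 1)[-1]) if ";" in first_hop else None
    if sent and recv and abs(recv - sent) > timedelta(hours=6):
        findings.append(("date_skew", f"delivered {recv - sent} after the Date header"))

    return findings


if __name__ == "__main__":
    for code, detail in triage_headers(PHISH_HEADERS):
        print(f"{code:20s} {detail}")
```

None of these checks needs the network; they only compare what the message says about itself, which is exactly where a forged mail contradicts itself. The X-Originating-IP and the Received: IP agree here, so that pair is not flagged; the reverse lookup of 220.55.152.14 would be the next step, done the same way as the dig -x further down.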

And here is the image they used to fake the link and the logos (I added a red border to flag that it is a fake).

Note that not only is the English incorrect, but a bank would simply never talk to you like that!

On the other hand, I'm pretty sure it works; some people most certainly fall for it when they see this type of email.

To be complete, the image itself was a link, so you are invited to click on it. The link goes to a bare numeric IP address rather than a named host such as citibank.com. For those interested, the IP address was 213.10.60.73. This is most certainly a modem on a consumer line, as the reverse lookup confirms: dig -x 213.10.60.73 gives me a name in the Netherlands:

73.60.10.213.in-addr.arpa. 86400 IN PTR ipd50a3c49.speed.planet.nl.

The complete address was as follows (I don't make it a live link because (a) it no longer works at the time of writing and (b) what would be the point of visiting a copy of a bank's website?!):

http://213.10.60.73/cit/index.html

Funnily enough, they didn't even bother to put the bank's full name in the path, nor to put the fake site behind HTTPS.

Yes! By the way, always verify the address in your location bar (do you keep it hidden?!). Whenever you use an account on the Internet that deals with your money (or your company's), you need to check the following:

  • The address must start with https:// -- if it doesn't, it isn't secure. (Some sites ask for your credit card details on a plain http:// server; those transactions may be legitimate, but they are NOT protected, meaning your information travels across the Internet as is, without any encryption.) Note that HTTPS only protects the data in transit; on its own it does not prove that the site belongs to the bank, which is what the next check is for.
  • Right after https:// and before the next '/' you have the name of the company you are dealing with. For citibank.com, that name always ends with citibank.com, possibly preceded by odd-looking labels (something.citibank.com): that is still Citibank. Two traps: the ending must be a whole label, so only citibank.com itself or something.citibank.com counts and fakecitibank.com does not; and if there is an '@' before that first '/', the browser ignores everything in front of it, so https://www.citibank.com@213.10.60.73/ actually takes you to 213.10.60.73.
  • Use the same amount of caution with your credit card details on the Internet as you would in a restaurant or a shop. Would you hand your card to someone who doesn't work there?
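As an added example (not from the original post), here is the address check from the list above written as a small Python function. It encodes the rules as stated (https only, host must be the bank's domain or a subdomain of it) plus the two traps, and it takes citibank.com as the expected domain because that is the bank in this scam; the sample addresses other than the one from the email are constructed for the demonstration.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit


def check_bank_url(url, bank_domain="citibank.com"):
    """Return the reasons an address should NOT be trusted; an empty list passes."""
    reasons = []
    parts = urlsplit(url.strip())

    # Rule 1: the scheme must be https (encryption in transit).
    if parts.scheme.lower() != "https":
        reasons.append("not HTTPS")

    # Trap: anything before '@' in the authority is user info and is ignored when
    # connecting, so https://www.citibank.com@213.10.60.73/ really goes to the IP.
    if "@" in parts.netloc:
        reasons.append("user@ in front of the real host")

    # Rule 2: the host (between https:// and the next '/') must be the bank's
    # domain or a subdomain of it. A plain "ends with citibank.com" test is not
    # enough (fakecitibank.com ends with it too), so the dot is required.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        reasons.append("no host name at all")
    else:
        try:
            ip_address(host)  # succeeds only for a bare IPv4/IPv6 literal
            reasons.append(f"host is a bare IP address ({host}), not a name")
        except ValueError:
            if host != bank_domain and not host.endswith("." + bank_domain):
                reasons.append(f"host {host} is not {bank_domain} or a subdomain of it")
    return reasons


if __name__ == "__main__":
    samples = (
        "http://213.10.60.73/cit/index.html",                    # the link in the scam
        "https://www.citibank.com@213.10.60.73/cit/index.html",  # constructed: '@' trap
        "https://fakecitibank.com/login",                        # constructed: suffix trap
        "https://citibank.com.example.net/",                     # constructed: wrong suffix
        "https://online.citibank.com/signin",                    # constructed: passes
    )
    for u in samples:
        print(u, "->", check_bank_url(u) or ["looks like the bank"])
```

The function only inspects the address; it cannot tell you whether the page behind it is genuine, which is why the list above still insists on the same caution you would use handing your card to a stranger.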

Now you really are informed. Note that at this time (2004) CitiBank.com is providing lots of information about these scams (but not showing very well what these emails actually look like; are they afraid of hackers using their "own" images to lure clients? I think these images are available all over the place.)

Note that they say the English is usually bad in such emails. Watch out: one day the English may be perfect... The address, however, won't lie (that name in your location bar).