New Citibank email scam spreads

A new spoofed Citibank spam email is doing the rounds in an attempt to part unwitting victims from their credit card details, PIN number and email account details.

Citibank warned customers last month about a spam email scam that informed recipients their Citibank account would be suspended unless they accepted new terms and conditions. A link in the email directed them to a fake, but convincing, Citibank website that requested the customer's name and bank card details.

Citibank took the unusual step of issuing a statement to all its customers saying: "Although the e-mail appears to come from Citibank regarding 'Your Checking Account at Citibank,' it does not, and Citibank is in no way involved in the distribution of this e-mail."

But one silicon.com reader, Remo Cornali from Italy, has forwarded on a new fraudulent Citibank scam, which has begun to spread over the weekend.

It uses a new twist on the traditional 'phishing' technique of spamming thousands of users with a scam email that links people to a fake banking website to steal their personal and financial details. Instead, it says the person has received a payment of $217 via Citibank's online wire service, c2it.com. One giveaway that all might not be as it seems, however, is the appalling spelling and grammar.

The email seen by silicon.com said: "Your email is not registred [sic] with us, you need to setup [an] account with us and verify your identity. Please fill this form to be enrolled to c2it.com service. Once you register, the money will appear in your c2it's account balance in your overview page. You can withraw [sic] the outstanding balance to your credit or debt [sic] card's bank account."

As ever, there is a twist, and anyone foolish enough to enter their details can probably expect their card to cleaned out fairly swiftly and their email account used for further scams. Cornali said the server set up to collect the financial details is in South Korea.

Chris McNab, technical director of security consultancy Matta, said spoofing is easy because of the inherent insecurity of messaging and internet protocols and that user education and the use of spam filters are the only ways to combat this type of scam.

"The only way to mitigate that risk is to teach users to be more vigilant. You should never be asked for credit card details by email. And I'm pretty sure a good spam filter would stop many of these messages," he said.

A spokeswoman for Citigroup said the company is working with law enforcement to investigate the email fraud and have the fake site shut down, and warned customers not to be fooled into giving out their account details.

"Citibank does not ask customers to provide sensitive details in this way. We believe no customer information or systems have been compromised," she said.