A series of phishing campaigns masquerading as official Citibank correspondence caught the attention of Bitdefender Antispam Lab researchers last week.
According to our internal telemetry, cyber thieves are targeting bank customers with thousands of phony email messages that aim to steal personal information and online credentials. The ongoing campaigns focus on the US, with 81% of the fraudulent correspondence ending up in American inboxes. However, 7% of the emails have also reached the UK, 4% South Korea, and a limited number in Canada, Ireland, India and Germany.
40% of the bogus emails appear to have been sent from the US and 13% from IP addresses in Mexico.
Although some of the phishing emails use the Citibank logo to resemble official correspondence from the financial institution, the scammers put little effort into spoofing the sender’s email address and fixing punctuation errors in the email body.
Email subject lines are as follows:
- Account Confirm Confirmation Required
- Second Reminder: Your Account Is On Hold
- Security Alert: Your Account Is On Hold
- Urgent: Account Confirmation Required
- Urgent: Your Citi Account Is On Hold
In one version of the phishing attacks, fraudsters inform recipients that their accounts have been temporarily suspended due to “incomplete registration of account data.” They even cite fake transactions or payments, or suspicious logins to panic recipients into verifying their account.
The “verify account” button leads recipients to a near-perfect clone of the Citibank online portal, where they are prompted to log in with their user ID and password.
A less convincing example of a similar Citibank phishing email can be seen below:
Campaign 2: Congratulations ‘you’ve won’ 10 million dollars
Fraudsters posing as financial institutions will go to any lengths to steal login information or financial data from victims. Additional attempts at defrauding consumers come in the form of more obvious phishing emails that notify recipients they’ve become millionaires.
Our researchers picked up the fraudulent emails between Feb. 11 and Feb. 15. 30% of the phishing emails seem to originate from IP addresses in India, 28% from Norway and 16% from the Netherlands. Distribution-wise, 36% of the emails reached users in the US, 34% in Denmark, 7% in Sweden, 7% in the UK, 4% in Ireland, and 3% in South Africa.
The scammers deploy two variants of the scheme, which closely resembles a lottery email scam. Instead of using the names of legitimate lotteries, or citing bogus online raffles you never signed up for, the phishing emails notify users they’ve been chosen to receive financial compensation from the United Nations.
In one example, you’re one of the ‘lucky’ 150 individuals chosen to receive $5 million via Citibank. Why? Because ‘you are listed and approved for this payment as one of the scammed victims to be paid this amount,’ the fraudulent email reads. Of course, the scammers want you to reply so they can continue the charade and ask for your personal data to finalize the transfer to your account.
Here’s a more obvious take on the scam:
Compelling phishing emails shouldn’t be so hard to follow. Either way, you get the gist. The scammers want you to hand over your personally identifiable information so they can supposedly wire you $10 million. You need to act quickly and send the crooks the key details that will allow them to steal your identity – full name, address, age, phone number, and, obviously, a scanned copy of your ID.
Protecting your identity and bank account
Responding to fake email alerts from banks can lead to serious consequences, including identity theft and fraud. Phishing correspondence generally mimics legitimate notes sent by your bank and is designed to pressure you into taking immediate action.
They can contain real bank logos and use genuine layouts, and they always ask you to perform an action such as verifying your data, opening an attachment, or filling in an online form with personal and sensitive information such as your SSN, PIN, email address and password.
We advise users to remain vigilant and to reject any demands mentioned in unsolicited correspondence, and always check for warning signs, including the sender’s email address and embedded URLs.
Users should also keep in mind that urgent matters regarding suspicious transactions often require a phone call from the financial institution, which will never ask for your PIN or extra security codes.
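The warning signs listed above (a sender address that doesn’t match the brand in the message, the campaign’s known subject lines, and embedded links that point somewhere other than the bank) can be checked mechanically. The script below is an added example, not tooling from Bitdefender or from the article: it parses a raw email, flags each of those three signals, and runs over two constructed messages. The subject lines come from the article; the legitimate sender domains `citi.com` and `citibank.com` are an assumption standing in for whatever allow-list a mail team maintains, and the sample addresses and hosts use the reserved `.example` TLD.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Subject lines observed in the campaign, as listed in the article (lower-cased for matching).
KNOWN_SUBJECTS = {
    "account confirm confirmation required",
    "second reminder: your account is on hold",
    "security alert: your account is on hold",
    "urgent: account confirmation required",
    "urgent: your citi account is on hold",
}

# Assumption: domains the bank legitimately sends from. Replace with your own allow-list.
LEGIT_DOMAINS = {"citi.com", "citibank.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _is_legit_host(host: str) -> bool:
    """True if host is an allow-listed domain or one of its subdomains."""
    host = host.lower()
    return host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS)


def _body_text(msg: Message) -> str:
    """Collect the text/plain and text/html parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_email: str) -> list[str]:
    """Return a list of phishing indicators found in a raw RFC 822 message (empty = nothing flagged)."""
    msg = message_from_string(raw_email)
    findings = []

    # 1. Brand/sender mismatch: the message talks about Citi but the From domain is not the bank's.
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = msg.get("Subject", "").strip()
    if "citi" in (display_name + " " + subject).lower() and not _is_legit_host(sender_domain):
        findings.append(f"brand/sender mismatch: From domain {sender_domain!r}")

    # 2. Subject line seen in the campaign.
    if subject.lower() in KNOWN_SUBJECTS:
        findings.append(f"known campaign subject: {subject!r}")

    # 3. Embedded links whose host is not the bank's.
    for url in URL_RE.findall(_body_text(msg)):
        host = urlparse(url).hostname or ""
        if not _is_legit_host(host):
            findings.append(f"link to non-bank host: {host!r}")

    return findings


# Constructed sample messages (not real campaign artifacts); .example is a reserved TLD.
PHISHING_SAMPLE = """From: Citi Alerts <alerts@mail-secure-update.example>
To: customer@example.com
Subject: Urgent: Your Citi Account Is On Hold
Content-Type: text/plain; charset="utf-8"

Dear customer, your account has been temporarily suspended due to
incomplete registration of account data.
Verify your account now: http://citi-verify.example/login
"""

LEGIT_SAMPLE = """From: Citi <no-reply@citi.com>
To: customer@example.com
Subject: Your monthly statement is ready
Content-Type: text/plain

Your statement is available at https://online.citi.com/ after signing in.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, "->", triage(sample) or "no indicators")
```

Each indicator on its own is weak (a bank may use a third-party mailer, and a legitimate message may link to a statement host), so in practice the findings feed a score or a manual review queue rather than an automatic block; the combination of a known subject line, an off-brand sender domain and an off-brand login link is what makes the first sample stand out.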
Here at Bitdefender, we are committed to keeping your data and money safe from phishing and online scams of all kinds. If you’re wondering whether a website is trying to scam you, check out the Bitdefender Total Security trial, free of charge for up to 90 days. Our advanced anti-fraud and anti-phishing filtering systems warn you whenever you visit a fraudulent website to keep you out of danger. Phishing websites masquerading as trustworthy pages are automatically blocked, while the real-time data protection feature fends off new and existing e-threats, including credential-stealing Trojans and ransomware.
Note: This article is based on technical information provided courtesy of Bitdefender Antispam Lab