The scam, known as "phishing," happens when thieves send consumers E-mails that appear to come from major corporations and direct them to bogus Web sites that look just like the company's real sites. The fake sites typically ask individuals to verify or update certain account information with personal data--in this case, Social Security numbers--which they then can use to obtain phony credit cards and other items.
Citigroup said it is working with law enforcement officials to investigate the fraudulent E-mails, adding that it doesn't ask customers to provide sensitive information in this way.
Though the E-mail's salutation reads, "Dear Citibank customer," several noncustomers received the E-mail--the first clue that it is fake. Still, at first glance, the E-mail looks authentic: It uses Citigroup's red and blue corporate logo and has a link to the official Web site. A closer look, however, shows that the message was sent not from Citigroup but from Juno.com and Yahoo.com addresses.
"We are seeing a lot of this, and it's been my contention that this is one of the biggest threats to brands and consumer confidence that we've seen over the Internet," said Stephen Cobb, senior vice president of research and education at ePrivacy Group, an anti-spam technology company in Philadelphia. "It's very distressing, and it can't help but have an impact on your assessment, not necessarily of the bank, but of online banking with the bank."
Cobb said his firm, along with several others, makes technologies that work to sort legitimate E-mails from fakes.
The fake Citigroup E-mail asks its so-called customers to "become acquainted" and "agree" to its new terms and conditions. If not, the unsigned E-mail says, it "will have to suspend (their) Citibank checking account." It then asks customers to click on a link to post their consent.
Federal officials, along with the National Consumers League and EarthLink Inc., the nation's No. 3 Internet service provider, recently warned consumers about this increasingly common scam. In addition to EarthLink, Citibank, Morgan Stanley's Discover unit, online auction company eBay Inc. and its PayPal unit, Wachovia Corp.'s First Union unit and the Massachusetts State Lottery reported previous phisher scams in recent months, according to The Wall Street Journal. The term "phishing" arose from the hacker community's frequent substitution of "ph" for the letter "f" in "fishing" for private data, the Journal said.
Citigroup, which is based in New York, is urging recipients of the E-mail to delete it immediately and report it to the company's customer service department.
The financial-services giant also assured customers that its systems haven't been compromised in any way. It urges customers not to send sensitive personal or financial information online unless it is encrypted on a secure Web site. Regular E-mails are not encrypted, and sending one is more like sending a postcard, the bank said. Customers should look for the padlock symbol on the bottom bar of the browser to ensure the site is running in a secure mode before entering any sensitive information. It also urges customers to "use strong passwords or personal identification numbers" on Internet accounts.