Claim:   Citibank is sending out notices asking customers to log in and verify their accounts.

Status:   False.

Example:   [Collected on the Internet, 2004]

Origins:   The notice reproduced above is yet another redirection scam (also known as "phishing") intended to deceive recipients into disclosing their credit card numbers, bank account information, Social Security numbers, passwords, and other sensitive information. Citibank customers were the target of at least two similar scams in 2003 (covered on our site here and

In this case the fraudulent message appears to be coming from Citibank itself, falsely announces that Citibank has had to "block some accounts connected with money laundering, credit card fraud, terrorism and check fraud activity," and urges recipients to log in using the provided link and "check their checking and savings accounts" to verify that the accounts are still active and the current balances are correct. However, the page the user is taken to after clicking the link does not reside on Citibank's site; it's a phony page hosted on a Korean web site and camouflaged to look like a real Citibank page. After the user attempts to log in through the phony page (supplying his ATM or credit card number and PIN in the process), he's presented with an error message proclaiming that the login failed due to a "system overload" and is then redirected to the real Citibank site (thus helping to obscure that he supplied sensitive account information to a non-Citibank site).

Scams that trick the trusting into revealing private information by having them "confirm" details presumably already in the possession of the one doing the asking fall under the broad heading of "social engineering," a fancy term for getting people to part with key pieces of information simply by asking them for it. The wary consumer's best defense to such maneuvers is a zipped lip (or, in the online world, an untapped keyboard). Protect yourself by volunteering nothing, even if you feel somewhat pressured by the one doing the inquiring. If someone on the telephone asks you to read off your checking account number for "verification," ask him instead to recite it to you from his records. If you get an e-mail announcing something dire has befallen one of your on-line accounts and requiring you to re-enter sensitive personal data to get things back on track, do not reply to it, and do not fill out any forms that accompany it or click through any hot links it provides. Instead, contact that service by telephone and ask them about the e-mail (or go directly to their web site — don't follow links provided in e-mail messages.)

The con artists are getting more sophisticated all the time, so do not be too quick to mistake the appearance of legitimacy or authority with legitimacy itself. Just because an e-mail looks like it comes from an entity you do business with doesn't mean it's genuine, and just because you're being directed to a web page that looks like that entity's home page doesn't mean you're not being sent somewhere else. Beware the wolf in sheep's clothing lest you end up his dinner.

Additional Information:

    Fraudulent E-mail Example   Fraudulent E-mail Example   (Citibank)

Last updated:   6 January 2008