As if e-mail spam and viruses weren’t enough to contend with on a daily basis, consumers must also continue to be wary of e-mail identity theft methods that are using trusted company names to lure victims.
Case in point: On Monday, an IT World Canada editor received an e-mail claiming to be from Citibank, a global financial services firm.
The e-mail’s subject line read “Citi: Important Message,” and stated that due to recent identity theft attempts targeting Citibank customers, the company was providing a link to its Web site where customers could “safeguard” their accounts.
“We require that you update your Citibank ATM/Debit card PIN,” the e-mail stated. “This update is requested of you as a precautionary measure against fraud. Please note that we have no particular indications that your details have been compromised in any way. This process is mandatory, and if not completed within the nearest time your account may be subject to temporary suspension.”
The e-mail contains a hot-linked URL, which opens a browser window where users can input their information. (The link produced a File 404 error message when IT World Canada attempted to open it.)
Citibank officials were unreachable at press time, but the company did confirm that the e-mail was, in fact, a scam and said it does not send e-mails requesting personal information from its clients.
According to Pete Simpson, ThreatLab Manager at e-mail filtering specialist Clearswift Ltd., banks simply aren’t doing enough to alert users to the existence of fake e-mails.
“There should be a prominent URL on bank home pages alerting users to the hoax e-mails and a dedicated helpline where users can go for advice,” he said.
Citibank appears to be following that advice. The bank offers an information page on its Web site (www.citibank.com) where recipients of these e-mail phishing attempts can read frequently asked questions, view reported fraudulent e-mails — some dating back to December 2003 — and report the receipt of a fraudulent e-mail.
Typically trusted sources, two Canadian banks found themselves in the middle of similar phishing scams last year. Toronto-based BMO Financial Group and Montreal-based Mouvement des Caisse Desjardins said in November that hackers sent out mass e-mails hoping to target legitimate bank customers. The e-mails told consumers to click on a link to verify e-mail addresses, customer numbers, passwords and memorable data — all the information needed to access someone’s bank account.
BMO, which learned of the scam from customers, contacted the Internet service provider hosting the spoof site, which immediately shut it down. Mouvement des Caisse Desjardins tracked down an ISP in Pennsylvania and had it close the other spoofed site.
—With files from IDG News Service