The elaborate scam involves sending the victim a security code via SMS, mimicking the real process used by the bank for online transactions.
It’s a highly unusual inclusion – and an indicator that online scams are becoming increasingly sophisticated.
MailGuard immediately intercepted the email before it reached any MailGuard customers, but only one of 64 traditional antivirus vendors is detecting the malicious link as suspicious today, according to VirusTotal.
The criminals behind the scam tell victims their Citibank account has been ‘temporary limited’ due to invalid online log-in attempts. They direct them to click a link to sign into their account and restore their access.
The fraudsters use a highly realistic replica of the real Citibank website to persuade victims to hand over their User ID and password.
Victims who fall for the scam and type the security code into the replica Citibank website are then asked to hand over additional personal information such as date of birth and mobile phone number.
This is where things get interesting.
A new page advises that a ‘One-time PIN Authentication’ has been sent via SMS.
This mimics a real two-factor authentication security measure taken by Citibank. The ‘Citi OTP’ is a randomly-generated six-digit password used for authenticating online transactions, which is sent via SMS to customers’ phones.
The fraud website asks victims to input the security code, and advises that it might take up to five minutes to arrive via text message.
Presumably, this allows the scammers a few minutes to log in to the real Citibank website disguised as the victim. Using the fraudulently-obtained User ID and password, they can then make any transaction, triggering the correct security code to the victim’s phone via SMS.
Back on the fake site, when the victim inputs that security code, they’re in fact handing it over to the scammers.
This final step paves the way for them to make any transaction they like – putting the victim’s bank account in serious jeopardy.
Signs this Citibank message is a fake
One of the few hints that the email is a scam is that, while the email purports to be sent from Citi Australia, the reply address is an unrelated domain that appears to have been compromised.
While the landing page looks exactly like the real Citi Australia website, the URL reveals this is not the case.
The scammers try to trick visitors into thinking it’s the real Citibank.com.au site by prefixing the address with a subdomain spelled to match the bank’s domain. But the real website or domain in this particular scam is a compromised overseas-based site.
Hint: your internet browser should highlight in bold letters the page’s true website address or domain, in this case rtcproduction.cz – a Czech Republic company that hosts children’s parties.
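The check a browser is doing when it highlights the owner-level domain can be reproduced for email and web filtering. The following is an added example (not MailGuard’s or Citi’s code) that extracts the registrable domain from a URL and flags addresses where the bank’s name appears in the host but a different party owns the site; the sample URLs are constructed, and the suffix table is a stand-in for the Public Suffix List. It also covers the related trick of placing the brand name before an “@” in the address.

```python
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List (constructed for this example); a real
# filter loads the full list so that multi-label suffixes such as "com.au" resolve.
PUBLIC_SUFFIXES = {"com", "org", "cz", "au", "com.au", "net.au"}

def _split(url: str):
    """Return (netloc, hostname) for a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    return parts.netloc.lower(), (parts.hostname or "").rstrip(".").lower()

def registrable_domain(url: str) -> str:
    """The owner-level domain (eTLD+1) a browser highlights, e.g. 'rtcproduction.cz'."""
    _, host = _split(url)
    labels = host.split(".")
    # Scan from the longest candidate suffix down; the registrable domain is the
    # public suffix plus one more label to its left.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return host

def spoof_verdict(url: str, brand_domain: str) -> str:
    """'genuine' if the brand owns the site, 'spoof' if the brand name is merely
    embedded in the address (subdomain or user@host trick), else 'unrelated'."""
    brand = brand_domain.lower()
    netloc, _ = _split(url)
    if registrable_domain(url) == brand:
        return "genuine"
    brand_name = brand.split(".")[0]
    if brand in netloc or brand_name in netloc:
        return "spoof"
    return "unrelated"

# Constructed sample addresses modelled on the pattern described above.
SAMPLE_URLS = [
    "https://www.citibank.com.au/signin",
    "https://citibank.com.au.rtcproduction.cz/online/signon",
    "https://citibank.com.au@rtcproduction.cz/online/signon",
    "https://rtcproduction.cz/parties",
]

def triage(urls, brand_domain="citibank.com.au"):
    """Map each URL to its verdict; useful as a pre-delivery link check."""
    return {u: spoof_verdict(u, brand_domain) for u in urls}

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS).items():
        print(f"{verdict:9s} {registrable_domain(url):20s} {url}")
```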
Advice from Citibank about email fraud
Citi’s website suggests forwarding any suspicious emails to firstname.lastname@example.org. The bank also suggests ways customers can protect themselves:
- Go directly there: The best way to get to any site is to type its address (URL) into your browser and then bookmark it.
- Set up a login cookie: Some sites like Citibank.com let your computer remember your User ID. This way, when you return to the site from an email to sign on, your User ID will be visible in the sign-on box. A spoof, or fake, website will not be able to display your User ID. (Never use the Remember Me feature on a public or shared computer.)
For a few dollars per staff member per month, add MailGuard's cloud-based email and web filtering solution to your business security. You’ll significantly reduce the risk of new variants of malicious email entering your network.
Keep up to date on the latest email scams by subscribing to MailGuard’s weekly update or follow us on social media.