Yesterday, this email message arrived in my inbox:
"Date: November 9, 2010 5:37 PM
Subject: View Your Account (Action Required)
Citibank Fraud Prevention
Due to your recent account activity, you need to confirm that the last transactions were made by you or another authorized user of the account. You can do this by following the link below:
Once your activity is confirmed, you can continue using your account normally.
Thank you for banking with Citibank!
Citi Online Banking Security"
Do you think that this email message was real? I hope not because it was a fake... a fraud, a phishing email that tried to trick me into clicking on the link to reveal my financial account sign-in credentials (e.g., ID and password). It was easy to recognize this phishing email:
- I don't rely on the sender's email address in the From line. Email addresses can be faked. A closer inspection of the email message is always wise
- The subject line is blatant: "Action Required"
- A bank or financial institution would never send an email message like this asking me to verify transactions. My bank does send alerts which I set up and customized myself for my own account management. The alerts from my bank look nothing like this and are triggered by a different set of factors
- Usually spelling mistakes and grammatical errors are tip-offs to phishing email messages. This one was pretty good, but a tip-off was the insistence that I had to verify something
- While the destination website address looked like a real CitiBank website address, it wasn't. I always mouse over a link first to see the actual destination in the bottom of my email message window. The real website destination is a page at Benburns.com. I don't do banking at BenBurns.com and I doubt that you do either
- The message implies my account was suspended: "Once your activity is confirmed, you can continue using your account normally." My bank wouldn't do this.
- There are websites that track phishing messages. If you aren't sure, you can search a website like PhishTank, which clearly lists the BenBurns.com destination site as a phishing site
- I don't have a bank account with CitiBank
The phishing message was easy for me to spot. Some are more difficult, as criminals create messages that appear to come from a friend, an employer, or a website you use regularly (e.g., eBay, PayPal). If you use the Internet, you need to develop your skill at recognizing phishing email messages. Phishing is a popular tool of identity thieves. Recently, phishing criminals have targeted U.S. military members and their families.
How did the fraudster get my email message? Most likely, a fraudster collected my email address since it is displayed on my I've Been Mugged blog. To learn more about how to spot phishing email messages, visit these resources:
I scored 100% correct on the PayPal quiz. How did you do?