Since I’ve been on the subject of Phishing email, I decided to look into a balance transfer offer I got from Citibank.
While I was looking into it, I ran into an excellent explanation and example at PhishTank:
What to look for in a phishing email
- Generic greeting. Phishing emails are usually sent in large batches. To save time, Internet criminals use generic names like “First Generic Bank Customer” so they don’t have to type all recipients’ names out and send emails one-by-one. If you don’t see your name, be suspicious.
- Forged link. Even if a link has a name you recognize somewhere in it, it doesn’t mean it links to the real organization. Roll your mouse over the link and see if it matches what appears in the email. If there is a discrepency, don’t click on the link. Also, websites where it is safe to enter personal information begin with “https” the “s” stands for secure. If you don’t see “https” do not proceed.
- Requests personal information. The point of sending phishing email is to trick you into providing your personal information. If you receive an email requesting your personal information, it is probably a phishing attempt.
- Sense of urgency. Internet criminals want you to provide your personal information now. They do this by making you think something has happened that requires you to act fast. The faster they get your information, the faster they can move on to another victim.
Here is my email (without and with images), purportedly from Citibank, and potentially a Phishing attempt:
How does this “offer” stack up?
- Generic greeting. Well, they address me by name and include the last four digits of my account. That’s good.
- Forged link. Not so good here. I guess this will be the point of the post.
- Requests personal information. Good here. There is no request for information in the body of the email, but what about the links?
- Sense of urgency. Good again. My suspicious nature is soothed. Somewhat.
The links in this message are really suspicious, IMHO. Roll over any of the links, and for every one of them you see something like http://citibank.r.delivery.net/r?2.1.3L8.2ll.11q1vM.C3spKI..H.C%5ffI.3Cg.bW42MQ%5f%5fCTSMFNF0. “something.Delivery.net” does not say “trusted bank” to me. In fact, whois shows that delivery.net is registered to Acxiom Corporation, a leading provider of email marketing solutions.
I assume that the trailing garbage is encoded information that identifies me. I tried to open several of the pages after changing a couple of bytes of the string, and every one of them took me to Citibank Japan.
Exploring the Site
I decided this was a legitmate offer with problems rather than a phish, so I clicked a link.
The links redirect, and I end up at https://www.accountonline.com. That also does not look like Citibank. However, there are clues that it is legitimate. Second, the whois record does show that accountsonline.com is owned by CitiBank, N. A.
First, the address bar changes to HTTPS, and in Firefox, a green security indicator appears.
This indicates that the session is now secure, and that the securing certificate belongs to the entity shown in green. Anyone can get a certificate and set up a secure site. If the name doesn’t match, you may be getting conned. Click on the green area to get more information about the certificate.
What is this “Email Security Zone”?
The message has an Email Security Zone box at the top with some personal information. This is enough to assure me that, if it is a scam, it is targeted directly to me. Since I’m feeling egotistical and free to assume that they are out to get me, I’ll assume this is fake. But, what is it?
I click on the text and get redirected to citicards.com.
The site contains these gems of wisdom:
Check Email for Security
The best way to verify a Citi email is to look for the Email Security Zone header at the top of the email. Every Citi Cards email includes your first name, last name, and the last 4 digits of your card number.
Please note that Citi will never ask you for your PIN number, and will never include your full account number, password or social security number in an email–only the last four digits. If you receive an email claiming to be from Citi that includes or asks for your full account number, password or social security number, do not respond to it. Instead, forward it to firstname.lastname@example.org.
Be careful – If I were a scammer, I would invent a security badge and give it to myself. Then I would point out how that indicates how secure you are. Note that it is the last four digits that are useful, not the first four. Some scammers will try to lull you into a sense of safety by giving the first four digits, which are used to identify the bank or type of card and are very easy to guess.
Examples of Phishing Emails:
Your Citibank account was temporarily suspended
Protect Your Citibank Account
Citibank for Your Information
Citi Identity Theft Solutions
I love this part. Every one of these examples has this to say at the top:
Below is a fraudulent email that was sent to a customer. Although it looks like it’s from Citibank, it is not. To visit us, always enter www.citicards.com.
Yet, their own email has clickable links and buttons that all go to citibank.r.delivery.net or get redirected to www.accountonline.com. Come on, Citibank.
One more point to watch out for
Phishing email is often taken from real emails like this one and modified slightly. All the images and wording come from the original, and often from the legitimate site itself. Most of the links, such as “privacy”, “security”, “pay your bill”, “contact us”, will direct to the original, legitimate site. Even if most of the links check out, there could still be a viper in the nest.