Email about Citibank Payment: Is It Legit?

For what are obvious reasons, there are few targets scammers find more enticing than banks and online banking. Get someone’s bank login info and a criminal can quickly transfer all the savings and zero out every account balance into a complex network of offshore accounts. You log back in a few days later, perhaps after a check bounces or a credit card transaction fails, and – horror! – all your money is gone. That’s why it’s critically important to be highly skeptical of any email that’s ostensibly from any sort of financial institution. Not sure? Log directly into your account by typing in the URL into your Web browser, not clicking on a link from an email message or text message and check your inbox to see if the message shows up. Odds are, it won’t.

All that is just online banking 101 in the modern era, however, and where your particular email message is interesting is that it’s not actually a phishing attempt trying to get your Citibank credentials at all. In fact, it never even asks for your login or account information, because its goal is to infect you with malware. Now that malware might well sniff out account passwords or worse, but let’s follow the path to see how it all works.

To start out, here’s the email message itself (I got the same message. Coincidence? Nope, just a bulk mailing):

The more you look at this closely, the more there should be warning alarms in your head. For example, why is it emailed from “fb.sup@marriottmcy.net.ve”? The VE domain is Venezuela. Pretty darn sure that Citibank isn’t going to be sending notification emails from a server in Venezuela. At least, not unless you’re based in Venezuela.

Of course the 7817 is a random four digit sequence, but people who receive this email aren’t going to stop and wonder if that matches their account, because the center of the message demands attention: $3,426.48 paid out?

Then again, you can’t have the same transaction show up as both a credit and debit because those cancel each other out. Again, though, people aren’t going to spend the time to consider that. What are most people going to do? Click on the link.

But instead of doing that, your email program should pop up or otherwise indicate where that link will take you, because what it shows and where you go can be two very different URLs. As this one is, demonstrated in Gmail by the tiny preview URL window on the lower left of the email program when I have the cursor over this “secmail.citibank.com” URL:

Well, kids-education-support.com definitely does not sound like a Citibank secure email server, does it? 🙂

But… let’s say you didn’t slow down, you didn’t check, you weren’t cautious and just blindly clicked on the link. In this case a sophisticated email environment like Gmail is your friend, popping up this warning:

But maybe your email program doesn’t do that. Time to switch. Really.

So where do you go if you end up at kids-education-support.com? Turns out that it’s actually a download link, and the next thing that transpires is that you end up with a Word document in your Downloads folder:

I really, really hope you’re savvy enough to know never open unknown Word docs because it’s guaranteed that they’re going to have Word macro viruses or worse. This one we can safely preview, however, just to check its contents:

You caught what it says, yes? It’s telling you to “Enable content” so you can “see what’s inside”. What that really does is enable macros which then lets the document infect your Microsoft Word or Office installation or, worst case, infect your whole computer.

Just. Say. No.

As with so many other spam messages I’ve disassembled here on my site, this is intended to help remind you that every time, every single time, you need to be skeptical of any email from a financial institution. Indeed, it’s about time banks stopped using email at all, or at least stopped including any clickable links at all in their email messages. Regardless, be careful out there!

Pro Tip: I have been writing computer tips for years and they’re all here on the site for your perusal. Please spend a few minutes to check them out!