AR&D - Audience Research and Development

The First Word in AR&D is Audience

Terry Heaton's PoMo Blog

"Postmodernism is a change-or-be-changed world. The word is out: Reinvent
yourself for the 21st century or die! Some would rather die than change."

Leonard Sweet, cultural historian.

07/06/2004 Entry: "Citibank identity theft scam"

I get these kinds of things all the time, but this one is especially sneaky and legitimate looking. Here's an email I received this afternoon — allegedly from the address admin@citi.com — threatening the potential loss of my CitiBank debit card unless I changed the password immediately.

The email sounds serious:

Recently there have been a large number of identity theft attempts targeting CitiBank customers. In order to safeguard your account, we require that you update your Citibank ATM/Debit card PIN.

This is, of course, a scam to get CitiBank debit card numbers and PIN numbers. What follows will seem elementary to most who read this blog, but I'm doing this for the sake of those who aren't familiar with this stuff.

One way to check the validity of any of these scam emails is to open the email and click "View" and "Options". This reveals a pull-down screen:

This gives you a look at the message "Headers," the language that the Internet uses to deliver the message. Unfortunately, these can be manipulated, but there's always a giveaway. Here are the headers from the scam email:

Return-Path:
Received: from adsl-68-253-48-46.dsl.ipltin.ameritech.net ([68.253.48.46])
by egret (EarthLink Mail Service) with SMTP id 1bHSZ33J33NZFmj0
for ; Tue, 6 Jul 2004 09:39:53 -0700 (PDT)
Received: from 151.162.141.67 by 207.217.120.53; Wed, 07 Jul 2004 03:36:45 -0200
Message-ID:
From: "Citi Identity Theft Solutions" >
Reply-To: "Citi Identity Theft Solutions" >
To: terry@donatacom.com
Subject: Citibank: For Your Security
Date: Wed, 07 Jul 2004 03:35:45 -0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--1727158503021390875"
X-Priority: 3
X-CS-IP: 146.75.170.156

At the very bottom of the headers above, notice two lines that begin with an X. These "X parameters" will not look this way on a valid email. Here's an example of how they look on an email just I sent myself.

Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Importance: Normal

If you're ever concerned about the validity of an email, always begin your investigation here.

There's another sneaky giveaway on this one. The scam email contains a link that looks like it goes to the Citibank Website. Take a look:

https://www.citibank.com/signin/citifi/scripts/login2/update_pin.jsp

Here's the html code for that link:

This is the actual URL that the link is going to:

Once you get there, a nice, official looking Citibank page with a pop-up appears, where the unknowing are supposed to fill in their account and PIN numbers:

The only way to really protect yourself against Internet crime is to be knowledgeable about it. Consider yourself informed.

Replies: 1 Comment

Great public service Terry! I received that same email and was very surprised at its appearance. Looks incredibly authentic.

Posted by Cory @ 07/07/2004 02:23 PM CST

"The future is not something we enter. The future is something we create."

Leonard Sweet