Email Identity Theft

There has been an increase in fake unau­tho­rized emails from crim­i­nals pos­ing as cor­po­ra­tions claim­ing to pro­tect theft iden­tity. Often these emails look legit­i­mate as they usu­ally include the com­pany let­ter­head and a mes­sage warn­ing you of impend­ing doom on your iden­tity. The ironic aspect of these emails is that the mes­sage, warn­ing you of iden­tity theft, is a bla­tant attempt at retriev­ing your per­sonal information.

For expe­ri­enced users and prop­erly con­fig­ured email servers, these mes­sages are fil­tered and imme­di­ately deleted. For the inex­pe­ri­enced, how­ever, it can lead to a dan­ger­ous sit­u­a­tion where your iden­tity and account infor­ma­tion is lit­er­ally handed over to a crim­i­nal. How do they accom­plish this? It’s sim­ple, they cre­ate a form using the spe­cific com­pany let­ter­head (CitiBank, Amer­i­can Express, Wash­ing­ton Mutual, etc.) ask­ing for your account infor­ma­tion. This usu­ally means your name and address and more impor­tantly your user­name and pass­word, which gives the crim­i­nal easy access to your bank­ing or credit account.

As I men­tioned, the tar­get is the inex­pe­ri­enced user, who in an attempt to avoid “account ter­mi­na­tion or sus­pen­sion” fork over their infor­ma­tion think­ing they are doing the right thing. Recently, I received an email from a per­son claim­ing to be in charge of Iden­tity Theft Solu­tions from CitiBank.

Here is the email in its full context:

CitiBank fake email example

It was easy to iden­tity the email as fake using the fol­low­ing visual indicators:

The sender email was from CITIBANK [identdep_op7216172929@citibank.com], which apon first glance looks legit­i­mate. How­ever, one must real­ize that any email address can be eas­ily spoofed using a vari­ety of meth­ods includ­ing mask­ing the email address. Gen­er­ally, spam­mers spoof email addresses to pre­vent peo­ple from find­ing out who they really are. This also applies to crim­i­nals on the look­out for account infor­ma­tion who would rather not be caught by the law.

In this case, if the email were legit­i­mate, CitiBank would not state “Do not reply to this email”. It’s a good habit, if you’re sus­pi­cious, to go ahead and reply to the orig­i­nal sender about the legit­i­macy of the email and be sure to check the mes­sage header. In Out­look, Right-click the email and select Options. A “Mes­sage Options” win­dow will popup show­ing you the detailed mes­sage header. It’s impor­tant to take a look at the Received: infor­ma­tion, as shown below (it indi­cates the orig­i­nal sender loca­tion and IP address):

CitiBank fake email header

Another red flag for this email is that the con­tent itself is rep­re­sented by one graphic; in this case the Citibank logo and mes­sage text beneath the logo. There is absolutely no text in the email itself, every­thing is instead rep­re­sented by the image. If this was a legit­i­mate email from Citibank, it would include a let­ter­head and actual text in the mes­sage body. Unless it’s a promo from Citibank adver­tis­ing some­thing like cheap account fees, then dis­card the mes­sage and do not reply under any circumstances. 

  • http://atomicplayboy.net/ Johan Svens­son

    I get tons of those to my old Yahoo mail account (since aban­doned in favor of Gmail, though I never relly use web­mail at all). All of them had the usual obfus­cated titles like “Cïïïtib4nk” to try to get past spam filters.

    I did once get one that, shock and gasp, didn’t con­tain a sin­gle spelling error!

  • http://www.kartooner.com kar­tooner

    This email, in par­tic­u­lar, seemed to be the most coher­ent of the bunch. The graphic attach­ment was a dead giveway.

  • http://www.maxriffner.com max

    I set (Apple) Mail to not dis­play any images on incom­ing mes­sages, so these are usu­ally pretty easy to spot. I tend to get a good deal of bogus Pay­pal messages.

  • http://www.kartooner.com kar­tooner

    Max: I think it’s cheap to use an image for the entire con­text of the email, regard­less if its legit­i­mate or not. Pay­pal, Con­stant Con­tact and Brain­bench will peri­od­i­cally send out legit­i­mate emails mostly com­prised of images and lit­tle to no text.

    For peo­ple like you (and I) who dis­able images in emails, their mar­ket­ing cam­paigns are cer­tainly not hav­ing the effect they would want. Some peo­ple even dis­able HTML emails entirely, so it’s advis­able for these com­pa­nies to send two ver­sions; both a plain-text bare­bones email and a full on HTML email.

  • Dad

    Good job.…nice work

  • http://www.ooler.com Don­nie

    Why do peo­ple do online bank­ing if they barely know how to use a computer?

  • http://www.qviri.net/ Jarek Piórkowski

    The dead give­away is ALWAYS the link which is spoofed only if you’re using an unpatched Inter­net Explorer.

    If you ARE using an unpatched Inter­net Explorer, be advised that I am bor­der­ing on decid­ing you’re get­ting what you deserve.

  • http://www.dzinelabs.com Luc

    Mmmm, i may be a bit naiveve here but… are there really idiots out there who actu­ally do click on that link????

    Never mind, .…. i think i know the answer to that one already

  • Pingback: 9rules Network: Weblog()

  • http://www.juicedthoughts.com Bryan

    Lately, I have been get­ting email FROM MY OWN EMAIL ADDRESS, being sent back to me. When I open it, it’s always a blank email.

    Weird.

  • http://www.betobeto.com beto

    Great post and timely advice Erik. Some­times it’s eas­ier to detect a phish­ing scam if you see give­aways such as poor Eng­lish spelling, URL link hov­er­ing (I have dis­cov­ered many pseudo-Paypal emails being from Russ­ian ori­gin instead), and check­ing full header mes­sages as you put above. Other times, how­ever, is not that sim­ple, and even being a web geek won’t save you from being fooled if you don’t take your time to ver­ify the message’s authen­tic­ity. You have a pretty nice check­list up there.

    If you ARE using an unpatched Inter­net Explorer, be advised that I am bor­der­ing on decid­ing you’re get­ting what you deserve.

    Well for me I’d save a few words and leave it at “if you ARE using Inter­net Explorer” instead, but who’s quibbling. 😉

  • Dovet

    What is equiv­a­lent to attach­ing a brick to the email and putting it in return mail? Shouldn’t we actu­ally be respond­ing to these with bogus infor­ma­tion? Couldn’t the right infor­ma­tion actu­ally trap them somehow?

  • http://AOL Damari Strat­ford

    The let­ter I’ve included with this email is from a con­cerned client of Citibank.

    My ques­tion is will the teller be fired and if not why not? This teller left out about $10,000.00 in the unlocked front drawer 2 dif­fer­ent times with in a two week period and had two short­ages in one year, one for $100.00 and the other for $450.00.

    Where the cash drawer is con­cern two employ­ees signed the vault book stat­ing they wit­ness her put the cash away, obvi­ously not true. One of these two employ­ees had the bank pay for her daugh­ters over­drafts and the man­age was aware, against com­pany pol­icy. This teller entered false refer­rals into the sys­tems to make the banks num­bers look bet­ter and this was done under the super­vi­sion and direc­tion of the super­vi­sor, when I brought this up to the man­ager none of the three tellers which input false refer­rals were writ­ten up, fal­si­fy­ing bank doc­u­ments and no write up but I get writ­ten up for miss­ing a Sat­ur­day, why? Unfair and unequal treat­ment by the manager.

    Where are the ethics? As I’ve stated, the uneth­i­cal employ­ees still have jobs and I get fired after the man­ager receives my email on 12÷13÷05 at about 1:45 p.m., and he acknowl­edges receiv­ing it, it clear­ing answers his question/comment that he was call­ing to see if I was com­ing. The email states that my doc­tor had called in and spoke to Kath­leen: as well as fax­ing in my doc­tors note which the man­ager returned to me with my ter­mi­na­tion let­ter received two days after I had been fried with no check, with no break down expla­na­tion, no vaca­tion pay, mis­lead­ing infor­ma­tion and so on, note clearly stat­ing my dis­abil­ity time off. Did he read the doc­tors note? Did he let upper man­age­ment know that my doc­tor had call and faxed information?

    The man­ager called I returned his call but he was with a client.

    I requested to com­mu­ni­cate via email and I emailed him, Kath­leen and Human Resource, so why was I fired some­time after he received my email and the end of the day if he was just call­ing to see if I was com­ing in and if not to con­tact HR? Unfair and unequal treatment.

    It makes no sense. Why weren’t the labor codes fol­lowed? Did he get HR per­mis­sion to fire me? Why then wasn’t my check included with my let­ter of ter­mi­na­tion? Aren’t I to be fired at the loca­tion which I work? Were my rights vio­lated when he had Kevin send me my ter­mi­na­tion let­ter, did he know I was get­ting fired prior to me receiv­ing my letter?

    March 252006

    Dear Ms. Deloney,

    I would like to take a moment and thank you for respond­ing to my com­ments regard­ing Damari and the man­ager. I am sure that you are a very busy and impor­tant per­son and I appre­ci­ate your time. Damari is truly missed at the bank, since her unfair ter­mi­na­tion by the manger, the atmos­phere at the bank is bor­ing to say the least. Damari added life and laugh­ter and she enjoyed serv­ing the cus­tomers. I feel deeply, that the man­ager made a huge mis­take in dis­miss­ing her while she was ill. What kind of a man­ager would dis­miss an employee while they are ill?

    As I say this, I now have fur­ther con­cerns about another teller name Andrea. I was in the bank and was told that she has injured her knee and will be out of work for about six weeks. I’m sure that Andrea has a doc­tors note as Damari did, I hope that the man­ager doesn’t make the same mis­take and decides to ter­mi­nate her and mail her a let­ter before she returns as he did Damari when he ter­mi­nated her instead of wait­ing for her to get well and return to work. Although I would under­stand if he were let her go as she spends most of her time at work doing her home­work , read­ing and she isn’t avail­able every­day. Andrea will move on, on her own to become a teacher, this is what she goes to school for two days a week. By her going to school, I feel this puts a strain on the staff. I under­stand that the rest of the tellers along with Kath­leen are now hav­ing to work six days a week and Kath­leen is run­ning a win­dow: she doesn’t have the charm or cus­tomer ser­vice skills which Damari offered the bank.

    We go into the bank often and we rarely see that man­ager. I feel that it would be in the best inter­est of the bank to find a per­ma­nent man­ager as soon as pos­si­ble, one whom appre­ci­ates com­pe­tent employ­ees as Damari. Frankly, I don’t under­stand how a tem­po­rary man­ager was given the author­ity to dis­miss an employee such as Damari with her won­der­ful skills , tal­ents and ded­i­ca­tion to her job. There­fore my con­cerns are now for Andrea whom doesn‘t com­pare with the kind of ser­vice Damari offered your cus­tomers. As I stated before, the other tellers spend too much time speak­ing to cus­tomers about per­sonal things and shop­ping on the com­puter instead of bank­ing con­ver­sa­tions. I fre­quently wit­ness them read­ing and eat­ing while at their win­dows: this is very unprofessional.

    I feel it would be in the best inter­est to Citibank to launch a com­plete inves­ti­ga­tion on the man­ager, as you stated would be done and seri­ously con­sider remov­ing him from Carmel. In my opin­ion since he arrived the atmos­phere is tense and if I can sense it I am sure that other cus­tomers do. This man­ager has taken all the per­sonal touch and charm out of the bank and I feel the employ­ees fear for their jobs: no one should have to work under those con­di­tions. Keep­ing this man­ager at this or any branch is sure to destroy you busi­ness. Again, thank you for your let­ter and tak­ing the time to look into this situation.

    Sin­cerely, Clif­ford Bag­well

    In a let­ter dated 01÷06÷06, Citibank states, Pur­suant to Sec­tion 1089 of the Ca. Unem­ploy­ment insur­ance Code, regard­ing noti­fi­ca­tion of changes in employ­ment sta­tus, please be advised that your employ­ment was ter­mi­nated on 12÷13÷5 for fail­ure to fol­low call in pro­ce­dures RE Section1089 and other codes which Citibank may have vio­lated
    Other codes they may have vio­lated labor code sec­tion 208, 226, 226.3,201.25,2441, 2800,2802,2926,2927,6400,3602(6),3852,2922,civil code 47©
    I was fired on 12/13/05,it states that each employer shall notify the employee imme­di­ately, yet I didn’t find out until 12/15 as I received my notice of ter­mi­na­tion via UPS on 12/15.

    When I was fired I was not sup­plied with “copies of printed state­ments or mate­ri­als relat­ing to claims for ben­e­fits by Citibank. Citibank claims that I didn’t fol­low the call-in pro­ce­dure yet my doc­tor called on 12/12 & faxed in a notice which stated that I would be out from the 12th-16th. Jeff claims that he called me to see if I was com­ing in on 12/13 at 10:25am,almost 2hrs after my shift started, he states that if I wasn’t com­ing in that he wanted me to con­tact HR to inform them of my extended absence. How does one go from call­ing to see if I’m com­ing in & ask me to call HR to Jeff stat­ing & decid­ing that I should be fired yet in my email to him at 1:45pm on 12/13 it states that the doc­tor had spo­ken to Kath­leen & faxed in my doc­tors note which he returns to me w/letter of termination.

    How does he jus­tify ter­mi­nat­ing me? I was out on work related stress and my blood pres­sure, my doc­tor called for me to keep my stress & blood pres­sure down, as far as not call­ing in I had my doc­tor call: the call was made for me to pro­tect my health. Why wasn’t it stated in my ter­mi­na­tion let­ter that I failed to fol­low the call in pro­ce­dure. Why does Citibank state to the DFEH that I called in on 11/15 & said that I would be out the rest of the week yet I worked on the that day & the super­vi­sor approved my time­card on 11/22. What else are they not being hon­est about?

    Why are the employ­ees which fal­sify bank doc­u­ments & break pol­icy still have jobs?
    Reply to Damari Strat­ford 1291 Ord Grove Ave, Sea­side 93955 8315839077

    CITIBANK IS NOT BEING HONEST WITH DFEH
    THIS ISLETTERSENT MY GOVERNOR

    Dear Gov­er­nor, First Lady and staff,

    I have been awake since 1:05 a.m. I was hav­ing a dif­fi­cult time sleep­ing again due to my con­ver­sa­tion with Ann Lueck­e­man from the DFEH. Ann and I spoke on 3÷08÷06, Citibank appar­ently faxed in their reply on 3÷07÷06. Ann read to me some of the state­ments that Citibank made on their reply Citibank states: that I called in on 11÷15÷05 and that I stated that I would be out the rest of the week, this is a lie!!! I hap­pen to have my time card for the week end­ing 11÷19÷05 and it clearly shows that I worked the 15th, I was off the 16th and I worked the 17th and that I was out sick on the 18th and 19th and that the man­ager approved my time. Citibank states that I refused to work on Sat­ur­days but they don’t men­tion that I, unlike them, was will­ing to meet them half way. Citibank is not telling the truth. To fur­ther sup­port that I was at work on the 15th and 17th I have my jour­nal notes with spe­cific times of things that occurred on those two days.

    How does an hon­est and eth­i­cal per­son fight against uneth­i­cal peo­ple who lie? How can I pro­tect myself if I can’t afford an attor­ney and I can’t find one to work on a con­tin­gency basis? The other night, on TV, my hus­band and I heard that the gov­ern­ment spends 4 mil­lion to train wasp and I can’t get help from The White House or our Sen­a­tors or Con­gress, to defend myself against a cor­po­ra­tion which is tak­ing advan­tage and lying about this sit­u­a­tion? The only one that has offered to help is the Gov­er­nors office and although I appre­ci­ate the let­ter and the call from the Gov­er­nors office this does not get me an attor­ney. I have dili­gently search for assis­tance to no avail. I am now beg­ging for help, I can’t con­tinue to loose sleep and live on anx­i­ety med­ica­tion; this sit­u­a­tion is wear­ing on me. Again, please, is there any­thing more that you or our gov­ern­ment can do to help my fam­ily and I, for this wrong­ful ter­mi­na­tion? Why is Citibank lying? I feel like I am going to have another panic attack and I had to resign to tak­ing med­ica­tion to calm down. This is totally and com­pletely unfair, unjust, wrong and no one should have to go through what Citibank has put my fam­ily and I through. I only won­der how many other wrong­ful termination’s Citibank has got­ten away with because peo­ple are afraid to go up against them or just don’t have the money to fight and pro­tect them selves? My hus­band and daugh­ter are wor­ried about me and so am I.

    PLEASE HELP US. I don’t know what else to do and I don’t want to give up.

    Sin­cerely.
    Damari Stratford

    A BETTER EXPLANATION — Mother fired by Citibank for no good reason.

    I am search­ing for an Employ­ment Attor­ney will­ing to work on a con­tin­gency basis. I was fired while I was out sick, the man­agers states in a note added to my per­son­nel file that he had called me to see if I would be com­ing into work on Dec. 13th but yet with my let­ter of ter­mi­na­tion he returned to me the faxed in doc­tors note, faxed in at 3:44p.m. on 12÷12÷05 by my doc­tor, which clearly stated that I would be out from 12÷1212÷16÷05.

    He sent me my let­ter of ter­mi­na­tion thru UPS, which arrive on 12÷15÷05. The man­ager knew that I was out on work related stress and I had a work­ers comp case pend­ing. The man­ager states that I was fired for not com­ply­ing with my warn­ing and I asked how I could com­ply if I wasn’t there to com­ply so then I get a let­ter from HR stat­ing that I was fired for fail­ure to fol­low the call in process but my doc­tor had called in for me on the 12th due to my stress level and blood pres­sure. The doc­tor had spo­ken to the super­vi­sor on the 12th so they were aware that I wouldn’t be in on the 13th and my doc­tor has the notes on my file that she had made a call in for me. Citibank did not fol­low their own pro­ce­dures when they fired me. The EEOC has given me the right to sue and the let­ter arrived on 2÷17÷06 so my 90 days have started. The DFEH has also launched their own inves­ti­ga­tion which Citibank received notice on 1÷23÷06 and should be respond­ing to the notice any day now, (as of 3/8/06they haven’t responded). I had an out­stand­ing per­for­mance his­tory with the bank; I had worked there for 4 years 2 months 6 days. I was the head teller one of the notary and the only Spanish-speaking teller. I have at least 40 let­ters of sup­port from Citibank clients and I can prove that the man­ager was not equal with all the employ­ees and although he was aware of the teller cook­ing the books under the direc­tion of the super­vi­sor none of them were put on cor­rec­tive action yet I was writ­ten up for miss­ing my first Sat­ur­day and then again when I missed my 2nd Sat­ur­day although I had a doc­tors note to be out of work due to my blood pres­sure and stress brought on by the man­age and the unfair­ness in treat­ment. I had been threaten with job aban­don­ment but at that time I hadn’t missed any work long enough to be accused for this. Citibank vio­lated code 132A of the worker comp law and I do have an attor­ney for that but they are unable to deal with all the other issues.

    I have a strong feel­ing that the man­ager never told HR that my doc­tor had called in for me nor did he share my doc­tors note with them, he is to get approval from HR before fir­ing me yet fired me by 4:30 pm or so, I had also emailed him that day at 1:45 pm and explained that my doc­tor had spo­ken to the super­vi­sor and faxed in a note, again he was aware that I wouldn’t be in. The man­ager had called my cell phone and left a mes­sage at about 10:25 am, he states that he called because I hadn’t called in a half an hour prior to my shift, which started at 8:30 a.m., why did it take him 2 hours before call­ing me? And I would bet that the super­vi­sor had made arrange­ments to have a teller there to cover my shift since my doc­tor called her. Please help my fam­ily and I.
    Sin­cerely, Damari Stratford

    Home 8315839077 all calls to this num­ber are screen due to tele­mar­ket­ing calls and my cur­rent sit­u­a­tion so once you hear my voice say­ing that all calls are screened please leave a mes­sage, once I hear who is call­ing I pick up the phone.

    Cell phone 8312360112 this is the best num­ber to leave a message.

    Again please help us.

  • Chris

    Hey I got that e-mail a few days ago!

    Fight the good fight but pleeeeease next time summarize!

  • Pingback: IT Help Central - The Report On Identity Theft and Attacks On …()

  • http://identityprotectionreviews.org/ IDTheftRe­view

    With all that’s being reported about scams in the inter­net, some peo­ple can’t be blamed for stick­ing to good old fash­ioned trans­ac­tions. These iden­tity thieves hardly have any scru­ples and they will stoop down to the absolute low just to steal from peo­ple. Being hit with this kind of scam is a ter­ri­ble thing but it would be best to do some ver­i­fi­ca­tion the next time.