Fraudulent E-Mails and Phishing

There is a rapidly growing Internet fraud called “phishing.” Phishing (pronounced "fishing") is a slang IT term which refers to fishing for personal information such as account numbers, passwords, PINs, credit card account or Social Security numbers online.

Phishing is fast becoming one of the most insidious online identity theft scams: fraudulent email messages (spam) are sent to unsuspecting victims' email addresses, requesting that they supply confidential information. The email message may include a warning that there is a problem with your account or that the account will be closed unless you reconfirm confidential information.

These emails and links to so-called official sites appear to be quite authentic, but are really baiting you to give up valuable information. Phishers' latest ploy involves using multiple channels to try to get at your private information, asking people to call in instead of using email to obtain user IDs and passwords.

So how do spammers "phish?" These scammers take advantage of a security hole inherent in SMTP email logic to impersonate another's domain. A phisher falsifies the domain in the email header and copies the look and feel of a company's web site to make you believe the email is from an authentic site.

Identity theft is estimated to rob over half a million people of their identities each year. Once someone steals your personal information, it can be used to establish credit, borrow money, purchase goods and services, and even commit crimes -- ruining your good name and your credit.

How can you protect yourself?

Here is a list of steps you can take to protect yourself from being the next victim of phishing scams:

  • Install a spam filter to reduce the number of fraudulent and malicious emails you receive.

  • Don't trust any email urgently requesting personal information, such as checking account or credit card numbers, Social Security numbers, user names, passwords, PIN codes or other financial information.

  • When clicking links in an email, watch the “address bar” of your browser to ensure you're directed to the authentic, branded domain. It is easy for a phisher to spoof a web link and redirect it to another web site.

  • If you suspect an email may not be authentic, do not use its hyperlinks; type the URL directly into the Internet browser address bar instead. Certificates for the site ensure that the site you type in is where you're going. In an email, hyperlinks may appear to be going to one site, but are really directing you to another.

  • When entering personal information on secure sites, look for the locked padlock on the Internet browser's status bar or https:// at the start of the URL in the address bar. This indicates SSL security is in place, although it does not guarantee the site's legitimacy. Without these, however, the web site is definitely not secure.

  • Be alert to scammers phishing using any channel and asking you to confirm using any channel (phone, fax, email, etc.).

  • Keep in mind that legitimate companies would never ask their customers for private information in an e-mail.
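Two of the warning signs described above, a sender domain that does not match where the message really came from and link text that shows one site while the underlying link points to another, can be checked mechanically. The following is an added example, not part of the original page; the sample message, the function names and every domain in it are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; all domains are reserved example names.
SAMPLE = """\
From: "Example Bank Support" <support@bank.example>
Return-Path: <bounce@mailer.invalid>
Content-Type: text/html; charset="utf-8"

<p>Confirm at <a href="http://login.bank.example.verify.invalid/form">www.bank.example</a>.
See <a href="https://www.bank.example/help">our help page</a>.</p>
"""

class AnchorCollector(HTMLParser):  # gathers (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):  # host if text looks like a URL or bare domain, else None
    if not re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
        return None
    return urlsplit(text if "//" in text else "//" + text).hostname

def check_message(raw):
    """Return (kind, claimed, actual) findings; the envelope check is a heuristic."""
    msg = message_from_string(raw)
    dom = lambda h: parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
    findings = []
    if dom("Return-Path") not in ("", dom("From")):
        findings.append(("envelope-mismatch", dom("From"), dom("Return-Path")))
    parser = AnchorCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        shown, actual = host_of(text), urlsplit(href).hostname
        if shown and actual and shown != actual:
            findings.append(("link-mismatch", shown, actual))
    return findings
```

A differing Return-Path domain also occurs in legitimate bulk mail, so treat that finding as a prompt to read the full headers rather than as proof of fraud.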

Will you know a phish when you see one?

Unfortunately, phishing is becoming more and more common, and the scammers are getting better at disguising themselves.

Here's one example of a real phish:

Subject: ATTN: Citibank Update

Dear Citibank Customer,

We recently noticed one or more attempts to log in to your Citibank account from a foreign IP address and we have reasons to believe that there was attempts to compromise it with brute forcing your PIN number. No successful login was detected and you have full protection by now. If you recently accessed your account while traveling, the unusual login attempts may have been initiated by you.

The login attempt was made from:
IP address:
ISP Host: cache-882.proxyserver.cis.com

By now, we used many techniques to verify the accuracy of the information our users provide us when they register on the Site. However, because user verification on the Internet is difficult, Citibank cannot and does not confirm each user's purported identity. Thus, we have established an offline verification system to help you evaluate with
whom you are dealing with. The system is called CitiSafe and it's the most secure Citibank wallet so far.

If you are the rightful holder of the account, click the link bellow, fill the form and then submit as we will verify your identity and register you to CitiSafe free of charge. This way you are fully protected from fraudulent
activity on all the accounts that you have with us.

Click to protect yourself from fraudulent activity! (Link disabled for this example)

To make Citibank.com the most secure site, every user will be
registered to CitiSafe.

NOTE! If you choose to ignore our request, you leave us no choice but to
temporally suspend your account.

* Please do not respond to this e-mail, as your reply will not be received.

Regards, Citibank Customer Support

If you receive a phishing email, make sure you report it to both of the following email addresses: reportphishing@antiphishing.org and uce@ftc.gov. You should also forward the email to the company that is being imitated or "spoofed." When forwarding these messages, be sure to include the original email with the complete header information.

If You Become A Victim Of Phishing (or any other form of identity theft):

  • File a police report. Get a copy of the report to submit to your creditors and others that may require proof of the crime.

  • Contact the fraud departments of any of the three major credit bureaus to place a fraud alert on your credit file. The fraud alert requests creditors to contact you before opening any new accounts or changing information on existing accounts. The credit bureau is required to notify the other two bureaus after confirming your fraud alert. You will then receive a copy of your credit report from all three credit bureaus. See below for contact information for all three major credit bureaus.

  • Contact your credit union or bank and notify all with whom you have a financial relationship.

  • Close immediately those accounts that you know or suspect have been tampered with or opened fraudulently.

  • File your complaint with the Federal Trade Commission (FTC). The FTC maintains a database of identity theft cases used by law enforcement agencies for investigation. Further information regarding identity theft can be obtained from the FTC website or 1-877-ID-THEFT.

  • Report the theft of your checks to check verification companies.

  • Check the Post Office for unauthorized change of address requests.

  • Follow up your telephone contacts with letters and keep a copy of all correspondence.

Further information on Identity Theft and Internet Fraud can be found by clicking on the related articles.

Important Contact Information:

Credit Reporting Bureaus (Report Fraud / Order Credit Report)

  • Equifax (www.equifax.com)

  • Experian (www.experian.com): Option 3 / Option 1

  • TransUnion (www.transunion.com)

Social Security Administration

  • Fraud Hotline

  • Order Benefit/Earnings Statements

Federal Trade Commission

  • Report ID Theft

Reporting Fraudulent Check Use

  • Global Payments (Check Rite)

  • Certegy (formerly Equifax)