Citibank Impersonators Send Fake Account Update Alert from Spoofed Address in Credential Phishing Attempt
In this phishing attack, cybercriminals impersonate Citibank by using a spoofed email address to send a fraudulent notification regarding an account change. The subject line, “Primary Email Updated :Success! Your information has been updated,” is designed to mimic a legitimate alert from Citibank. The message informs the recipient that their email address has been successfully updated and includes a verification link in case the update was unauthorized. The link, labeled “Sign-On My Account,” directs the user to a malicious website with the goal of harvesting login credentials or personal information. This phishing tactic is particularly effective because it impersonates a well-known financial institution and preys on the recipient’s concern over unauthorized account activity. The email’s formatting and tone closely resemble genuine Citibank communications, increasing the likelihood that users will act without verifying the message’s authenticity.
Older, legacy email security tools struggle to accurately identify this email as an attack because it is sent from a spoofed email address, doesn’t use malicious attachments, and includes impersonated branding. Modern, AI-powered email security solutions flag that the sender domain does not match any domains in the message, detect the presence of links leading to suspicious domains, and recognize the mismatch between the sender name and the sender domain to correctly identify this email as an attack.
To stay protected, users should never click on account-related links in unsolicited emails. Instead, they should verify any changes directly by logging into the institution’s official website. Organizations should implement modern, AI-based email security tools and regularly train users to recognize spoofed alerts and other social engineering tactics.


Malicious email posing as Citibank notification with impersonated footers from legitimate correspondence to build trust and ultimately steal information
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Spoofed Email Address: The attacker spoofs a legitimate-sounding email address, bypassing basic email verification checks and adding perceived authenticity.
- Lack of Malicious Attachments: By not including suspicious attachments such as HTML attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
- Legitimate-Looking Email Footer: The email closes with a footer that closely resembles Citibank's, lending an air of legitimacy that traditional security solutions do not treat as a signal.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Unusual Sending Behavior: The sender domain does not match any of the domains found in the body links, raising suspicion.
- Suspicious Link Analysis: Abnormal's systems scrutinize the presence of links leading to suspicious domains, triggering deeper analysis for possible malicious intent.
- Sender Name and Domain Mismatch: The sender name does not match the sender domain, raising further suspicion during Abnormal’s analysis.
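The two header/body checks listed above (sender domain absent from the body's link domains, and a brand name in the display name that is not reflected in the sender domain) can be reproduced with a small amount of standard-library Python. The following is an added example written for this page, not Abnormal's code; the two messages are constructed samples on reserved `.test` domains, the brand keyword list is an assumption, and `registrable_domain` is a deliberate simplification that keeps only the last two labels instead of consulting a public suffix list.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the alert described above (not the real message).
PHISHING_SAMPLE = """\
From: "Citibank Online" <alerts@example-notify.test>
To: victim@example.org
Subject: Primary Email Updated :Success! Your information has been updated
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your primary email address has been updated successfully.</p>
<p>If you did not authorize this change,
<a href="https://accounts.example-verify.test/signon">Sign-On My Account</a>.</p>
<p>&copy; Citibank, N.A. All rights reserved.</p>
</body></html>
"""

# Constructed control message where sender and link domains agree.
LEGIT_SAMPLE = """\
From: "Citibank Alerts" <alerts@citibank.test>
To: victim@example.org
Subject: Your contact information was updated
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Sign on at <a href="https://online.citibank.test/signon">online.citibank.test</a>
to review this change.</p>
</body></html>
"""

HREF_RE = re.compile(r"""href\s*=\s*["']?(https?://[^"'\s>]+)""", re.IGNORECASE)


def registrable_domain(host):
    """Reduce a hostname to its last two labels (simplification: no public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def sender_parts(msg):
    """Return (display name, address, address domain) from the From header."""
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    return name, addr, domain


def link_domains(msg):
    """Collect the registrable domains of every http(s) href in the body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    domains = set()
    for url in HREF_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            domains.add(registrable_domain(host))
    return domains


def analyze(raw, brand_keywords=("citibank", "citi")):
    """Evaluate the two mismatch indicators on a raw RFC 822 message string."""
    msg = message_from_string(raw, policy=policy.default)
    name, _addr, sender_domain = sender_parts(msg)
    links = link_domains(msg)
    sender_reg = registrable_domain(sender_domain) if sender_domain else ""
    name_lc = name.lower()
    brand_in_name = any(k in name_lc for k in brand_keywords)
    brand_in_domain = any(k in sender_domain for k in brand_keywords)
    result = {
        "sender_domain": sender_domain,
        "link_domains": sorted(links),
        # Indicator 1: none of the body links point back at the sender's domain.
        "sender_domain_not_in_links": bool(links) and sender_reg not in links,
        # Indicator 2: display name claims a brand the sending domain does not carry.
        "display_name_brand_mismatch": brand_in_name and not brand_in_domain,
    }
    result["suspicious"] = (result["sender_domain_not_in_links"]
                            or result["display_name_brand_mismatch"])
    return result


if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("control", LEGIT_SAMPLE)):
        print(label, analyze(sample))
```

Either indicator alone produces false positives (marketing mail sent through a third-party platform trips the first, and a personal display name never trips the second), which is why a production system combines them with sender reputation and historical behaviour rather than blocking on a single hit.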
By learning established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
Note that the exact detection mechanism in Abnormal AI's system may include proprietary techniques and methodologies not disclosed here.