Phishing and Inept Banks

John Graham-Cumming asks, ‘Are Citibank crazy?’:

I blogged a while ago about Thunderbird’s phishing filter trapping a seemingly innocent mail. Now, a reader has forwarded to me a genuine email from Citibank that he says was trapped by Thunderbird. I’m not going to reproduce the email here because it contains private details of the user, but it is a valid Citibank message.

Thunderbird thinks it’s a scam because Citibank uses one of the oldest phishing tricks in the book. They have a URL displayed in the message that, when clicked, goes to a totally different URL.

Sadly, this has proven to be really quite common. We’ve investigated using this “displayed URL differs from the link target” check as a phish-detection rule in SpamAssassin several times, without much luck. In fact, we’ve had to create a FAQ entry for it — since it’s such a superficially attractive but ultimately useless idea, many people have had long discussions on our lists about it!

The companies that produce these false positives in their mails include American Express, Bed Bath & Beyond, Universal Studios, Microsoft, Hilton Hotels — and now Citibank.

A couple of other examples from real mails:

  <a href="

  <A HREF=""></A>
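To make the heuristic concrete, here is an added example (not SpamAssassin's rule, and not code from the original post) that pulls each anchor's href and visible text out of an HTML mail body and flags links whose displayed URL names a different host than the real target. The sample mails, hostnames and the click-tracker redirect are constructed for illustration; run over them, the check fires on a phish-like mail and on a legitimate mail that routes through a tracking redirect alike, which is exactly the false-positive problem described above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mail bodies (not the real Citibank or other mails from the post).
PHISH_LIKE = '<p>Please verify: <a href="http://198.51.100.7/login">http://www.citibank.example/</a></p>'
LEGIT_TRACKED = '<p>Visit <a href="http://click.mailer.example/r?id=42">http://www.bank.example/offers</a></p>'
PLAIN_LINK = '<p>See <a href="http://www.bank.example/faq">our FAQ</a></p>'


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.pairs = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None


def host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def mismatched_links(html):
    """Return (displayed URL, real href) pairs where the visible text is itself a URL
    whose host differs from the href's host. Plain-text link labels are ignored."""
    collector = AnchorCollector()
    collector.feed(html)
    return [(text, href) for href, text in collector.pairs
            if re.match(r"https?://", text, re.I) and host(text) != host(href)]
```

Both the phish-like body and the legitimately tracked body come back with one hit each, so on its own the check cannot tell a fraud from a marketing mail-out.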

By the way, it really is quite impressive for a bank as heavily phished as Citibank to still be making this kind of basic mistake in their mail-outs! It reinforces a point I made in a mailing list posting recently:

As far as I can see, the approach taken by pretty much all banks to their online services is simply too bureaucratic, hide-bound, and fundamentally driven by their marketing departments, to ever cope effectively with phishing. :(

(For what it’s worth, I know Citi have some smart techies working there; but the rest of the company needs to start paying attention to them.)



  1. Posted April 22, 2006 at 00:55

    Happily, some people are beginning to get it right. The McKinsey Quarterly got it wrong every week until a week ago; now they are getting it sort of right. They use full-html mails, which brings issues of its own though.

  2. Posted April 22, 2006 at 10:37

    Have you looked at MailScanner’s implementation? It produces practically zero false positives these days.

  3. Posted April 24, 2006 at 12:24

    Michele — practically zero ;)

    Have you got URLs? I’m sure I probably have seen it, but it’d be worth making sure.

  4. Posted April 24, 2006 at 12:55
  5. Posted April 24, 2006 at 12:56

    And why FF thinks my name is Bernard escapes me …