More phish for thought

Back in September I wrote about a phish note I received on my Yahoo! account. Basically, it's an email purporting to be from some financial institution, asking you to verify sensitive personal information by pointing you to what appears to be a webpage from that institution.

Today I received another phish note which I just have to share:

From: "_CITICARDS_"  
To: my-yahoo-address@yahoo.com
Subject: CITI E-mail Veerification - my-yahoo-address@yahoo.com 

Dear Citbiank Clients_,

_This email_ was _sent by the Online-Citibank _server_ to
veerify your _email_ adrress.
You musst clptmoee this pocesrs by clicking on the_ link
bellow and enntering in the little window your Citibank
Debit_ full Card Nummber and _PIN that you_use on_the local Atm 
machine.
That is done for_your perotction -I- becourse some_of our
membres no leognr have acsecs to their email addrssees
and we must verify it.

http://citibankcard.com:%49%74%75%66%6a%77%47%43@someencodedwebsite
 
To veerify _your_ _EMAIL_ adress and access _your_ Citibank
account, clic on_the_link _bellow_.

TKh2XkggBi8E 

I'm not posting all of the headers, nor am I dissecting them; it's not worth my time. But whoever's sending these out either needs to pick their target language more carefully or learn to use a spell checker.

The one thing I will point out is the URL I'm supposed to click on. It tries to make use of a bug in various web browsers to mask where you're navigating to by encoding a website as the "userid" (above, it's citibankcard.com), followed by a bunch of strings of the form %nn, where nn is a hexadecimal number. In URL syntax everything before the @ is the username and password, and the real host is whatever follows the @. What happens is that your browser gets tricked into displaying only a portion of the URL in your address bar, so you might think you really reached citibankcard.com, when in fact you're at the hacker's website.
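To make the trick concrete, here is a small added example (my own code, not from the original post) that takes a URL like the one in the email apart: it separates the userinfo part from the real host, decodes the %nn escapes, and flags URLs whose "username" looks like a domain name. The sample message body is constructed for the example and reuses the (already obfuscated) placeholder host from the post.

```python
"""Added example: flag URLs whose userinfo part impersonates a hostname."""
import re
from urllib.parse import urlsplit, unquote

# Heuristic (an assumption, not a standard): does a string look like a
# registrable domain name, e.g. "citibankcard.com"?
HOST_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$", re.I)

# Crude extractor for URLs in a plain-text mail body.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def dissect_url(url):
    """Return where a URL really goes and whether its userinfo is a decoy host.

    The URL syntax is scheme://[userinfo@]host[:port]/path, so anything
    before the last '@' in the authority is user:password, not the host.
    """
    parts = urlsplit(url)
    real_host = (parts.hostname or "").lower()      # the part after '@'
    userinfo, at, _ = parts.netloc.rpartition("@")
    if not at:
        return {"url": url, "real_host": real_host,
                "decoy_host": None, "suspicious": False}
    user, _, password = userinfo.partition(":")
    decoded_user = unquote(user)                    # undo %nn encoding
    decoy = decoded_user.lower() if HOST_LIKE.match(decoded_user) else None
    return {
        "url": url,
        "real_host": real_host,
        "decoy_host": decoy,
        "decoded_password": unquote(password),      # the %49%74... junk
        "suspicious": decoy is not None and decoy != real_host,
    }


def scan_message(body):
    """Dissect every URL found in a message body."""
    return [dissect_url(u) for u in URL_RE.findall(body)]


# Constructed sample body, modelled on the email quoted above.
SAMPLE_BODY = """\
To veerify your EMAIL adress, clic on the link bellow.
http://citibankcard.com:%49%74%75%66%6a%77%47%43@someencodedwebsite
Our real site is https://www.citibank.com/ if you prefer.
"""

if __name__ == "__main__":
    for r in scan_message(SAMPLE_BODY):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} real host={r['real_host']!r} decoy={r['decoy_host']!r}")
```

Running it on the sample body reports the first link as suspicious (real host `someencodedwebsite`, decoy `citibankcard.com`) and the second as ordinary. The same check is easy to drop into a mail filter: any link whose decoded username looks like a domain and differs from the real host deserves a closer look.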

If your bank or other financial institution needs you to update records, they'll likely send you postal mail. They might send an email to you solely to verify that your email address still works. But in no way should you trust links that come through email for submitting personal information.

Sooner or later one of these scammers is going to manage to make an authentic-looking email and use SSL to make it look like it's secure.
