Some enterprising Romanian scammer has come up with a disconcertingly clever way to take advantage of the financial crisis. I got a couple of variations of this email in one of my more spam-targeted accounts today:

Dear Citibank Customer, As you may already know, by voting down the proposed $700 billion financial bailout package - and causing a spectacular stock market rout - a majority of members in the House of Representatives made a clear statement that they didn't want to put taxpayers on the hook for the failures of financial institutions.

But there's a catch: taxpayers are already on the hook for the failures of financial institutions, and it's possible that the bill will actually be larger without bailout legislation than with it. That's because the regulators who mind the financial industry - the Federal Reserve, Treasury and FDIC - will keep doing what they've been doing: stepping in to prevent the chaotic failure of banks and other large financial institutions. This means continuing to put hundreds of billions of taxpayer dollars at risk, but in a way that adheres to no clear plan of action and doesn't require members of Congress to explicitly approve their actions.

Because we value you as our customer and share your concerns about your financial assets, we now offer you the option to have your account moved on our servers abroad. This will prevent any financial loss from your account in case the U.S. financial system collapses. This option is free of charge and you will still have easy and secure access your money in the same way as before.

Please click here (http://mail.ahkrumaenien.ro/temp/1/ct/wv/home.do.htm) and follow the instructions to secure your financial assets by moving your account to our servers located abroad in countries that do not have any connections, strong or weak, to the American financial system.

Also, to better protect you against phishing attacks and prevent identity theft, we will manually verify the provided information. Before filling the form, please have ready a scanned copy of your ID or driving license and a copy of your Citi Card to prove that you are the true owner of the account.

After successfully completing the required steps, your account will be moved on our new servers located abroad. You won't feel any negative impact of account movement and you won't have any problems accessing your money from anywhere in the world.

Sincerely,Citigroup Financial Security SpecialistsCiti Credit Cards 1-800-950-5114 (TTY: 1-800-325-2865) Outside the U.S. 1-605-335-2222 (call collect)

I clicked the link, and it doesn't actually take you to a faked form to "transfer your account." They were more clever than that - the link was to a Romanian URL (explained because you're moving your money overseas!) with a PHP redirect (one that gives you the page and doesn't actually redirect you via URL) to citicards.com .

So basically people will see their normal login page at citicards.com (with everything the same, including legit links within) and enter their normal login information to learn more, which - when the form information posts - probably logs them in normally while conveniently handing their username and password and/or CC# over to the scammer without them suspecting a thing.

Gave me chills.

This is why I don't do any banking online. The banker may not smile at me or come to my house for my convenience, but there is 0 chance that there is some doppleganger banker who will take my debit card and PIN and run away with all my money.

How adorably naive of you!

This is why I don't do any banking online. The banker may not smile at me or come to my house for my convenience, but there is 0 chance that there is some doppleganger banker who will take my debit card and PIN and run away with all my money.


This is silly for two reasons --

1) Just because you bank online doesn't mean you have trust and click links in suspicious online banking related emails that are sent to you. I just ignore any email I get from any financial institution, even the ones that are legit from my bank and/or credit card issuers I deal with online. I just blanket assume they are phishing mails and toss them. When I want to bank, I don't go in through links in my email, I go straight to the bank's website with my browser address bar. I don't use online links to get there. Ever. All smart banks realize this is the best policy and while they still might send you the occassional mailing list email, they've wised up to the fact that they should never require you to take any sort of action through email links as the spammer/phisher emails often suggest.

2) Most of the time someone's banking info or credit card numbers are stolen it is an inside job. You might never run into a doppleganger banker, but assuming you're smart about online banking you're more likely to have your identity stolen by some jagoff bank teller at your local branch who has access to carbon copies of your deposit slips than the russian internet phishing mafia.


I've been banking online for 10 years and never a problem. Yes, sometimes people's identities are stolen online, but it happens offline all the time too and it is actually much easier to protect yourself online than off if you aren't a complete retard.

And you're even more likely to have someone steal you account info from your mail, trash, or when you use your card at a store or restaurant. Frankly, banking online just means you can catch a problem that much faster if one ever occurs. Just, you know, don't be a dumb ass and believe an email claiming that your bank wants to move your funds off shore.

Yeah dude, literally every single time you use your credit card to pay for something not on the internet, you're giving someone an opportunity to steal it and/or your identity. The truth is that most people generally aren't as bad as we've been led to believe.

You know, I spent 2 hours trying to convince my stepmother of this and she just would not get it. She couldn't understand that her payment went to the same place the online payments went to and were just as vulnerable to theft.

That letter is pretty nasty though. I tell everyone who doesn't seem to be real familiar with a computer to be sure never to click on links in an email. Always type them in the browser bar.

I don't trust my computer, to be honest (spyware, viruses, trojans, etc.)

I know all of the employees at my bank, and I'm pretty sure if there is some sort of inside job the bank will cover it. That would be their fault.

I don't even own a credit card, I use a friend's account to do all internet related buying. And I use my debit sparingly. Sure, I'll check my balance online from time to time, but if I have to move funds from account to account, make withdrawals or deposits, or pay bills, I do it in person.

Don't you have to log in to check the balance? That puts you at just as much risk as actually doing any transactions online.

if you aren't a complete retard.

And therein lies the rub.

This is why I don't do any banking online. The banker may not smile at me or come to my house for my convenience, but there is 0 chance that there is some doppleganger banker who will take my debit card and PIN and run away with all my money.
Don't click on email links and always type in the URL yourself when online banking.

Problem solved.

Like I've said in other threads, when I worked behind a register I was able to memorize all the details of a card and enter it into the machine by memory. I could easily have written down all the data I needed to use the card online immediately after the customer walked away. And I can't even remember which hand is my left one or what I ate for breakfast.

Hell, plenty of places I worked at used a computer attached to a register, and I could have just pulled up notepad and typed in every card I saw, then emailed it to myself. Not like the customer would have known what the hell was going on. I didn't, but that has more to do with my morales and my fear of jail than anything else. Just like I don't pirate games or steal shit from convenience stores more because of my beliefs than because it's hard.

So, every time your plastic leaves your hand in the real world, you're vulnerable to fraud. At least online you can take some easy precautions to keep other people from taking your info.

For that matter, every time you cut a check on old-fashioned paper, your account and routing numbers are right there for anyone to steal. The safest thing to do is barter livestock and salt for all goods and services.

For that matter, every time you cut a check on old-fashioned paper, your account and routing numbers are right there for anyone to steal. The safest thing to do is barter livestock and salt for all goods and services.

That would be a bit drastic, don't you think?

If you want to say that the risks online and offline are equal, then I'll agree with that. The potential risks of using a debit card in a store are high, but the odds are low that an employee would actually go for it. I don't use credit cards, as Aeon says, he(she?) can simply memorize the number and go buy a TV after his shift. With my debit card however, he has a limited window to screw me. Without the card, the machine only saves the last transaction. So Aeon would have to look at my PIN (at which point I'd tell him to fuck off), then use his work computer/cash till to make another purchase with my card, then pocket the equivalent amount of money. I'd notice this on my bank statement, I'd go to the store, the store would look at Aeon's records (correct me if I'm wrong, but employee's working a till usually have to sign into the till), I get my money back, Aeon gets criminally charged.

For that matter, every time you cut a check on old-fashioned paper, your account and routing numbers are right there for anyone to steal. The safest thing to do is barter livestock and salt for all goods and services.

I don't write checks, and most stores don't accept them. I'm not even sure where you would use a check, outside of a personal exchange of money between friends/family.

Most debit cards (here in the US, anyway) are Visa/MC branded and can be used as credit cards without your PIN, as long as the person uses them marked as credit transactions and not debit transactions.

In any case, the only time I've ever had an issue with a credit card of any type was actually with my Wells Fargo debit card (which is Visa branded and works as a Visa credit card, without a PIN). The people at Wells Fargo called me before I even realized there was an issue because their system picked up some kind of activity that threw a red flag. They immediately removed all charges I didn't legitimately make on the card, cancelled it and sent me a new one. The guy I talked to in their fraud dept. was basically convinced that the bad guys got my number via using the card at a retail establishment and not online because according to him that's usually the way it goes down. In my situation that made perfect sense since I hadn't used that card online in quite some time before the incident.

Anyway, long story short, I didn't have to pay any of the charges I didn't really make with the card, the bank contacted me extremely proactively and having online banking made it way easier for me to deal with the Wells Fargo fraud dept since I could go in and look at a near-realtime snapshot of my recent charges and tell them which were really mine and which weren't.

Most stores (again in the US, YMMV elsewhere) accept checks still. Believe me, I always get caught in the line behind the 80 year old lady who wants to pay by check and takes 3 hours to fill it out.

I'm not even sure where you would use a check, outside of a personal exchange of money between friends/family.
I'm curious, if you don't use credit cards and don't do online banking - how do you pay bills without writing checks?

Really? Everywhere I go there are signs that say "No cheques". I figured it was because of the potential of it bouncing, and if I was a business owner, I wouldn't accept checks. If it's a large amounf of money use debit or credit cards (your risk), if it's small, use cash. I don't understand the need to write an amount on a piece of paper and hand it to someone.

To the debit = CC post, shit. I'll need to talk to my banker the next time I go in about making sure that payments are rejected unless accompanied by my PIN. What's the point of a PIN if the unscrupulous employee can just set the mode to "no PIN"?

Really? Everywhere I go there are signs that say "No cheques". I figured it was because of the potential of it bouncing, and if I was a business owner, I wouldn't accept checks. If it's a large amounf of money use debit or credit cards (your risk), if it's small, use cash. I don't understand the need to write an amount on a piece of paper and hand it to someone.

Again, I have no idea where you live but around here most businesses still take checks. Most of them have fancy check processing systems in place that handle the checks semi-electronically to reduce fraud.

To the debit = CC post, shit. I'll need to talk to my banker the next time I go in about making sure that payments are rejected unless accompanied by my PIN. What's the point of a PIN if the unscrupulous employee can just set the mode to "no PIN"?


I have no idea if that applies to YOUR debit card. There are pure debit cards that aren't associated with credit card companies, they are just pretty rare here in the US these days. If your card doesn't have the logo of a major credit card issuer on it, it probably doesn't apply to you and there are some differences between using the card in credit mode vs debit card mode anyway (eg. can't withdraw cash using the credit processing feature, you can only make purchases).

Back on topic: I thought the scam email in the OP was really damned clever, and I applaud their superior spelling and grammar skills. I think they deserve a little money.

So you sent them some, right?

EFG, you really need to stop defending your OP. You're headed toward the Digg frontpage with a headline of 'GUY MAKES DUMB POST, DEFENDS IT WITH DUMB POINTS!'.

To the debit = CC post, shit. I'll need to talk to my banker the next time I go in about making sure that payments are rejected unless accompanied by my PIN. What's the point of a PIN if the unscrupulous employee can just set the mode to "no PIN"?
Because using it in credit card mode affords you the same protections that a regular credit card does. I don't believe debit card mode does that.

That's why many people advocate using a debit card but doing transactions on it in credit card mode (the cashier will ask you which way you want to use it, generally). CC mode == better protection. The net result to you is the same - the money comes out of your account then and there.

Because using it in credit card mode affords you the same protections that a regular credit card does. I don't believe debit card mode does that.

I'm pretty certain it does, actually--it's just that the short-term consequences of fradulent transactions are more apt to be a pain in the ass. Someone steals your credit card number and jams a few thousand in charges on it, you're not liable for those charges. Short term consequence, you have to do the brief juggling of canceling the card, getting a new one, etc.

On the other hand, someone does that with your debit card, you're still not liable for those charges, but in the short term before things get squared away, that's actual cash (well, more actual than credit, anyway) that's gone temporarily goodbye. Which could be a serious pain depending on timing of it, if you need actual cash for anything else until it's back.

Which is why it's best to just go on credit and pay off in full every month. Plus the livestock and salt, of course.

Good banks have some kind of system that lets you verify you're at the right site anyway. Bank of America uses site key, and tells you not to enter your password unless you see the same picture you chose when you signed up. It's simple enough that non-internet savvy people can understand it.

When I was working at the furniture store, credit card fraud would have been extraordinarily easy to pull off. You could easily run a dump of every credit card transaction performed that day that would give you the name, CC#, date of expiration, and security code (not PIN) of everyone who had made a purchase. And no one would have regarded it as strange with how often we had to run those reports to make an adjustment to someone's payment. It would have been a matter of just not shredding it at the end of the day.

I didn't do it because I like not being in jail.

I will note that the store was the victim of check fraud much more frequently than credit card fraud.

Because using it in credit card mode affords you the same protections that a regular credit card does. I don't believe debit card mode does that.

That's why many people advocate using a debit card but doing transactions on it in credit card mode (the cashier will ask you which way you want to use it, generally). CC mode == better protection. The net result to you is the same - the money comes out of your account then and there.

This is another good point. Visa, Mastercard and your bank all have pretty complete fraud protection policies and procedures. If you lose your wallet or get mugged nobody is going to reimburse you for the cash you had on your person.

All this just goes to show you that being a Luddite with your finances puts you at more risk, not less.

For checks that we took at the liquor store that I worked at, we also had to take down addresses and driver's license #'s. And we didn't put that stuff in a vault or safe or something, no sir, we kept 'em inside the same registers that we had access to all day, most of the time without management supervision. And it's funny, because I asked some of the "younger" people (like, people who didn't look as if they were gonna keel over at any moment) who were handing me checks why they used em, and invariably the answer was "I'm scared of someone stealing my cc!" Doh!

Lax security is the norm at the point of retail, and it's just about guaranteed to be the place that you'll get burned. Unless you're so foolish that you'll hand over your account information to Nigerian Princes or incredibly handsome long haired cashiers.

Receipts for my university's book store used to show the buyer's name, credit card number, plus the card's expiration date. Every September, there would be a good number of these yellow slips of paper scattered around the adjacent parking lot. I often wondered if anyone ever gave into temptation, grabbed one and made a $500 purchase on CDNow (gratuitous period detail, check).

EFG, you really need to stop defending your OP. You're headed toward the Digg frontpage with a headline of 'GUY MAKES DUMB POST, DEFENDS IT WITH DUMB POINTS!'.

I stopped defending it 3 posts ago. I lost, whatever, I'll move on, the thread has. If you want to drag it back up for yuks, that's great, but I'll take no part.

They have a teletypewriter number!? These guys have balls.

Or is that just the bank's real TTY number and they assume 99% of people won't call it?

I stopped defending it 3 posts ago. I lost, whatever, I'll move on, the thread has. If you want to drag it back up for yuks, that's great, but I'll take no part.

I made that post yesterday, about 50m after you'd made your last post. So I'm not dragging anything back up. But you kind of are.

They have a teletypewriter number!? These guys have balls.

Or is that just the bank's real TTY number and they assume 99% of people won't call it?
I haven't checked, but I'm guessing that both the TTY number and the phone numbers are both the real ones for the bank.

I made that post yesterday, about 50m after you'd made your last post. So I'm not dragging anything back up. But you kind of are.

50 mins after the second post since I stopped defending it.