"The emails include a link and an attachment. While the link is harmless, taking receivers to the legitimate Citi page, the attachment is a password stealer that opens a backdoor for remote attackers. Some instances appear to also download components of the BlackHole or ZeuS exploit kits," explains Bitdefender's Loredana Botezatu.
The email is a pretty good fake - good English and grammar - and it tries to reassure users by offering a phone number (more than likely manned by the scammers) for checking its validity.
According to Bitdefender, this particular spam campaign is conducted by the same group of scammers that was behind the recent Better Business Bureau and DocuSign-themed campaigns.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.