"The emails include a link and an attachment. While the link is harmless, taking receivers to the legitimate Citi page, the attachment is a password stealer that opens a backdoor for remote attackers. Some instances appear to also download components of the BlackHole or ZeuS exploit kits," explains Bitdefender's Loredana Botezatu.
The email is a pretty good fake - good English and grammar - and it tries to reassure users by offering a phone number (more than likely manned by the scammers) for checking its validity.
According to Bitdefender, this particular spam campaign is conducted by the same group of scammers that was behind the recent Better Business Bureau and DocuSign-themed campaigns.