On Sunday, a piece of e-mail purporting to be from Citibank was released into the spam-o-sphere. It notified the recipient that he or she needed to visit the corporate Web site and agree to new policies.

While Citibank has been criticized for lacking a standard naming convention for its URLs, the latest grift doesn't exploit the bank's vagaries of usage. It simply asks the recipient, as a Citibank customer, to click on a URL that begins with "www.citibank.com" to read and agree to the bank's new Terms & Conditions.

The missive is weirdly worded however, saying, "Click here to access our Terms & Conditions page and not allow your Citibank checking account suspension."

While one link within the e-mail went to the real Citibank's privacy policy page, the link that supposedly led to the new terms and conditions page actually directed users to a crooked site, where they might be asked to reveal personal information in a practice known as phishing. By Monday morning, the link no longer worked.

In May, Citibank was the victim of a similar con, when a fraudulent e-mail targeted users of its c2it money transfer service, asking them to submit personal information via a form within the e-mail.

A statement e-mailed by a Citibank spokesperson to internetnews.com said both Citibank customers and non-customers had been falsely targeted.

"Citibank is working with law enforcement to aggressively investigate a fraudulent e-mail that has recently been sent as spam to numerous e-mail addresses," the spokesperson said. "The spoof site did not ask for social security numbers; it asked for the first four digits of the customer's ATM card and their name. Obviously, that information does not divulge the customer account number, nor the full ATM card number and is less sensitive than a Social Security Number."

However, the spokesperson had no information about how or whether it intended to alert its customers. Citibank's Web site has a link to its SafeWeb policy protecting customers from losses due to unauthorized transfers or withdrawals -- as long as the customer notifies Citibank within two business days.

On August 12, federal bank and thrift regulatory agencies issued proposed guidelines to require financial institutions to develop programs to respond to incidents of unauthorized access to customer information. In June, U.S. Sen. Dianne Feinstein introduced The Notification of Risk to Personal Data Act, which would require businesses or government agencies to notify individuals if a database has been broken into and personal data has been compromised. Neither would mandate warning customers of third-party attempts to get sensitive info directly from individuals.

Meantime, Citibank checking customers will have to keep an eye out for the bogus e-mail.