Bank's e-statement should not be attached with email
Shame on Citibank. It violated the security practice promulgated by the banking authority in HK. Over the past 12 months, I found that Citibank attached a monthly e-statement pdf to me via email though the attached pdf was password protected. Fraudsters can disguise themselves as a bank and attach malicious code in pdf. The chance of success is high as e-statements are so important that target recipients will open and read them to see how much they need to pay. As far as I know, other banks just alert their users that e-statements are ready online without providing any clickable links in the email. Until today, Citibank notified me about a new arrangement of no more e-statement attachment. Unfortunately, Citibank did not offer apology to its customers for ignoring this important security matter previously.