The SecurityFix reports on this clever two-factor authentication phishing attempt. They were looking for Citibank Business customers and in addition to username password information they were looking to verify a supplied token. The bottom line is that phishers will look to find any way possible to social engineer you out of your information credentials, whether they’re one-factor, two-factor or three factor, etc….. It appears as though it was a well done phish with a few exceptions and that it even checked some credentials by the citicard site giving an error message if you entered invalid login info.