Phishing is a way to illegally acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication (web site, email, etc.). These fake websites are hosted on compromised sites without the owner's permission and are sent to the victims using mailing scripts, which may or may not be hosted on the same server as the phishing page.
Phishing pages are often complex and rely on several files to run. They are hosted in a specific directory resembling the phishing target.
This scam targets clients of Citibank, trying to collect usernames, passwords and other personal information and using e-mail scripts to send them to the attacker.
Look for any script that uses mail functions and is not part of your site.
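One way to run this check, as an added example that is not part of the original page. It assumes PHP-style scripts and a baseline of file hashes taken from a known-clean copy of the site; the function names, the extension list and the sample tree in demo() are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumption: PHP-style mail calls; extend the pattern for other stacks.
MAIL_CALL = re.compile(rb"(?<![\w>$])(?:mail|mb_send_mail)\s*\(", re.I)
SCRIPT_EXT = {".php", ".phtml", ".php5", ".inc"}

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(webroot):
    """Map relative path -> SHA-256 for a known-clean copy of the site."""
    root = Path(webroot)
    return {p.relative_to(root).as_posix(): sha256(p)
            for p in root.rglob("*") if p.is_file()}

def find_foreign_mailers(webroot, baseline):
    """Return sorted (relative path, reason) for scripts that call a mail
    function and are new or changed compared with the baseline."""
    root, hits = Path(webroot), []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in SCRIPT_EXT:
            continue
        rel = p.relative_to(root).as_posix()
        if baseline.get(rel) == sha256(p):
            continue  # unchanged file that belongs to the site
        if MAIL_CALL.search(p.read_bytes()):
            hits.append((rel, "modified" if rel in baseline else "not in baseline"))
    return sorted(hits)

def demo():
    """Constructed sample tree: a legitimate contact form plus later changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "contact.php").write_bytes(b"<?php mail($to, 'Contact', $body); ?>")
        (root / "index.php").write_bytes(b"<?php echo 'home'; ?>")
        baseline = build_baseline(root)   # snapshot of the clean site
        (root / "bank-login").mkdir()     # directory that appeared afterwards
        (root / "bank-login" / "send.php").write_bytes(
            b"<?php $m = $_POST['user']; mail($rcpt, 'log', $m); ?>")
        (root / "index.php").write_bytes(b"<?php @mail($x, 's', $y); echo 'home'; ?>")
        return find_foreign_mailers(root, baseline)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:16} {rel}")
```

The site's own contact form is skipped because its hash matches the baseline, so only new or altered mail-capable scripts are reported for review.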