This. When it comes to phishing, there is one rule: don't change your TLD. When I log in to PayPal I am always getting redirected from paypal.com to paypal-deutschland.de (the German TLD). How is someone who is not internet savvy supposed to know whether he is getting phished or not, when even the companies use different TLDs?
Be consistent - using citibank.com and citibank.secure does not help at all, it will only confuse customers even more.