- Home
- |
- Security and You
At Citibank, we constantly update our security technology to protect your privacy and confidentiality. It is important that you take the necessary measures to safeguard yourself.
As phishing scams are on the rise, never provide your banking credentials/One-Time PIN to anyone. Always check your Citibank SMS/email alerts and report any unauthorized transactions to us immediately.
Here are some of the security features and tips customers should be aware while ensuring a pleasant and secure online banking experience.
To report a fraud or scam, please contact us immediately at:
(1) Citibank Fraud hotline: +65 6337 5519
OR
(2) 24 Hour CitiPhone Banking: +65 6224 5757
Click here for more details.
Safeguard yourself while banking online
When accessing Citibank Online, always look out for the padlock symbol for your browser to ensure that the website has a valid certificate marked to Citigroup Inc.
Steps to take to protect yourself
Scenarios | What should you do? |
---|---|
Scenario 1: If you receive an SMS from Citibank, to authorize a charge on your Citi Card/account, with sender number in "short code" 72484 or "long code" +65 9657 2484, |
Reply "1", if the charge was authorised by you. Reply "2", if the charge was not authorised by you. If you are overseas or holding onto an overseas mobile number, please send your reply to +65 9657 2484. You may also call Citibank at +65 6337 5519 |
Scenario 2: If you receive any suspicious communications claiming to be from Citibank, |
Step 1: Please do not click on any links provided or provide any personal and banking information to anyone over unsolicited calls or on a suspicious website. Step 2: Contact the CitiPhone hotline at |
Scenario 3: If you suspect or detect that your account is being compromised, |
Step 1: If you suspect that your card details have been compromised, please temporarily lock your card via the Citi Mobile® App so that no one else can use it. To lock your card, click “Manage” on your card on the Citi Mobile® App. Step 2: Contact the Citibank Fraud hotline at
|
Scenario 4: If you misplaced your card or your card is lost or stolen, |
Step 1: Temporarily lock your card via the Citi Mobile® App so that no one else can use it. You may unlock your card easily on the Citi Mobile® App when you need to. Step 2: Report as lost or stolen via the Citi Mobile® App To lock your card or report as lost or stolen, click “Manage” on your card on the Citi Mobile® App. |
|
Security Alerts and Information
Clients may check this page regularly for the latest security alerts and/or news. If you are unsure whether any call, email or SMS is genuinely from Citibank, please contact us immediately and refrain from taking any further action. Whilst Citibank strives to provide you with the latest security alerts and/or news, please note that this webpage and the examples of scams/phishing listed here are not exhaustive.
New Security Update on the Citi Mobile® App
Date: 18th September 2023
WHAT CITI IS DOING FOR YOU
We will be detecting the following 4 potential risky permission settings on apps/tools attempting to access the Citi Mobile® App on your device:
- Anti Remote Desktop Access
- Suspicious Accessibility Services
- Android Debugging via Developer Options
- Screen Overlay
HOW TO PROTECT YOURSELVES FROM MALWARE?
- Be Vigilant — Stay Safe and Not Sorry: If the price of an offer is too good to be true, it probably is. Be vigilant and verify the legitimacy of the offer with the company via official sources. Consult your family, friends, or colleagues if you are unsure.
- Avoid Installing Unknown Apps: Refrain from downloading apps from third-party websites and only download from official app stores like Apple AppStore and Google Play Store. Malicious apps may request for permissions, such as “Accessibility Services”, that are unrelated to their intended functionalities. Review app permissions carefully during installation and reject any suspicious requests.
- Be Wary of Unusual Payment Requests: Be cautious if the offers require you to use unconventional payment methods, such as gift cards or cryptocurrency. These methods are often favoured by scammers because they are difficult to trace and reverse.
- Share with Care: Always verify the legitimacy of the offer before sharing with your family, friends, and colleagues. If in doubt, avoid sharing it or enlist their assistance in helping you verify the legitimacy.
- Switch your Device to Flight Mode: If you suspect your device has been infected by malware, switch your device to the flight mode immediately to disconnect from the Internet. This will prevent the scammers from further accessing your device remotely.
- Activate Kill Switch immediately: On a secondary/uncompromised device, login to the Citi Mobile® App > Settings & More > Security & app > Kill Switch. Alternatively you can login to Citibank Online or call our 24 hour CitiPhone banking immediately at +65 6224 5757 to activate Kill Switch. Click here for more information on activating Kill Switch.
- Identified Unauthorised Transactions: If there are any unauthorised transactions detected in your bank account(s), contact our 24 hour CitiPhone banking immediately at +65 6224 5757.
- Report the incident to the police: Reach out to the police and lodge a report.
- Run an anti-virus scan on your device: Use an anti-virus software which you have downloaded from verified or legitimate sources to scan and remove any malware detected in your device to ensure that known malware in your device is identified and removed.
- requires additional delivery fee before product can be sent out.
- requests for conversations to be taken off shopping platform.
- insists on bank transfers instead of using the platform's payment options.
- Verify the social media account’s legitimacy by checking with your contacts offline, e.g. contacting them via their mobile phone number.
- Verify the website URL’s legitimacy.
- Insist on cash-on delivery where possible, or use the platform’s secure payment option.
- Disclose your personal particulars, OTPs and banking and credit card details to anyone, including family and friends.
- Act hastily upon seeing a flash deal. Always confirm the source.
-
Agree to private bank transfers to sellers before
delivery.
WHAT TO DO IF YOU FALL VICTIM TO A SCAM?
Find out more here
Don't be lured by phishing scams
Date: February 2024
Phishing scams are on the rise and becoming more sophisticated. It could be a WhatsApp message from a bogus business account, a friendly call from an acquaintance you don’t remember, or an alarming message from someone claiming to represent a government agency.Learning more about scams and how they work will help you stay alert and protected. Let’s get started.
How do you spot a scam?
Look out for these signs.
Ready to protect yourself?
Heed these precautions.
Do not click on links in unsolicited emails and text messages | |
Do not disclose your banking details, OTP, or any personal/ sensitive information to anyone | |
Type in the web address in your browser’s address bar to avoid falling for fake links | |
Access your bank’s website through the official app (e.g. Citi Mobile® App) |
Tips to protect from scams
Date: October 2023
Scam cases are growing in numbers and scammers are becoming increasingly sophisticated with their tactics. Whether you know it or not, you may have received a form of scam call, message or email. To target victims, scammers will impersonate Citibank or any other official organisations.
Find out what you should do if you think you’ve encountered a scam and take the right steps to protect yourself.
What should you do if you think you've encountered a scam?
Security Tips
Do not click on URL links in unsolicited messages. Please note that Citibank does not send any SMSes and emails to our customers with clickable website links. | |
Verify any claims directly with the source on the official website before responding or sharing any of your personal details. | |
Be wary of SMSes with Spoof headers by looking out for grammatical errors, spelling errors and website links. | |
Do not reveal your banking details (e.g. log-in credentials, security token, unlock code, one-time PIN (OTP), ATM and credit card PIN, banking statement, etc.) or any personal information to anyone. | |
Be alert and always read the full text message when you have received SMSes sent from Citibank regarding notifications relating to OTPs or transactions. | |
Be cautious when downloading third party mobile applications as it may allow scammers to remotely control your personal devices and extract your stored credentials. | |
Keep your devices updated to enjoy the latest security updates and be cautious when surfing the web. |
What should you look out for?
Be vigilant and stay alert on the latest scam tactics by following our security page below. | |
Ensure your push notifications are enabled to stay up to date on important alerts from us. | |
Check if your contact details with the bank are updated so that we can contact you immediately in the case of fraudulent activity. | |
Check if your CitiAlerts are enabled via Citibank Online to receive notifications on your account and credit card transactions. |
Be Wary of Job Scams
Date: October 2023
There are scammers sending unsolicited job offers via messaging apps or social media, offering high-paying jobs that require little effort and no experience but victims are required to pay fees or transfer monies before earning commissions. Be wary of unsolicited job offers and stay vigilant by learning about different job scams and what to look out for.
What are the different types of job scams?
Affiliate Marketing Job ScamThis is a job scam requiring victims to complete easy tasks such as liking social media posts to earn commissions. Victims are instructed to sign up for job packages by making upfront payments but will not receive further commissions after the initial commission. |
Fake Mobile App Job ScamThis is a job scam requiring victims to download a fake mobile application and top up funds into their accounts for buying and selling products or transferring money or cryptocurrency to bank accounts. Victims will not be able to withdraw their money or commission reflected on the fake mobile app. |
Warning Letter Job ScamThis is a job scam evolving from the fake mobile app scam where victims who try to quit the job and withdraw money from their accounts, will receive a fake warning letter with a letterhead of local authorities stating that their accounts would be frozen with legal implications. Victims will then be further pressured to make more fund transfers to avoid claimed legal action. |
Here are just two examples of job scam offers that victims have received via SMS, Whatsapp or Telegram:
What should you look out for?
You are contacted for a job you did not apply for. |
You are promised a large sum of money for very little work or if the salary range is way out for your experience, then be wary. Easy jobs that offer lucrative commissions are simply too good to be true. |
You receive an offer from a free email account eg., @yahoo •com, @gmail •com. |
You are asked to transfer funds to bank accounts or cryptocurrency wallets belonging to individuals that you have not met in person. |
You are asked for confidential information, including bank and credit card details over messaging apps or emails. |
You are hired directly without an interview or meeting your potential employer. |
Do not use your bank account to conduct |
Beware of Malware Scams
Date: September 2023
There has been an increase in malware and technical support related scams where scammers are utilising scam applications to infect victims’ personal devices and access sensitive personal and banking information. Some scammers may even disguise as technical support or merchants for home services or sale of food items and instruct you to download third-party screen sharing applications to fix the issues, to book services or to make payments for commonly used items like food and groceries you thought you were purchasing.
From the scam applications, scammers will be able to control the victims’ personal devices, monitor activity and gain control of their banking accounts to perform unauthorised transactions. In most cases, the victims would not be aware that this was happening on their personal devices, as it can go on even when the device is not being used or in active mode.
How do Malware and Technical
Support Scams happen?
Surfing unsolicited websites and
clicking on pop ups on such websites
Opening links from suspicious
emails or text received via SMS or
other messaging apps
Instructions from scammers to victims
to download fictitious applications
Tips to protect yourself from Malware and Technical Support Scams:
Be vigilant when surfing websites. You may turn on ad blockers to not receive pop up ads | |
Disable “Install Unknown App” or “Unknown Sources” in your settings | |
Ensure your devices’ operating systems (Apple IOS or Android AOS) and applications are updated regularly to be protected by the latest security patches | |
Ensure that your devices are installed with updated anti-virus/anti-malware applications that can detect and remove malware | |
Never download any unknown third-party application under the instructions of anyone or without first verifying the authenticity of the application | |
Do not grant permission to persistent pop-ups that request for access to your device’s hardware or data |
If your account or card has been compromised, please activate Kill Switch on the Citi Mobile® App or contact our fraud hotline, which is available on our Citibank website, immediately. Find out more here.
Beware of scams involving e-wallets
Date: April 2023
There has been an increase in scams involving e-wallets where scammers have been collecting the credit/debit card credentials of victims via phishing websites. Scammers typically send unsolicited communications and direct victims to a spoofed website where they will be prompted to enter their credit/debit card details and One-Time PIN (OTP) to make payment. Once the OTP has been provided, the scammer would be able to successfully add the victim’s credit/debit card into the scammer’s own e-wallet to make purchases.
Tip: An e-wallet (e.g. Apple Pay) is a digital wallet that can be used to make online transactions and contactless in-store purchases using a credit card that had been added to the e-wallet. If your card details and OTP are compromised, a scammer can use your credit card via the e-wallet to make transactions freely.
Tips to protect yourself against phishing scams
Do not click on URL links in unsolicited messages. | |
Be wary of phishing SMSes with Spoof headers by looking out for grammatical, spelling errors and links. | |
Do not reveal your banking details (e.g. log-in credentials, security tokens, unlock codes, OTPs, ATM and credit card PINs, banking statements, etc.) or any personal information to anyone. | |
Verify any claims directly with the source on the official website before responding or sharing any of your personal details. | |
Be alert and always read the full text message when you have receive any SMS sent from Citibank on notifications relating to OTPs and when a card has been added to an e-wallet. |
What to look out for
If you receive a notification from Citibank that your credit/debit card has been added to an e-wallet (e.g. Apple Pay) but it was not initiated by you. | |
If you receive a notification of a transaction that you do not recognise from Citibank. |
What should you do if you suspect your card details have been compromised?
1. Lock your Citi Card on the Citi Mobile® App immediately
2. Report it to the fraud hotline available here
Fake Friends
Date: 3rd November 2022
There have been scammers calling and messaging victims, pretending to be a friend, family member or colleague, and requesting for loans from unsuspecting victims. These scammers will use scam tactics to gain your trust, claiming to have financial difficulties and citing the need for funds due to a medical emergency or to pay for their business. Scammers can also contact victims via WhatsApp, Telegram, Viber Call, Facebook, and Instagram, with their display picture as the friend they claimed to be.
What should you look out for?
Beware of unusual requests received over the phone or via messages, even if they appear to be from someone you know. | |
Hang up immediately if you are suspicious or if the caller cannot identify themselves properly. | |
Be wary of calls with the ”+“ prefix as they are international calls and common numbers that appear to be fraudulent. | |
Always verify requests with your friends, family and colleagues via physical meet-ups or previously established contact details. | |
Never send money to people you do not know or have not met in person before. |
Phising Scams
Date: 29th September 2022
There are scammers sending a fake SMS with a spoof Citibank header informing victims that their account or credit card has been suspended due to security reasons. The link in the fake SMS leads to a fake Citibank website which will request victims to log in to activate their card. Please do not click on the link or log in to these fake websites as scammers may use the information to conduct fraudulent transactions on your account.
How to look out for fake SMS and websites?
RED FLAG #1
Improper punctuation and grammar errors are key factors in identifying scams. Additionally, Citibank will not put clickable links in SMSes and emails sent to you.
RED FLAG #2
Look out for suspicious website URLs. Always log in via your Citi Mobile® App or the official Citibank Website.
Important things to take note of:
Be wary of fake SMS messages with spoof Citibank headers by checking for grammatical and/or spelling errors. Authentic Citibank SMSes will not contain links as we no longer send out clickable links in emails and SMSes.
Do not reveal your banking details (e.g. login credentials, security token, unlock code, one-time PIN (OTP), ATM and credit card PIN, banking statement etc.) or any personal/sensitive information to anyone or on any authorised websites.
Please check if any Citibank website links are legitimate by ensuring the links start with
If you receive any communications you are unsure about or if you would like to report on a fraud or scam, please contact our 24-Hour CitiPhone Hotline immediately.
Keep your cards safe when travelling abroad
Date: 15th August 2022
Thinking about travelling abroad any time soon? With the ease of travel restrictions in many parts of the world, we would be able to travel abroad more easily. If you are planning to travel abroad, please be reminded to stay vigilant during your travels and to keep your credit and debit cards safe to avoid any fraud or theft.
Follow these tips while travelling abroad:
Do not leave your handbags/wallets and cards unattended (e.g. in the overhead compartments of planes or coaches etc.). Use your hotel’s safe to store important documents such as your passport or spare credit card. If your hotel does not provide this option, you can use a lockable suitcase – always remember to lock your suitcase when left unattended. |
Beware of strangers and always check that your wallets/cards are in your possession. |
Be aware of common scams at your travel destination (e.g. elaborate begging or street vendor scams, taxi scams). |
Ensure that the correct card is returned to you after any purchase |
Be alert at crowded places (e.g. trains, markets, shopping centres, airports etc.). Be wary of where you keep your wallet and watch out for people who bump into you, as they may be trying to swipe it. |
Your credit card information may be stolen digitally via radio-frequency identification (RFID) skimmers. You can consider protecting yourself using RFID-blocking travel wallets during your travels. |
What should you look out for?
For Debit Cards:
If you would like to terminate your card and request for a replacement, please call our CitiPhone hotline available on the Citibank website. |
For Credit Cards:
Step 1: Lock your credit card immediately via the Citi Mobile® App so no one else can use it.
• To lock your card, click on “Manage” on your card on the Citi Mobile® App. You may unlock your card just as easily when you need to. • While your card is locked, you will not be able to use it for point-of-sale transactions. However, any recurring payment instructions that you may have established on your card will not be affected. |
|
Step 2: If you would like to terminate your card and request for a replacement, please call our CitiPhone hotline available on the Citibank website. |
Getting ready for your trip? Here are some pre-travel preparation tips:
Check if your contact details with the bank are updated
Ensure that all your contact details with the bank are updated so that we can contact you immediately in the case of fraudulent activity. Do note that if you change your SIM card whilst overseas, Citibank will not be able to contact you.
To update your contact details, you may log in to the Citi Mobile® App and navigate to “Profile and Settings”. Alternatively, you may also log in to Citibank Online and select “My Profile”.
Enable your Citialerts to stay updated on your transactions
Ensure that your Citialerts are enabled via Citibank Online so that you can be notified on any transactions on your card(s) and account(s). You will be notified on online outgoing funds transfer from your banking accounts which is S$1 and above.
Note: If you have opted to receive SMS for your Citi Alerts, please ensure that you do not swop out your SIM card with the phone number registered with Citi.
If you detect any unauthorised transactions on your card(s) and account(s), please report it to us immediately by calling our CitiPhone hotline available on our Citibank website.
Lock your credit card via the Citi Mobile® if you are not intending to use it overseas
To lock your card, click on “Manage” on your card on the Citi Mobile® App. You may unlock your card just as easily when you need to.
Loan Scam
Date: 19th October 2020
We have been alerted of customers receiving unsolicited text messages from unlicensed moneylenders offering loan and loan services.
The message may purport to be sending from "Citibank" or other financial institutions to convince you that they are legitimate. Victims were instructed to transfer monies to the fraudster as a deposit before the loan can be disbursed. After the victims have transferred the monies, the victims find that the fraudsters are no longer contactable.
Examples of loan scam messages
What you should do
Ignore the message |
Block and report the numbers on the platform where you received the message |
For more information, you may refer to www.scamalert.sg.
Social Media and E-Commerce Scams
Date: 18th September 2020
There has been an increase in phishing scams cases involving emails and text messages since January 2020.
Victims of such phishing scams received emails or text messages by scammers impersonating entities the victims know or trust, such as banks, government agencies, trade unions, or companies such as Netflix, PayPal and DHL. These emails and text messages make fake offers or claims to trick recipients into clicking on an URL link. Such fake offers or claims include outstanding payment for parcel delivery, disruptions to services or subscriptions, refunds, or promotions. Upon clicking on the URL links, victims will be redirected to fraudulent websites where they are tricked into providing their credit/debit card details and One-Time PIN (OTP). Victims only realised that they have been scammed when they discovered unauthorised transactions made using their credit/debit card.
Impersonation Scam
Scammers will impersonate the victim’s friends or followers on social media like Facebook or Instagram using spoofed or compromised accounts and reach out to the victims. The scammers will ask the victims for their contact numbers, images of their credit/debit cards and One-Time PIN (OTP) on the pretext of signing them up for fake lucky draws or promotions on online shopping platforms.
What does it look like?
Below is the typical flow of a social media impersonation scam
An impersonator poses as someone you
know/follow on your social media (e.g. Facebook or
Instagram) and sends you a personal message. |
The impersonator claims to have lost his/her contact list, asks for personal details such as your mobile phone number to sign you up for contests or promotion campaigns on e-commerce sites. |
The impersonator then claims that you have won a lucky draw and asks for your credit card details and OTP in order for him/her to credit the cash prize. |
You later discover that the impersonator has made unauthorised fraudulent transactions from your bank account or mobile wallet without your consent. |
What should you look out for?
Contact claiming to be someone you know sends you a personal message asking for your mobile phone number and credit card details to sign you up for contests or promotion campaigns on an online shopping platform. | |
Contact claims that you have won a lucky draw and asks for your credit card details in order to credit the cash prize to you. | |
Contact asks for the OTP sent to your mobile phone number. | |
Social media account impersonating your existing contacts sends new friend/follower request to you. |
E-Commerce Scam
Scammers will tout a good deal for a gadget, amusement park or concert tickets online, usually pricing these way below market-price and for a limited time period. Victims lured by the attractiveness of the offer will transfer payment to the “seller” who promises to deliver the item which never arrives.
What does it look like?
Below is the typical flow of an e-commerce scam:
An advertisement shows up on your social media (e.g. Facebook or Instagram)
selling a product at an attractive price over a flash
deal ending in an hour. |
You visit the “seller’s” social media account page and follow the URL linking to their “official” webpage. Positive comments from buyers make you think that the “seller” is legitimate. |
You hastily decide to make the purchase before the
flash sale ends and follow the instructions on the
webpage to key in your credit card details.
|
You receive a confirmation email with the “seller” requiring an additional delivery fee before sending out the product. You are promised delivery within 3 weeks from the purchase. |
You do not receive the product and attempt to contact the “seller”. However, there are no responses given once your payment transaction has gone through. |
What should you look out for?
Advertisements on your social media show deals from e-commerce that are way below market-price, disguised as limited-time-only or flash deals. | |
Lack of information on the products or unstated terms and conditions. | |
Reviews/comments on the product that are only positive. | |
Seller:
|
How to protect yourself against social media scams:
ALWAYS |
NEVER |
Impersonation and Technical Support Scam
Date: 24th July 2020
In the first 3 months of 2020, at least S$41.3 million were lost to scammers, based on cases that were reported to the Singapore Police.
As of 5 June 2020, it was reported in the news that more than S$7 million has been lost to scammers who were posing as technical support staff from January to April 2020, an increase of more than 40 times from the same period in 2019.
We would like to remind our customers to be wary of phone calls or SMSes claiming to be from banks, government agencies, courier or telco companies or any technical support teams requesting for you to provide them with your banking or log in credentials, perform funds transfers or asking you to update your information with them.
These calls/SMSes prey on your fears by making you think that your data/accounts have been compromised or that there are illegal activities linked to you, your account or your IP address.
In these calls:
We set out below, a step-by-step flow of the latest impersonation and technical support scams that have been reported. Please take some time to read this and share with your family and loved ones.
Here is a typical flow of impersonation scam:
Customer receives a call from someone claiming to be from a Bank/Telco/Government agency/ Courier company, informing him/her that his/her internet account has been hacked and used for illegal activities.
The call is then transferred to a Police/Interpol/Cybercrime police etc.
Customer is advised by the impersonator to download a screen sharing software and then log in to his/her Citi account during the screen sharing, in order to catch the fictitious hacker.
During screen sharing, impersonator is able to see customer’s User ID, Password and One-time PIN (OTP). Impersonator then the OTP to download Citi Mobile® Token, a payee and fund transfer or advises customer to add payee and perform fund transfer to the payee.
Customer is told to ignore all SMS alerts from Citi as that is the bank’s practice. Any amount transferred will be refunded to him/her as it is used as a “bait” to catch the hacker. The impersonator will assure the customer that the money will be returned the customer.
When customer tries to call the impersonator to check on the return of funds, the impersonator is uncontactable. Monies would have already been transferred out of his/her banking accounts.
Below is a typical flow of a technical support scam.
Customers are reminded to exercise caution at all times.
Take note of the following important pointers:
Treat them like your ATM PIN.
Customer Advisory – 3rd Party Mobile Applications / Websites
Date: 24th April 2019
Description: Do not use 3rd Party Mobile Applications / Websites for viewing Online Banking Details
We are aware that there are 3rd Party Mobile Applications / Websites that allow customers to have a consolidated view of their financial expenses / transactions across multiple banks, credit card, investments, equity trades, and loan accounts in one place.
Citibank would like to remind our customers not to download any 3rd Party Mobile Applications / Websites to view / access your Citibank Online accounts. There is a potential risk of your online banking credentials being compromised as Username and Password has been shared with the application.
To protect yourself, always exercise the following precautions:
- Do not download any 3rd Party Mobile Applications to view your online banking details.
- Do not input your Citibank Online Username and Password when requested by such applications / websites.
- If already inputted, immediately change Username and Password.
Use of Citibank Online is personal to you and no third party should be allowed to access/view your account/account information via Citibank Online, whether or not you have consented to such third party’s access. This is to prevent any unauthorized access or use of your account and account information. You are responsible for keeping any of your log-in credentials (including User ID and Password) confidential and you cannot reveal your log-in credentials to any third party.
Where you have revealed your log-in credentials to a third party, please note that Citibank is not liable for and you have to compensate us for any losses arising out of any use of your log-in credentials. In such an event, we also have the right, from a risk management perspective, to suspend your access to Citibank Online at any time.
Customer Advisory
Date: 5th September 2018
Description: Be alert to emails and SMS scams.
We would like to remind our customers to remain vigilant when responding to emails and SMS messages from senders masquerading as popular brands, often requesting for you to:
- Complete a survey or a quiz, with the promise of cash prizes, loyalty points or air miles.
- Provide your card number, in order to participate in the survey or quiz.
- Provide your mobile phone number.
As a further tactic to convince victims of the authenticity of these scams, a One-Time Pin (OTP) will be sent to the mobile phone number that you've just provided. Unfortunately, with the successful solicitation of this information, the scammer would have gathered the necessary details to perform unauthorized transactions on your Citi Cards.
To protect yourself, always exercise the following precautions:
- When clicking on a link from an email, always check that the internet address that you are directed to is legitimate by verifying it in the web browser. If you're unsure, please check this with the brand or merchant.
- Never disclose your card numbers on merchant websites that have internet addresses that look incorrect.
- Check if the web browser displays a Locked Padlock icon. Reputable sites would have these.
- Never disclose your OTP to websites that you might be unfamiliar with.
- Always check your account statements regularly to detect any unauthorized transactions. For a real-time view of your transactions, login to the Citi Mobile® App.
Phishing Emails
Date: 7th August 2018
Description: We have detected phishing emails and webpages targeting Citi customers. These phishing emails comes from a non-Citi email address and requests Citi customers click on a hyperlink to unlock / update their online banking / credit card account.
If a customer falls victim to the phishing email and clicks on the hyperlink, they will be redirected to a page URL that is not official Citi website, requesting for a user's information (Username and Password), followed by a request to provide an SMS OTP. Such websites are used to conduct card not present transactions but may also be utilized in order to steal personally identifiable data, username-password combinations, OTPs or infect a user's device as well as fraudulent enrollment of Citi © Mobile Token (which may be used to carry out payments to these fraudsters).
How can you protect yourself from this?
- Be alert. Minimize clicking on links in emails as these may not be legitimate.
- Check that you are using the official Citi website. Always type the Citibank Online website URL directly into the address bar of your browser. If you are on mobile, consider using the official Citibank Mobile application.
- Citi will never request for your PIN, password or OTP through phone call, email or SMS. Call Citiphone immediately if you notice unknown transactions appearing on your account.
Customer Advisory
Date: 20th July 2018
Description: A group of healthcare institutions has reported a data breach affecting more than 1.5 million patients. Patient data stolen included personally identifiable information such as names, addresses, birthdays, and national identification numbers. Approximately 160,000 patients had details of medical prescriptions stolen. Stolen credentials may be used to conduct social engineering and phishing scams. Such scams utilize personally identifiable information to appear legitimate.
How can you protect yourself from this?
- Be alert. Do not provide personal or bank information to unsolicited callers.
- Never give out any sensitive personal information (including login passwords or one-time passwords) over the phone or via email. Our staff will never ask you for such information.
- Contact Citiphone immediately if you are in any doubt of a call, SMS or email's validity.
SMS Phishing
Date: 20th May 2018
Description: We have detected multiple Phishing Emails. The sender email addresses varies from those ending with @gmail.com, @hotmail.com, @yahoo.com, etc. They contain messages including the requirement to update account details due to system maintenance or "New Message from Citibank". A hyperlink that purports to be a Citibank hyperlink (but is not) is also included in the message and takes customer to URLs that does not belong to official Citibank. The site has the same look and feel of that of Citibank Online. Such websites are designed to trick users into providing their online banking and credit card details to conduct fraudulent / unauthorized bank transfers and / or credit card transactions. Credit Card details provided could also be used to enroll for Payment Wallets such as Samsung Pay, Android Pay, Google Pay and Apple Pay.
How can you protect yourself from this?
- Be alert. Minimize clicking on links in SMSs as these may not be legitimate.
- Check that you are using the official Citi website. Always type the Citibank Online website URL directly into the address bar of your browser. If you are on mobile, consider using the official Citibank Mobile application.
- Never reply to unsolicited SMSs. Responses to such SMSs could be used by fraudsters to socially engineer information or trick users into performing unwanted actions.
- Only provide your credit card details if you're making a direct purchase. Always check that you intend to conduct a credit card transaction and do not provide an OTP to authorize payment if you are not.
- Citi will never request for your PIN, password or OTP through phone call, email or SMS. Call Citiphone immediately if you notice unknown transactions appearing on your account.