ONLINE BANKING SECURITY

Online Security Tips.

Your online protection.

Online Security Tips by Citibank IPB

At Citibank, we constantly update our security technology to protect your privacy and confidentiality. It is important that you take the necessary measures to safeguard yourself.

As phishing scams are on the rise, never provide your banking credentials/One-Time PIN to anyone. Always check your Citibank SMS/email alerts and report any unauthorized transactions to us immediately.

Here are some of the security features and tips customers should be aware of to ensure a pleasant and secure online banking experience.

To report a fraud or scam, please contact us immediately at:
(1) Citibank Fraud hotline: +65 6337 5519
OR
(2) 24 Hour CitiPhone Banking: +65 6224 5757

Safeguard yourself while banking online

When accessing Citibank Online, always look out for the padlock symbol in your browser to ensure that the website has a valid certificate marked to Citigroup Inc.


Steps to take to protect yourself

Scenarios What should you do?

Scenario 1:

If you receive an SMS from Citibank, to authorize a charge on your Citi Card/account, with sender number in "short code" 72484 or "long code" +65 9657 2484,

Reply "1", if the charge was authorised by you.

Reply "2", if the charge was not authorised by you.

If you are overseas or holding onto an overseas mobile number, please send your reply to +65 9657 2484.

You may also call Citibank at +65 6337 5519

Scenario 2:

If you receive any suspicious communications claiming to be from Citibank,

Step 1: Please do not click on any links provided or provide any personal and banking information to anyone over unsolicited calls or on a suspicious website.

Step 2: Contact the CitiPhone hotline at +65 6224 5757 to report on the alleged scam or to verify if the communications are legitimate.

Scenario 3:

If you suspect or detect that your account is being compromised,

Step 1: If you suspect that your card details have been compromised, please temporarily lock your card via the Citi Mobile® App so that no one else can use it.

To lock your card, click “Manage” on your card on the Citi Mobile® App.

Step 2: Contact the Citibank Fraud hotline at +65 6337 5519 to report the scam incident and provide the relevant details to our fraud agents:

  • Approximate date and time of the alleged scam or fraud
  • Channel that the scammer used (phone call, SMS, email, e-commerce platform)
  • A copy of the scam message if available
  • What was the information provided to the scammer

Scenario 4:

If you misplaced your card or your card is lost or stolen,

Step 1: Temporarily lock your card via the Citi Mobile® App so that no one else can use it. You may unlock your card easily on the Citi Mobile® App when you need to.

Step 2: Report as lost or stolen via the Citi Mobile® App

To lock your card or report as lost or stolen, click “Manage” on your card on the Citi Mobile® App.

HOW TO PROTECT YOURSELF WHILE BANKING ONLINE

When accessing Citibank Online, always check that the www.ipb.citibank.com.sg website has a valid certificate marked to Citigroup Inc. [US]. We recommend that you enter the bank's address (www.ipb.citibank.com.sg) in your browser URL field to access and login to your account.

  • Never provide the One-Time PIN (OTP) that is sent to your mobile phone to anyone, including people claiming to be from Citibank.
  • Always check SMS alerts from Citibank for any unauthorised transaction, in particular any unauthorised registration of Citi Mobile® Token or unauthorised addition of a new payee via Citibank Online.
  • Ensure that your contact number and email address are always updated, so that we can send you alerts that may prevent fraudulent activity.

Latest Security Alert

Security Alerts and Information

Clients may check this page regularly for the latest security alerts and/or news. If you are unsure whether any call, email or SMS is genuinely from Citibank, please contact us immediately and refrain from taking any further action. Whilst Citibank strives to provide you with the latest security alerts and/or news, please note that this webpage and the examples of scams/phishing listed here are not exhaustive.




 

New Security Update on the Citi Mobile® App

Date: 18th September 2023

WHAT CITI IS DOING FOR YOU

We will be detecting the following 4 potentially risky permission settings on apps/tools attempting to access the Citi Mobile® App on your device:

  • Anti Remote Desktop Access
  • Suspicious Accessibility Services
  • Android Debugging via Developer Options
  • Screen Overlay


HOW TO PROTECT YOURSELVES FROM MALWARE?

  • Be Vigilant — Stay Safe and Not Sorry: If the price of an offer is too good to be true, it probably is. Be vigilant and verify the legitimacy of the offer with the company via official sources. Consult your family, friends, or colleagues if you are unsure.
  • Avoid Installing Unknown Apps: Refrain from downloading apps from third-party websites and only download from official app stores like the Apple App Store and Google Play Store. Malicious apps may request permissions, such as “Accessibility Services”, that are unrelated to their intended functionalities. Review app permissions carefully during installation and reject any suspicious requests.
  • Be Wary of Unusual Payment Requests: Be cautious if the offers require you to use unconventional payment methods, such as gift cards or cryptocurrency. These methods are often favoured by scammers because they are difficult to trace and reverse.
  • Share with Care: Always verify the legitimacy of the offer before sharing with your family, friends, and colleagues. If in doubt, avoid sharing it or enlist their assistance in helping you verify the legitimacy.

WHAT TO DO IF YOU FALL VICTIM TO A SCAM?

  • Switch your Device to Flight Mode: If you suspect your device has been infected by malware, switch your device to flight mode immediately to disconnect from the Internet. This will prevent the scammers from further accessing your device remotely.
  • Activate Kill Switch immediately: On a secondary/uncompromised device, log in to the Citi Mobile® App > Settings & More > Security & app > Kill Switch. Alternatively, you can log in to Citibank Online or call our 24 hour CitiPhone banking immediately at +65 6224 5757 to activate Kill Switch.
  • Identified Unauthorised Transactions: If there are any unauthorised transactions detected in your bank account(s), contact our 24 hour CitiPhone banking immediately at +65 6224 5757.
  • Report the incident to the police: Reach out to the police and lodge a report.
  • Run an anti-virus scan on your device: Use anti-virus software which you have downloaded from verified or legitimate sources to scan your device, so that known malware on it is identified and removed.



      Don't be lured by phishing scams

      Date: February 2024

      Phishing scams are on the rise and becoming more sophisticated. It could be a WhatsApp message from a bogus business account, a friendly call from an acquaintance you don’t remember, or an alarming message from someone claiming to represent a government agency. Learning more about scams and how they work will help you stay alert and protected. Let’s get started.




      How do you spot a scam?
      Look out for these signs.





      Ready to protect yourself?
      Heed these precautions.


      Do not click on links in unsolicited emails and text messages
      Do not disclose your banking details, OTP, or any personal/sensitive information to anyone
      Type in the web address in your browser’s address bar to avoid falling for fake links
      Access your bank’s website through the official app (e.g. Citi Mobile® App)



      Tips to protect from scams

      Date: October 2023

      Scam cases are growing in numbers and scammers are becoming increasingly sophisticated with their tactics. Whether you know it or not, you may have received a form of scam call, message or email. To target victims, scammers will impersonate Citibank or any other official organisations.

      Find out what you should do if you think you’ve encountered a scam and take the right steps to protect yourself.

      What should you do if you think you've encountered a scam?





      Security Tips


      Do not click on URL links in unsolicited messages. Please note that Citibank does not send any SMSes and emails to our customers with clickable website links.
      Verify any claims directly with the source on the official website before responding or sharing any of your personal details.
      Be wary of SMSes with spoofed headers by looking out for grammatical errors, spelling errors and website links.
      Do not reveal your banking details (e.g. log-in credentials, security token, unlock code, one-time PIN (OTP), ATM and credit card PIN, banking statement, etc.) or any personal information to anyone.
      Be alert and always read the full text message when you have received SMSes sent from Citibank regarding notifications relating to OTPs or transactions.
      Be cautious when downloading third-party mobile applications as they may allow scammers to remotely control your personal devices and extract your stored credentials.
      Keep your devices updated to enjoy the latest security updates and be cautious when surfing the web.



      What should you look out for?


      Be vigilant and stay alert on the latest scam tactics by following our security page below.
      Ensure your push notifications are enabled to stay up to date on important alerts from us.
      Check if your contact details with the bank are updated so that we can contact you immediately in the case of fraudulent activity.
      Check if your CitiAlerts are enabled via Citibank Online to receive notifications on your account and credit card transactions.


      Be Wary of Job Scams

      Date: October 2023

      There are scammers sending unsolicited job offers via messaging apps or social media, offering high-paying jobs that require little effort and no experience but victims are required to pay fees or transfer monies before earning commissions. Be wary of unsolicited job offers and stay vigilant by learning about different job scams and what to look out for.


      What are the different types of job scams?


      Affiliate Marketing Job Scam

      This is a job scam requiring victims to complete easy tasks such as liking social media posts to earn commissions. Victims are instructed to sign up for job packages by making upfront payments but will not receive further commissions after the initial commission.


      Fake Mobile App Job Scam

      This is a job scam requiring victims to download a fake mobile application and top up funds into their accounts for buying and selling products or transferring money or cryptocurrency to bank accounts. Victims will not be able to withdraw their money or commission reflected on the fake mobile app.



      Warning Letter Job Scam

      This is a job scam evolving from the fake mobile app scam, where victims who try to quit the job and withdraw money from their accounts will receive a fake warning letter with a letterhead of local authorities stating that their accounts would be frozen with legal implications. Victims will then be further pressured to make more fund transfers to avoid claimed legal action.





      Here are just two examples of job scam offers that victims have received via SMS, WhatsApp or Telegram:










      What should you look out for?






      You are contacted for a job you did not apply for.




      You are promised a large sum of money for very little work, or the salary range is far out of line with your experience. Easy jobs that offer lucrative commissions are simply too good to be true.




      You receive an offer from a free email account, e.g. @yahoo.com, @gmail.com.




      You are asked to transfer funds to bank accounts or cryptocurrency wallets belonging to individuals that you have not met in person.




      You are asked for confidential information, including bank and credit card details over messaging apps or emails.




      You are hired directly without an interview or meeting your potential employer.




      Do not use your bank account to conduct transactions on behalf of others.




      Beware of Malware Scams

      Date: September 2023

      There has been an increase in malware and technical support related scams where scammers are utilising scam applications to infect victims’ personal devices and access sensitive personal and banking information. Some scammers may even disguise themselves as technical support or as merchants for home services or the sale of food items, and instruct you to download third-party screen sharing applications to fix issues, to book services or to make payments for commonly used items like food and groceries you thought you were purchasing.

      From the scam applications, scammers will be able to control the victims’ personal devices, monitor activity and gain control of their banking accounts to perform unauthorised transactions. In most cases, the victims would not be aware that this was happening on their personal devices, as it can go on even when the device is not being used or in active mode.

      How do Malware and Technical Support Scams happen?

      Surfing unsolicited websites and clicking on pop ups on such websites

      Opening links from suspicious emails or text received via SMS or other messaging apps

      Instructions from scammers to victims to download fictitious applications




      Tips to protect yourself from Malware and Technical Support Scams:


      Be vigilant when surfing websites. You may turn on ad blockers to not receive pop up ads
      Disable “Install Unknown App” or “Unknown Sources” in your settings
      Ensure your devices’ operating systems (Apple iOS or Android OS) and applications are updated regularly to be protected by the latest security patches
      Ensure that your devices are installed with updated anti-virus/anti-malware applications that can detect and remove malware
      Never download any unknown third-party application under the instructions of anyone or without first verifying the authenticity of the application
      Do not grant permission to persistent pop-ups that request access to your device’s hardware or data

      If your account or card has been compromised, please activate Kill Switch on the Citi Mobile® App or contact our fraud hotline, which is available on our Citibank website, immediately. Find out more here.


      Beware of scams involving e-wallets

      Date: April 2023

      There has been an increase in scams involving e-wallets where scammers have been collecting the credit/debit card credentials of victims via phishing websites. Scammers typically send unsolicited communications and direct victims to a spoofed website where they will be prompted to enter their credit/debit card details and One-Time PIN (OTP) to make payment. Once the OTP has been provided, the scammer would be able to successfully add the victim’s credit/debit card into the scammer’s own e-wallet to make purchases.

      Tip: An e-wallet (e.g. Apple Pay) is a digital wallet that can be used to make online transactions and contactless in-store purchases using a credit card that had been added to the e-wallet. If your card details and OTP are compromised, a scammer can use your credit card via the e-wallet to make transactions freely.



      Tips to protect yourself against phishing scams


      Do not click on URL links in unsolicited messages.
      Be wary of phishing SMSes with spoofed headers by looking out for grammatical errors, spelling errors and links.
      Do not reveal your banking details (e.g. log-in credentials, security tokens, unlock codes, OTPs, ATM and credit card PINs, banking statements, etc.) or any personal information to anyone.
      Verify any claims directly with the source on the official website before responding or sharing any of your personal details.
      Be alert and always read the full text message when you receive any SMS sent from Citibank on notifications relating to OTPs and when a card has been added to an e-wallet.



      What to look out for


      If you receive a notification from Citibank that your credit/debit card has been added to an e-wallet (e.g. Apple Pay) but it was not initiated by you.
      If you receive a notification of a transaction that you do not recognise from Citibank.

      What should you do if you suspect your card details have been compromised?



      1. Lock your Citi Card on the Citi Mobile® App immediately




      2. Report it to the fraud hotline available here


      Fake Friends

      Date: 3rd November 2022

      There have been scammers calling and messaging victims, pretending to be a friend, family member or colleague, and requesting loans from unsuspecting victims. These scammers will use scam tactics to gain your trust, claiming to have financial difficulties and citing the need for funds due to a medical emergency or to pay for their business. Scammers can also contact victims via WhatsApp, Telegram, Viber Call, Facebook, and Instagram, with their display picture as the friend they claimed to be.


      What should you look out for?


      Beware of unusual requests received over the phone or via messages, even if they appear to be from someone you know.
      Hang up immediately if you are suspicious or if the caller cannot identify themselves properly.
      Be wary of calls with the “+” prefix as they are international calls and common numbers that appear to be fraudulent.
      Always verify requests with your friends, family and colleagues via physical meet-ups or previously established contact details.
      Never send money to people you do not know or have not met in person before.

      Phishing Scams

      Date: 29th September 2022

      There are scammers sending a fake SMS with a spoof Citibank header informing victims that their account or credit card has been suspended due to security reasons. The link in the fake SMS leads to a fake Citibank website which will request victims to log in to activate their card. Please do not click on the link or log in to these fake websites as scammers may use the information to conduct fraudulent transactions on your account.

      How to look out for fake SMS and websites?

      RED FLAG #1

      Improper punctuation and grammar errors are key factors in identifying scams. Additionally, Citibank will not put clickable links in SMSes and emails sent to you.

      RED FLAG #2

      Look out for suspicious website URLs. Always log in via your Citi Mobile® App or the official Citibank Website.


      Important things to take note of:


      Be wary of fake SMS messages with spoof Citibank headers by checking for grammatical and/or spelling errors. Authentic Citibank SMSes will not contain links as we no longer send out clickable links in emails and SMSes.

      Do not reveal your banking details (e.g. login credentials, security token, unlock code, one-time PIN (OTP), ATM and credit card PIN, banking statement etc.) or any personal/sensitive information to anyone or on any unauthorised websites.

      Please check if any Citibank website links are legitimate by ensuring the links start with

      If you receive any communications you are unsure about or if you would like to report on a fraud or scam, please contact our 24-Hour CitiPhone Hotline immediately.
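
The red flags above, expressed as a triage check for reported messages. This is an added example, not Citibank's own code: it applies the page's rule that genuine Citibank SMSes and emails carry no clickable links and compares link hosts against the www.ipb.citibank.com.sg address given earlier on this page. The sample messages and the `.example` hosts are constructed.

```python
import re
from urllib.parse import urlsplit

# Address the page tells customers to type into the browser by hand.
OFFICIAL_HOST = "www.ipb.citibank.com.sg"

# Links with a scheme, a leading "www.", or a bare host followed by a path.
URL_RE = re.compile(
    r"(?:https?://|www\.)[^\s<>\"']+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+/[^\s<>\"']*",
    re.IGNORECASE,
)


def host_of(url):
    """Return the host a browser would actually connect to, lower-cased."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a scheme-less link as a netloc
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".")


def naive_check(url):
    """Weak check: the official name merely appears somewhere in the link."""
    return OFFICIAL_HOST in url


def is_official(url):
    """Strict check: the parsed host is exactly the official host."""
    return host_of(url) == OFFICIAL_HOST


def classify_host(host):
    if host == OFFICIAL_HOST:
        return "official-host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "idn-host"  # punycode label, may render as look-alike letters
    if "citi" in host:
        return "brand-in-lookalike-host"
    return "unrelated-host"


def triage(message):
    """Flag a message that claims to be from Citibank.

    Any link at all is a red flag under the page's rule. The per-link class
    only tells the analyst what kind of look-alike was used. "no-link-found"
    is not proof of legitimacy, because sender headers can be spoofed.
    """
    findings = []
    for match in URL_RE.finditer(message):
        url = match.group(0).rstrip(".,;:!?)")
        host = host_of(url)
        findings.append({"url": url, "host": host, "class": classify_host(host)})
    verdict = "suspicious-contains-link" if findings else "no-link-found"
    return {"verdict": verdict, "findings": findings}


# Constructed sample messages (not real scam texts).
SAMPLES = [
    "Citibank: Your card has been suspended due to security reason. "
    "Login to activate: https://www.ipb.citibank.com.sg.secure-login.example/activate",
    "Citi Alert: verify now at http://www.ipb.citibank.com.sg@198.51.100.7/sg",
    "Citibank: A charge of SGD 120.00 was made on your card ending 1234. "
    "Reply 1 if authorised by you, 2 if not.",
    "CITI: unlock your account at citibank-sg.example/unlock today.",
]

if __name__ == "__main__":
    for text in SAMPLES:
        result = triage(text)
        print(result["verdict"])
        for item in result["findings"]:
            print("   ", item["host"], "->", item["class"],
                  "| naive check passes:", naive_check(item["url"]))
```

The first two samples pass the naive substring check even though the browser would connect to a different host, which is why the comparison has to be made on the parsed hostname.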


      Keep your cards safe when travelling abroad

      Date: 15th August 2022

      Thinking about travelling abroad any time soon? With the easing of travel restrictions in many parts of the world, we are able to travel abroad more easily. If you are planning to travel abroad, please be reminded to stay vigilant during your travels and to keep your credit and debit cards safe to avoid any fraud or theft.


      Follow these tips while travelling abroad:


      Do not leave your handbags/wallets and cards unattended (e.g. in the overhead compartments of planes or coaches etc.). Use your hotel’s safe to store important documents such as your passport or spare credit card. If your hotel does not provide this option, you can use a lockable suitcase – always remember to lock your suitcase when left unattended.


      Beware of strangers and always check that your wallets/cards are in your possession.



      Be aware of common scams at your travel destination (e.g. elaborate begging or street vendor scams, taxi scams).


      Ensure that the correct card is returned to you after any purchase



      Be alert at crowded places (e.g. trains, markets, shopping centres, airports etc.). Be wary of where you keep your wallet and watch out for people who bump into you, as they may be trying to swipe it.


      Your credit card information may be stolen digitally via radio-frequency identification (RFID) skimmers. You can consider protecting yourself using RFID-blocking travel wallets during your travels.





      What should you look out for?



      For Debit Cards:


      If you would like to terminate your card and request for a replacement, please call our CitiPhone hotline available on the Citibank website.



      For Credit Cards:

      Step 1: Lock your credit card immediately via the Citi Mobile® App so no one else can use it.

      • To lock your card, click on “Manage” on your card on the Citi Mobile® App. You may unlock your card just as easily when you need to.

      • While your card is locked, you will not be able to use it for point-of-sale transactions. However, any recurring payment instructions that you may have established on your card will not be affected.

      Step 2: If you would like to terminate your card and request for a replacement, please call our CitiPhone hotline available on the Citibank website.

      Getting ready for your trip? Here are some pre-travel preparation tips:


      Check if your contact details with the bank are updated

      Ensure that all your contact details with the bank are updated so that we can contact you immediately in the case of fraudulent activity. Do note that if you change your SIM card whilst overseas, Citibank will not be able to contact you.

      To update your contact details, you may log in to the Citi Mobile® App and navigate to “Profile and Settings”. Alternatively, you may also log in to Citibank Online and select “My Profile”.

      Enable your CitiAlerts to stay updated on your transactions

      Ensure that your CitiAlerts are enabled via Citibank Online so that you can be notified of any transactions on your card(s) and account(s). You will be notified of online outgoing funds transfers of S$1 and above from your banking accounts.

      Note: If you have opted to receive SMS for your CitiAlerts, please ensure that you do not swap out your SIM card with the phone number registered with Citi.

      If you detect any unauthorised transactions on your card(s) and account(s), please report it to us immediately by calling our CitiPhone hotline available on our Citibank website.

      Lock your credit card via the Citi Mobile® App if you are not intending to use it overseas

      To lock your card, click on “Manage” on your card on the Citi Mobile® App. You may unlock your card just as easily when you need to.


      Loan Scam

      Date: 19th October 2020

      We have been alerted to customers receiving unsolicited text messages from unlicensed moneylenders offering loans and loan services.

      The message may purport to be sent from "Citibank" or other financial institutions to convince you that it is legitimate. Victims were instructed to transfer monies to the fraudster as a deposit before the loan could be disbursed. After the victims have transferred the monies, the victims find that the fraudsters are no longer contactable.


      Examples of loan scam messages




      What you should do






      Ignore the message




      Block and report the numbers on the platform where you received the message



      For more information, you may refer to www.scamalert.sg.




      Social Media and E-Commerce Scams

      Date: 18th September 2020

      There has been an increase in phishing scam cases involving emails and text messages since January 2020.

      Victims of such phishing scams received emails or text messages from scammers impersonating entities the victims know or trust, such as banks, government agencies, trade unions, or companies such as Netflix, PayPal and DHL. These emails and text messages make fake offers or claims to trick recipients into clicking on a URL link. Such fake offers or claims include outstanding payment for parcel delivery, disruptions to services or subscriptions, refunds, or promotions. Upon clicking on the URL links, victims will be redirected to fraudulent websites where they are tricked into providing their credit/debit card details and One-Time PIN (OTP). Victims only realised that they had been scammed when they discovered unauthorised transactions made using their credit/debit card.


      Impersonation Scam

      Scammers will impersonate the victim’s friends or followers on social media like Facebook or Instagram using spoofed or compromised accounts and reach out to the victims. The scammers will ask the victims for their contact numbers, images of their credit/debit cards and One-Time PIN (OTP) on the pretext of signing them up for fake lucky draws or promotions on online shopping platforms.


      What does it look like?
      Below is the typical flow of a social media impersonation scam






      An impersonator poses as someone you know/follow on your social media (e.g. Facebook or Instagram) and sends you a personal message.




      The impersonator claims to have lost his/her contact list, asks for personal details such as your mobile phone number to sign you up for contests or promotion campaigns on e-commerce sites.




      The impersonator then claims that you have won a lucky draw and asks for your credit card details and OTP in order for him/her to credit the cash prize.




      You later discover that the impersonator has made unauthorised fraudulent transactions from your bank account or mobile wallet without your consent.




      What should you look out for?

      Contact claiming to be someone you know sends you a personal message asking for your mobile phone number and credit card details to sign you up for contests or promotion campaigns on an online shopping platform.
      Contact claims that you have won a lucky draw and asks for your credit card details in order to credit the cash prize to you.
      Contact asks for the OTP sent to your mobile phone number.
      Social media account impersonating your existing contacts sends new friend/follower request to you.

      E-Commerce Scam

      Scammers will tout a good deal for a gadget, amusement park or concert tickets online, usually pricing these way below market-price and for a limited time period. Victims lured by the attractiveness of the offer will transfer payment to the “seller” who promises to deliver the item which never arrives.

      What does it look like?
      Below is the typical flow of an e-commerce scam:






      An advertisement shows up on your social media (e.g. Facebook or Instagram) selling a product at an attractive price over a flash deal ending in an hour.




      You visit the “seller’s” social media account page and follow the URL linking to their “official” webpage. Positive comments from buyers make you think that the “seller” is legitimate.




      You hastily decide to make the purchase before the flash sale ends and follow the instructions on the webpage to key in your credit card details.




      You receive a confirmation email with the “seller” requiring an additional delivery fee before sending out the product. You are promised delivery within 3 weeks from the purchase.




      You do not receive the product and attempt to contact the “seller”. However, there are no responses given once your payment transaction has gone through.



      What should you look out for?

      Advertisements on your social media show deals from e-commerce that are way below market-price, disguised as limited-time-only or flash deals.
      Lack of information on the products or unstated terms and conditions.
      Reviews/comments on the product that are only positive.
      Seller:
      • requires additional delivery fee before product can be sent out.
      • requests for conversations to be taken off shopping platform.
      • insists on bank transfers instead of using the platform's payment options.

      How to protect yourself against social media scams:




      ALWAYS

      • Verify the social media account’s legitimacy by checking with your contacts offline, e.g. contacting them via their mobile phone number.
      • Verify the website URL’s legitimacy.
      • Insist on cash on delivery where possible, or use the platform’s secure payment option.


      NEVER

      • Disclose your personal particulars, OTPs and banking and credit card details to anyone, including family and friends.
      • Act hastily upon seeing a flash deal. Always confirm the source.
      • Agree to private bank transfers to sellers before delivery.

 

Impersonation and Technical Support Scam

Date: 24th July 2020

In the first 3 months of 2020, at least S$41.3 million were lost to scammers, based on cases that were reported to the Singapore Police.

As of 5 June 2020, it was reported in the news that more than S$7 million has been lost to scammers who were posing as technical support staff from January to April 2020, an increase of more than 40 times from the same period in 2019.

We would like to remind our customers to be wary of phone calls or SMSes claiming to be from banks, government agencies, courier or telco companies or any technical support teams requesting for you to provide them with your banking or log in credentials, perform funds transfers or asking you to update your information with them.

These calls/SMSes prey on your fears by making you think that your data/accounts have been compromised or that there are illegal activities linked to you, your account or your IP address.

In these calls:



The fraudster may deceive you into revealing your banking or login credentials such as Username, Password, One-Time PIN ("OTP") and/or Transaction Authorisation Code ("TAC"). The fraudster may claim that he/she needs the information to assist in investigations but this is all part of the ruse.


The fraudster may trick you into performing a funds transfer from your account to foreign bank accounts.


The fraudster usually works with other persons purporting to be from government/law enforcement agencies in Singapore or overseas to try to lull you into a sense of confidence.


We set out below, a step-by-step flow of the latest impersonation and technical support scams that have been reported. Please take some time to read this and share with your family and loved ones.

Here is a typical flow of impersonation scam:

Customer receives a call from someone claiming to be from a Bank/Telco/Government agency/ Courier company, informing him/her that his/her internet account has been hacked and used for illegal activities.

The call is then transferred to a Police/Interpol/Cybercrime police etc.

Customer is advised by the impersonator to download a screen sharing software and then log in to his/her Citi account during the screen sharing, in order to catch the fictitious hacker.

During screen sharing, impersonator is able to see customer’s User ID, Password and One-Time PIN (OTP). Impersonator then uses the OTP to download Citi Mobile® Token, add a payee and perform a fund transfer, or advises customer to add payee and perform fund transfer to the payee.

Customer is told to ignore all SMS alerts from Citi as that is the bank’s practice. Any amount transferred will be refunded to him/her as it is used as a “bait” to catch the hacker. The impersonator will assure the customer that the money will be returned to the customer.

When customer tries to call the impersonator to check on the return of funds, the impersonator is uncontactable. Monies would have already been transferred out of his/her banking accounts.


Below is a typical flow of a technical support scam.

Customer experiences a technical fault on his/her device and a technical support hotline (e.g. from Microsoft) pops up on his/her screen. Customer proceeds to call the hotline.
Someone claiming to be from the customer support team answers and walks customer through the steps of installing a screen sharing software (e.g. the Ultraviewer), in order to recover his/her device.
Scammer will be able to see the User ID/Password & OTP and use the information to enable customer's Citi Mobile® Token and add payee and transfer funds out of customer's banking accounts.
Customer will be asked to submit his/her personal particulars in order to process the documents for the enhanced security protocols. Customer will be assured that his/her accounts are safe and told to ignore all SMS alerts from the bank.
When customer terminates the line and disconnects his/her devices from the network, monies would have already been debited from his/her banking accounts.


Customers are reminded to exercise caution at all times.
Take note of the following important pointers:

Impersonators may use Caller ID spoofing technology to mask their actual number and instead display a name/number that purports to be from a Bank/Telco/Government agency/Courier company.
No government agency will request for your personal and banking details, or request for you to transfer money over the phone or through automated voice machines.
Do not act under the instructions of anyone suspicious.
Always verify the identity of the caller. You can do so by calling the official contact number of the relevant entity. Do not assume that the caller is genuine.
Do not give out any personal and banking information (i.e. User ID, password or OTP) to anyone.

Treat them like your ATM PIN.

 

Customer Advisory – 3rd Party Mobile Applications / Websites

Date: 24th April 2019

Description: Do not use 3rd Party Mobile Applications / Websites for viewing Online Banking Details

We are aware that there are 3rd Party Mobile Applications / Websites that allow customers to have a consolidated view of their financial expenses / transactions across multiple banks, credit card, investments, equity trades, and loan accounts in one place.

Citibank would like to remind our customers not to download any 3rd Party Mobile Applications / Websites to view / access your Citibank Online accounts. There is a potential risk of your online banking credentials being compromised as Username and Password have been shared with the application.

To protect yourself, always exercise the following precautions:

  • Do not download any 3rd Party Mobile Applications to view your online banking details.
  • Do not input your Citibank Online Username and Password when requested by such applications / websites.
  • If already inputted, immediately change Username and Password.

Use of Citibank Online is personal to you and no third party should be allowed to access/view your account/account information via Citibank Online, whether or not you have consented to such third party’s access. This is to prevent any unauthorized access or use of your account and account information. You are responsible for keeping any of your log-in credentials (including User ID and Password) confidential and you cannot reveal your log-in credentials to any third party.

Where you have revealed your log-in credentials to a third party, please note that Citibank is not liable for and you have to compensate us for any losses arising out of any use of your log-in credentials. In such an event, we also have the right, from a risk management perspective, to suspend your access to Citibank Online at any time.

 

Customer Advisory

Date: 5th September 2018

Description: Be alert to emails and SMS scams.

We would like to remind our customers to remain vigilant when responding to emails and SMS messages from senders masquerading as popular brands, often requesting for you to:

  • Complete a survey or a quiz, with the promise of cash prizes, loyalty points or air miles.
  • Provide your card number, in order to participate in the survey or quiz.
  • Provide your mobile phone number.

As a further tactic to convince victims of the authenticity of these scams, a One-Time PIN (OTP) will be sent to the mobile phone number that you've just provided. Unfortunately, with the successful solicitation of this information, the scammer would have gathered the necessary details to perform unauthorized transactions on your Citi Cards.

To protect yourself, always exercise the following precautions:

  • When clicking on a link from an email, always check that the internet address that you are directed to is legitimate by verifying it in the web browser. If you're unsure, please check this with the brand or merchant.
  • Never disclose your card numbers on merchant websites that have internet addresses that look incorrect.
  • Check if the web browser displays a Locked Padlock icon. Reputable sites would have these.
  • Never disclose your OTP to websites that you might be unfamiliar with.
  • Always check your account statements regularly to detect any unauthorized transactions. For a real-time view of your transactions, log in to the Citi Mobile® App.

Phishing Emails

Date: 7th August 2018

Description: We have detected phishing emails and webpages targeting Citi customers. These phishing emails come from a non-Citi email address and request that Citi customers click on a hyperlink to unlock / update their online banking / credit card account.

If a customer falls victim to the phishing email and clicks on the hyperlink, they will be redirected to a page URL that is not the official Citi website, requesting a user's information (Username and Password), followed by a request to provide an SMS OTP. Such websites are used to conduct card-not-present transactions, but may also be utilized to steal personally identifiable data, username-password combinations and OTPs, to infect a user's device, or for fraudulent enrollment of Citi Mobile® Token (which may be used to carry out payments to these fraudsters).

How can you protect yourself from this?

  • Be alert. Minimize clicking on links in emails as these may not be legitimate.
  • Check that you are using the official Citi website. Always type the Citibank Online website URL directly into the address bar of your browser. If you are on mobile, consider using the official Citibank Mobile application.
  • Citi will never request for your PIN, password or OTP through phone call, email or SMS. Call Citiphone immediately if you notice unknown transactions appearing on your account.


Customer Advisory

Date: 20th July 2018

Description: A group of healthcare institutions has reported a data breach affecting more than 1.5 million patients. Patient data stolen included personally identifiable information such as names, addresses, birthdays, and national identification numbers. Approximately 160,000 patients had details of medical prescriptions stolen. Stolen credentials may be used to conduct social engineering and phishing scams. Such scams utilize personally identifiable information to appear legitimate.

How can you protect yourself from this?

  • Be alert. Do not provide personal or bank information to unsolicited callers.
  • Never give out any sensitive personal information (including login passwords or one-time passwords) over the phone or via email. Our staff will never ask you for such information.
  • Contact Citiphone immediately if you are in any doubt of a call, SMS or email's validity.

 

SMS Phishing

Date: 20th May 2018

Description: We have detected multiple Phishing Emails. The sender email addresses vary and include those ending with @gmail.com, @hotmail.com, @yahoo.com, etc. They contain messages including the requirement to update account details due to system maintenance or "New Message from Citibank". A hyperlink that purports to be a Citibank hyperlink (but is not) is also included in the message and takes the customer to URLs that do not belong to the official Citibank website. The site has the same look and feel as Citibank Online. Such websites are designed to trick users into providing their online banking and credit card details to conduct fraudulent / unauthorized bank transfers and / or credit card transactions. Credit Card details provided could also be used to enroll for Payment Wallets such as Samsung Pay, Android Pay, Google Pay and Apple Pay.

How can you protect yourself from this?

  • Be alert. Minimize clicking on links in SMSs as these may not be legitimate.
  • Check that you are using the official Citi website. Always type the Citibank Online website URL directly into the address bar of your browser. If you are on mobile, consider using the official Citibank Mobile application.
  • Never reply to unsolicited SMSs. Responses to such SMSs could be used by fraudsters to socially engineer information or trick users into performing unwanted actions.
  • Only provide your credit card details if you're making a direct purchase. Always check that you intend to conduct a credit card transaction and do not provide an OTP to authorize payment if you are not.
  • Citi will never request for your PIN, password or OTP through phone call, email or SMS. Call Citiphone immediately if you notice unknown transactions appearing on your account.
