Online Security Tips.

Your online protection.

Online Security Tips by Citibank IPB

At Citibank, we constantly update our security technology to protect your privacy and confidentiality. It is important that you take the necessary measures to safeguard yourself.

As phishing scams are on the rise, never provide your banking credentials/One-Time PIN to anyone. Always check your Citibank SMS/email alerts and report any unauthorized transactions to us immediately.

Here are some of the security features and tips customers should be aware while ensuring a pleasant and secure online banking experience.

Safeguard yourself while banking online

When accessing Citibank Online, always look out for the padlock symbol for your browser to ensure that the website has a valid certificate marked to Citigroup Inc. [US].


When accessing Citibank Online, always check that the website has a valid certificate marked to Citigroup Inc. [US]. We recommend that you enter the bank's address ( in your browser URL field to access and login to your account.

secure Never provide the One-Time PIN (OTP) that is sent to your mobile phone to anyone, including people claiming to be from Citibank.
secure Always check SMS alerts from Citibank for any unauthorised transaction in particular, any unauthorised registration of Citi Mobile® Token or unauthorised addition of new payee via Citibank Online.
secure Ensure that your contact number and email address are always updated, so that we can send you alerts that may prevent fraudulent activity.
Latest Security Alert

Security Alerts and Information

Clients may check this page regularly for the latest security alerts and/or news. If you are unsure whether any call, email or SMS is genuinely from Citibank, please contact us immediately and refrain from taking any further action. Whilst Citibank strives to provide you with the latest security alerts and/or news, please note that this webpage and the examples of scams/phishing listed here are not exhaustive.

Loan Scam

Date: 19th October 2020

We have been alerted of customers receiving unsolicited text messages from unlicensed moneylenders offering loan and loan services.

The message may purport to be sending from "Citibank" or other financial institutions to convince you that they are legitimate. Victims were instructed to transfer monies to the fraudster as a deposit before the loan can be disbursed. After the victims have transferred the monies, the victims find that the fraudsters are no longer contactable.

Examples of loan scam messages

What you should do

Ignore the message

Block and report the numbers on the platform where you received the message

For more information, you may refer to

Social Media and E-Commerce Scams

Date: 18th September 2020

There has been an increase in phishing scams cases involving emails and text messages since January 2020.

Victims of such phishing scams received emails or text messages by scammers impersonating entities the victims know or trust, such as banks, government agencies, trade unions, or companies such as Netflix, PayPal and DHL. These emails and text messages make fake offers or claims to trick recipients into clicking on an URL link. Such fake offers or claims include outstanding payment for parcel delivery, disruptions to services or subscriptions, refunds, or promotions. Upon clicking on the URL links, victims will be redirected to fraudulent websites where they are tricked into providing their credit/debit card details and One-Time PIN (OTP). Victims only realised that they have been scammed when they discovered unauthorised transactions made using their credit/debit card.

Impersonation Scam

Scammers will impersonate the victim’s friends or followers on social media like Facebook or Instagram using spoofed or compromised accounts and reach out to the victims. The scammers will ask the victims for their contact numbers, images of their credit/debit cards and One-Time PIN (OTP) on the pretext of signing them up for fake lucky draws or promotions on online shopping platforms.

What does it look like?
Below is the typical flow of a social media impersonation scam

An impersonator poses as someone you know/follow on your social media (e.g. Facebook or Instagram) and sends you a personal message.

The impersonator claims to have lost his/her contact list, asks for personal details such as your mobile phone number to sign you up for contests or promotion campaigns on e-commerce sites.

The impersonator then claims that you have won a lucky draw and asks for your credit card details and OTP in order for him/her to credit the cash prize.

You later discover that the impersonator has made unauthorised fraudulent transactions from your bank account or mobile wallet without your consent.

What should you look out for?

Contact claiming to be someone you know sends you a personal message asking for your mobile phone number and credit card details to sign you up for contests or promotion campaigns on an online shopping platform.
Contact claims that you have won a lucky draw and asks for your credit card details in order to credit the cash prize to you.
Contact asks for the OTP sent to your mobile phone number.
Social media account impersonating your existing contacts sends new friend/follower request to you.

E-Commerce Scam

Scammers will tout a good deal for a gadget, amusement park or concert tickets online, usually pricing these way below market-price and for a limited time period. Victims lured by the attractiveness of the offer will transfer payment to the “seller” who promises to deliver the item which never arrives.

What does it look like?
Below is the typical flow of an e-commerce scam:

An advertisement shows up on your social media (e.g. Facebook or Instagram) selling a product at an attractive price over a flash deal ending in an hour.

You visit the “seller’s” social media account page and follow the URL linking to their “official” webpage. Positive comments from buyers make you think that the “seller” is legitimate.

You hastily decide to make the purchase before the flash sale ends and follow the instructions on the webpage to key in your credit card details.

You receive a confirmation email with the “seller” requiring an additional delivery fee before sending out the product. You are promised delivery within 3 weeks from the purchase.

You do not receive the product and attempt to contact the “seller”. However, there are no responses given once your payment transaction has gone through.

What should you look out for?

Advertisements on your social media show deals from e-commerce that are way below market-price, disguised as limited-time-only or flash deals.
Lack of information on the products or unstated terms and conditions.
Reviews/comments on the product that are only positive.
  • requires additional delivery fee before product can be sent out.
  • requests for conversations to be taken off shopping platform.
  • insists on bank transfers instead of using the platform's payment options.

How to protect yourself against social media scams:


  • Verify the social media account’s legitimacy by checking with your contacts offline, e.g. contacting them via their mobile phone number.
  • Verify the website URL’s legitimacy.
  • Insist on cash-on delivery where possible, or use the platform’s secure payment option.


  • Disclose your personal particulars, OTPs and banking and credit card details to anyone, including family and friends.
  • Act hastily upon seeing a flash deal. Always confirm the source.
  • Agree to private bank transfers to sellers before delivery.


Impersonation and Technical Support Scam

Date: 24th July 2020

In the first 3 months of 2020, at least S$41.3 million were lost to scammers, based on cases that were reported to the Singapore Police.

As of 5 June 2020, it was reported in the news that more than S$7 million has been lost to scammers who were posing as technical support staff from January to April 2020, an increase of more than 40 times from the same period in 2019.

We would like to remind our customers to be wary of phone calls or SMSes claiming to be from banks, government agencies, courier or telco companies or any technical support teams requesting for you to provide them with your banking or log in credentials, perform funds transfers or asking you to update your information with them.

These calls/SMSes prey on your fears by making you think that your data/accounts have been compromised or that there are illegal activities linked to you, your account or your IP address.

In these calls:

The fraudster may deceive you into revealing your banking or login credentials such as Username, Password, One-Time PIN ("OTP") and/or Transaction Authorisation Code ("TAC"). The fraudster may claim that he/she need the information to assist in investigations but this is all part of the ruse.

The fraudster may trick you into performing a funds transfer from your account to foreign bank accounts.

The fraudster usually works with other persons purporting to be from government/law enforcement agencies in Singapore or overseas to try to lull you into a sense of confidence.

We set out below, a step-by-step flow of the latest impersonation and technical support scams that have been reported. Please take some time to read this and share with your family and loved ones.

Here is a typical flow of impersonation scam:

Customer receives a call from someone claiming to be from a Bank/Telco/Government agency/ Courier company, informing him/her that his/her internet account has been hacked and used for illegal activities.

The call is then transferred to a Police/Interpol/Cybercrime police etc.

Customer is advised by the impersonator to download a screen sharing software and then log in to his/her Citi account during the screen sharing, in order to catch the fictitious hacker.

During screen sharing, impersonator is able to see customer’s User ID, Password and One-time PIN (OTP). Impersonator then the OTP to download Citi Mobile® Token, a payee and fund transfer or advises customer to add payee and perform fund transfer to the payee.

Customer is told to ignore all SMS alerts from Citi as that is the bank’s practice. Any amount transferred will be refunded to him/her as it is used as a “bait” to catch the hacker. The impersonator will assure the customer that the money will be returned the customer.

When customer tries to call the impersonator to check on the return of funds, the impersonator is uncontactable. Monies would have already been transferred out of his/her banking accounts.

Below is a typical flow of a technical support scam.

Customer experiences a technical fault on his/her device and a technical support hotline (e.g. from Microsoft) pops up on his/her screen. Customer proceeds to call the hotline.
Someone claiming to be from the customer support team answers and walks customer through the steps of installing a screen sharing software (e.g. the Ultraviewer), in order to recover his/her device.
Scammer will be able to see the User ID/Password & OTP and use the information to enable customer's Citi Mobile® Token and add payee and transfer funds out of customer's banking accounts.
Customer will be asked to submit his/her personal particluars in order to process the documents for the enhanced security protocols. Customer will be assured that his accounts are safe and told to ignore all SMS alerts from the bank.
When customer terminates the line and disconnects his/her devices from the network, monies had already been debited from his/her banking accounts.

Customers are reminded to exercise caution at all times.
Take note of the following important pointers:

Impersonators may use Caller ID spoofing technology to mask their actual number and instead display a name/number one that purports to be from a Bank/Telco/Government agency/Courier company.
No government agency will request for your personal and banking details, or request for you to transfer money over the phone or through automated voice machines.
Do not act under the instructions of anyone suspicious.
Always verify the identity of the caller. You can do so by calling the official contact number of the relevant entity. Do not assume that the caller is genuine.
Do not give out any personal and banking information (i.e. User ID, password or OTP) to anyone.

Treat them like your ATM PIN.


Customer Advisory – 3rd Party Mobile Applications / Websites

Date: 24th April 2019

Description: Do not use 3rd Party Mobile Applications / Websites for viewing Online Banking Details

We are aware that there are 3rd Party Mobile Applications / Websites that allow customers to have a consolidated view of their financial expenses / transactions across multiple banks, credit card, investments, equity trades, and loan accounts in one place.

Citibank would like to remind our customers not to download any 3rd Party Mobile Applications / Websites to view / access your Citibank Online accounts. There is a potential risk of your online banking credentials being compromised as Username and Password has been shared with the application.

To protect yourself, always exercise the following precautions:

  • Do not download any 3rd Party Mobile Applications to view your online banking details.
  • Do not input your Citibank Online Username and Password when requested by such applications / websites.
  • If already inputted, immediately change Username and Password.

Use of Citibank Online is personal to you and no third party should be allowed to access/view your account/account information via Citibank Online, whether or not you have consented to such third party’s access. This is to prevent any unauthorized access or use of your account and account information. You are responsible for keeping any of your log-in credentials (including User ID and Password) confidential and you cannot reveal your log-in credentials to any third party.

Where you have revealed your log-in credentials to a third party, please note that Citibank is not liable for and you have to compensate us for any losses arising out of any use of your log-in credentials. In such an event, we also have the right, from a risk management perspective, to suspend your access to Citibank Online at any time.


Citi Email Addresses

Date: 14th April 2019

Description: Please note that we will send you email notifications from the following Citibank email addresses.


Email Addresses


Customer Advisory

Date: 5th September 2018

Description: Be alert to emails and SMS scams.

We would like to remind our customers to remain vigilant when responding to emails and SMS messages from senders masquerading as popular brands, often requesting for you to:

  • Complete a survey or a quiz, with the promise of cash prizes, loyalty points or air miles.
  • Provide your card number, in order to participate in the survey or quiz.
  • Provide your mobile phone number.

As a further tactic to convince victims of the authenticity of these scams, a One-Time Pin (OTP) will be sent to the mobile phone number that you've just provided. Unfortunately, with the successful solicitation of this information, the scammer would have gathered the necessary details to perform unauthorized transactions on your Citi Cards.

To protect yourself, always exercise the following precautions:

  • When clicking on a link from an email, always check that the internet address that you are directed to is legitimate by verifying it in the web browser. If you're unsure, please check this with the brand or merchant.
  • Never disclose your card numbers on merchant websites that have internet addresses that look incorrect.
  • Check if the web browser displays a Locked Padlock icon. Reputable sites would have these.
  • Never disclose your OTP to websites that you might be unfamiliar with.
  • Always check your account statements regularly to detect any unauthorized transactions. For a real-time view of your transactions, login to the Citi Mobile® App.

Phishing Emails

Date: 7th August 2018

Description: We have detected phishing emails and webpages targeting Citi customers. These phishing emails comes from a non-Citi email address and requests Citi customers click on a hyperlink to unlock / update their online banking / credit card account.

If a customer falls victim to the phishing email and clicks on the hyperlink, they will be redirected to a page URL that is not official Citi website, requesting for a user's information (Username and Password), followed by a request to provide an SMS OTP. Such websites are used to conduct card not present transactions but may also be utilized in order to steal personally identifiable data, username-password combinations, OTPs or infect a user's device as well as fraudulent enrollment of Citi © Mobile Token (which may be used to carry out payments to these fraudsters).

How can you protect yourself from this?

  • Be alert. Minimize clicking on links in emails as these may not be legitimate.
  • Check that you are using the official Citi website. Always type the Citibank Online website URL directly into the address bar of your browser. If you are on mobile, consider using the official Citibank Mobile application.
  • Citi will never request for your PIN, password or OTP through phone call, email or SMS. Call Citiphone immediately if you notice unknown transactions appearing on your account.

citi screen


citi screen


citi screen


citi screen


citi screen


citi screen


Customer Advisory

Date: 20th July 2018

Description: A group of healthcare institutions has reported a data breach affecting more than 1.5 million patients. Patient data stolen included personally identifiable information such as names, addresses, birthdays, and national identification numbers. Approximately 160,000 patients had details of medical prescriptions stolen. Stolen credentials may be used to conduct social engineering and phishing scams. Such scams utilize personally identifiable information to appear legitimate.

How can you protect yourself from this?

  • Be alert. Do not provide personal or bank information to unsolicited callers.
  • Never give out any sensitive personal information (including login passwords or one-time passwords) over the phone or via email. Our staff will never ask you for such information.
  • Contact Citiphone immediately if you are in any doubt of a call, SMS or email's validity.


SMS Phishing

Date: 20th May 2018

Description: We have detected multiple Phishing Emails. The sender email addresses varies from those ending with,,, etc. They contain messages including the requirement to update account details due to system maintenance or "New Message from Citibank". A hyperlink that purports to be a Citibank hyperlink (but is not) is also included in the message and takes customer to URLs that does not belong to official Citibank. The site has the same look and feel of that of Citibank Online. Such websites are designed to trick users into providing their online banking and credit card details to conduct fraudulent / unauthorized bank transfers and / or credit card transactions. Credit Card details provided could also be used to enroll for Payment Wallets such as Samsung Pay, Android Pay, Google Pay and Apple Pay.

How can you protect yourself from this?

  • Be alert. Minimize clicking on links in SMSs as these may not be legitimate.
  • Check that you are using the official Citi website. Always type the Citibank Online website URL directly into the address bar of your browser. If you are on mobile, consider using the official Citibank Mobile application.
  • Never reply to unsolicited SMSs. Responses to such SMSs could be used by fraudsters to socially engineer information or trick users into performing unwanted actions.
  • Only provide your credit card details if you're making a direct purchase. Always check that you intend to conduct a credit card transaction and do not provide an OTP to authorize payment if you are not.
  • Citi will never request for your PIN, password or OTP through phone call, email or SMS. Call Citiphone immediately if you notice unknown transactions appearing on your account.

citi screen


citi screen


citi screen


citi screen

How You Can Protect Yourself
Your Role and Responsibility
How Citi Protects You
Contact Us
  • The Global Online Account for global citizens.
  • Citi mobile® the way to bank