ONLINE BANKING SECURITY

Security Alerts and Information

Clients may check this page regularly for the latest security alerts and/or news. If you are unsure whether any call, email or SMS is genuinely from Citibank, please contact us immediately and refrain from taking any further action. Whilst Citibank strives to provide you with the latest security alerts and/or news, please note that this webpage and the examples of scams/phishing listed here are not exhaustive.

---

Loan Scam

Date: 19th October 2020

We have been alerted of customers receiving unsolicited text messages from unlicensed moneylenders offering loan and loan services.

The message may purport to be sending from "Citibank" or other financial institutions to convince you that they are legitimate. Victims were instructed to transfer monies to the fraudster as a deposit before the loan can be disbursed. After the victims have transferred the monies, the victims find that the fraudsters are no longer contactable.

---

Social Media and E-Commerce Scams

Date: 18th September 2020

There has been an increase in phishing scams cases involving emails and text messages since January 2020.

Victims of such phishing scams received emails or text messages by scammers impersonating entities the victims know or trust, such as banks, government agencies, trade unions, or companies such as Netflix, PayPal and DHL. These emails and text messages make fake offers or claims to trick recipients into clicking on an URL link. Such fake offers or claims include outstanding payment for parcel delivery, disruptions to services or subscriptions, refunds, or promotions. Upon clicking on the URL links, victims will be redirected to fraudulent websites where they are tricked into providing their credit/debit card details and One-Time PIN (OTP). Victims only realised that they have been scammed when they discovered unauthorised transactions made using their credit/debit card.

 

Impersonation and Technical Support Scam

Date: 24^th July 2020

In the first 3 months of 2020, at least S$41.3 million were lost to scammers, based on cases that were reported to the Singapore Police.

As of 5 June 2020, it was reported in the news that more than S$7 million has been lost to scammers who were posing as technical support staff from January to April 2020, an increase of more than 40 times from the same period in 2019.

We would like to remind our customers to be wary of phone calls or SMSes claiming to be from banks, government agencies, courier or telco companies or any technical support teams requesting for you to provide them with your banking or log in credentials, perform funds transfers or asking you to update your information with them.

These calls/SMSes prey on your fears by making you think that your data/accounts have been compromised or that there are illegal activities linked to you, your account or your IP address.

In these calls:

We set out below, a step-by-step flow of the latest impersonation and technical support scams that have been reported. Please take some time to read this and share with your family and loved ones.

Here is a typical flow of impersonation scam:

Below is a typical flow of a technical support scam.

Customers are reminded to exercise caution at all times.
Take note of the following important pointers:

 

Customer Advisory – 3^rd Party Mobile Applications / Websites

Date: 24^th April 2019

Description: Do not use 3^rd Party Mobile Applications / Websites for viewing Online Banking Details

We are aware that there are 3^rd Party Mobile Applications / Websites that allow customers to have a consolidated view of their financial expenses / transactions across multiple banks, credit card, investments, equity trades, and loan accounts in one place.

Citibank would like to remind our customers not to download any 3^rd Party Mobile Applications / Websites to view / access your Citibank Online accounts. There is a potential risk of your online banking credentials being compromised as Username and Password has been shared with the application.

To protect yourself, always exercise the following precautions:

• Do not download any 3^rd Party Mobile Applications to view your online banking details.
• Do not input your Citibank Online Username and Password when requested by such applications / websites.
• If already inputted, immediately change Username and Password.

Use of Citibank Online is personal to you and no third party should be allowed to access/view your account/account information via Citibank Online, whether or not you have consented to such third party’s access. This is to prevent any unauthorized access or use of your account and account information. You are responsible for keeping any of your log-in credentials (including User ID and Password) confidential and you cannot reveal your log-in credentials to any third party.

Where you have revealed your log-in credentials to a third party, please note that Citibank is not liable for and you have to compensate us for any losses arising out of any use of your log-in credentials. In such an event, we also have the right, from a risk management perspective, to suspend your access to Citibank Online at any time.

 

Citi Email Addresses

Date: 14^th April 2019

Description: Please note that we will send you email notifications from the following Citibank email addresses.

 

 

Customer Advisory

Date: 5^th September 2018

Description: Be alert to emails and SMS scams.

We would like to remind our customers to remain vigilant when responding to emails and SMS messages from senders masquerading as popular brands, often requesting for you to:

• Complete a survey or a quiz, with the promise of cash prizes, loyalty points or air miles.
• Provide your card number, in order to participate in the survey or quiz.
• Provide your mobile phone number.

As a further tactic to convince victims of the authenticity of these scams, a One-Time Pin (OTP) will be sent to the mobile phone number that you've just provided. Unfortunately, with the successful solicitation of this information, the scammer would have gathered the necessary details to perform unauthorized transactions on your Citi Cards.

To protect yourself, always exercise the following precautions:

• When clicking on a link from an email, always check that the internet address that you are directed to is legitimate by verifying it in the web browser. If you're unsure, please check this with the brand or merchant.
• Never disclose your card numbers on merchant websites that have internet addresses that look incorrect.
• Check if the web browser displays a Locked Padlock icon. Reputable sites would have these.
• Never disclose your OTP to websites that you might be unfamiliar with.
• Always check your account statements regularly to detect any unauthorized transactions. For a real-time view of your transactions, login to the Citi Mobile® App.

Phishing Emails

Date: 7^th August 2018

Description: We have detected phishing emails and webpages targeting Citi customers. These phishing emails comes from a non-Citi email address and requests Citi customers click on a hyperlink to unlock / update their online banking / credit card account.

If a customer falls victim to the phishing email and clicks on the hyperlink, they will be redirected to a page URL that is not official Citi website, requesting for a user's information (Username and Password), followed by a request to provide an SMS OTP. Such websites are used to conduct card not present transactions but may also be utilized in order to steal personally identifiable data, username-password combinations, OTPs or infect a user's device as well as fraudulent enrollment of Citi © Mobile Token (which may be used to carry out payments to these fraudsters).

How can you protect yourself from this?

• Be alert. Minimize clicking on links in emails as these may not be legitimate.
• Check that you are using the official Citi website. Always type the Citibank Online website URL directly into the address bar of your browser. If you are on mobile, consider using the official Citibank Mobile application.
• Citi will never request for your PIN, password or OTP through phone call, email or SMS. Call Citiphone immediately if you notice unknown transactions appearing on your account.

 

 

 

 

 

 

Customer Advisory

Date: 20^th July 2018

Description: A group of healthcare institutions has reported a data breach affecting more than 1.5 million patients. Patient data stolen included personally identifiable information such as names, addresses, birthdays, and national identification numbers. Approximately 160,000 patients had details of medical prescriptions stolen. Stolen credentials may be used to conduct social engineering and phishing scams. Such scams utilize personally identifiable information to appear legitimate.

How can you protect yourself from this?

• Be alert. Do not provide personal or bank information to unsolicited callers.
• Never give out any sensitive personal information (including login passwords or one-time passwords) over the phone or via email. Our staff will never ask you for such information.
• Contact Citiphone immediately if you are in any doubt of a call, SMS or email's validity.

 

SMS Phishing

Date: 20^th May 2018

Description: We have detected multiple Phishing Emails. The sender email addresses varies from those ending with @gmail.com, @hotmail.com, @yahoo.com, etc. They contain messages including the requirement to update account details due to system maintenance or "New Message from Citibank". A hyperlink that purports to be a Citibank hyperlink (but is not) is also included in the message and takes customer to URLs that does not belong to official Citibank. The site has the same look and feel of that of Citibank Online. Such websites are designed to trick users into providing their online banking and credit card details to conduct fraudulent / unauthorized bank transfers and / or credit card transactions. Credit Card details provided could also be used to enroll for Payment Wallets such as Samsung Pay, Android Pay, Google Pay and Apple Pay.

How can you protect yourself from this?

• Be alert. Minimize clicking on links in SMSs as these may not be legitimate.
• Check that you are using the official Citi website. Always type the Citibank Online website URL directly into the address bar of your browser. If you are on mobile, consider using the official Citibank Mobile application.
• Never reply to unsolicited SMSs. Responses to such SMSs could be used by fraudsters to socially engineer information or trick users into performing unwanted actions.
• Only provide your credit card details if you're making a direct purchase. Always check that you intend to conduct a credit card transaction and do not provide an OTP to authorize payment if you are not.
• Citi will never request for your PIN, password or OTP through phone call, email or SMS. Call Citiphone immediately if you notice unknown transactions appearing on your account.

 

 

 

Protect Yourself from Fraud

Here are few types of fraud and the preventive steps that you can take to prevent yourself from becoming a victim.

Impersonation Scam

Impersonation scams are calls from people claiming to be government officials or staff members of any agency asking for personal details. Callers may claim your identity was used for suspicious activity and may intimidate you into giving them personal information such as your passport, bank account number, internet banking credentials or One-Time PIN (OTP).

How to protect yourself against impersonation scams:

Do not follow the caller’s instructions, including allowing remote access to your electronic or mobile devices. In some cases, scammers may threaten you not to talk to anyone about your situation so that you are unable to verify if it is a scam.	Do not disclose your banking or card credentials and One-Time PIN (OTP), and do not lend your ATM/ Credit Card/ Hardware Token to anyone.
Read carefully the content of any OTP received and never disclose your OTP to anyone over the phone or to unfamiliar websites.	Always review any SMS or email notifications from Citibank relating to your account and report any unauthorised transactions to Citibank immediately.

Phishing

Phishing emails, also known as hoax or spoof emails, are fraudulent emails that appear to be sent from a trusted source but are in fact, designed to trick you into revealing valuable data such as your User ID, password, card details and One-Time Pin (OTP).

Your Role and Responsibility

In September 2018, the Monetary Authority of Singapore (“MAS”) issued the e-Payment User Protection Guidelines (the “Guidelines”), which essentially set out the expectations of MAS of any responsible financial institution that issues or operates a protected account. It also covers duties of account holders and account users of protected accounts and provide guidance on the liability for losses arising from unauthorised and erroneous transactions. The Guidelines are effective 30 June 2019 and last updated on 5 September 2020.

The Guidelines define:

• (1) a "payment account" as:
  • (a) any account, or any device or facility (whether in physical or electronic form), that —
  • (i) is held in the name, or associated with the unique identifier, of any person, and is used by that person for the initiation of a payment order or the execution of a payment transaction, or both; or
  • (ii) is held in the names, or associated with the unique identifiers, of 2 or more persons, and is used by any of those persons for the initiation of a payment order or the execution of a payment transaction, or both; and
  • (b) an account which includes a bank account, debit card, credit card or charge card.
• (2) a “payment transaction” as the placing, transfer or withdrawal of money, whether for the purpose of paying for goods or services or for any other purpose, and regardless of whether the intended recipient of the money is entitled to the money, where the placing, transfer or withdrawal of money is initiated through electronic means and where the money is received through electronic means;
  • (a) the placing, transferring or withdrawing of money for the purposes of making payment for goods or services; and
  • (b) the placing, transferring or withdrawing of money for any other purpose.
• (3) a “protected account” as any payment account that:
  • (a) is held in the name of one or more persons, all of whom are either individuals or sole proprietors;
  • (b) is capable of having a balance of more than S$500 (or equivalent amount expressed in any other currency) at any one time, or is a credit facility;
  • (c) is capable of being used for electronic payment transactions; and
  • (d) where issued by a relevant payment service provider is a payment account that stores specified e-money.
• (4) an "unauthorised transaction" (in relation to any protected account) as any payment transaction initiated by any person without the actual or imputed knowledge and implied or express consent of an account user of the protected account.

In accordance with the Guidelines, Citibank would like to inform customers and account users of protected accounts about (a) their duties set out in section 3 of the Guidelines, and (b) Citibank’s duties set out in section 4 (excluding paragraph 4.3) of the Guidelines. You should note that except for paragraph 4.4 (which relates to the sending of transaction notifications i.e. Citi Alerts), section 4 of the Guidelines do not apply to Citibank in respect of any credit card, charge card or and debit card issued by Citibank. Please carefully review the Guidelines.

We would like to draw your attention to para 3.3 of the Guidelines which provides that it is the customer/account user’s responsibility to enable transaction notifications (i.e. Citi Alerts) on any device (used to receive transaction notifications from Citibank). Customers/Account users are required to opt to receive transaction notifications for all outgoing transactions of (any amount) made from your protected account, and to monitor the transaction notifications sent to you or the designated account contact. (For this reason, Citibank will assume that you will monitor such transaction notifications without further reminders or repeat notifications.)

If you had previously chosen your threshold for receiving such alerts, the existing threshold will continue to apply. Otherwise, the default threshold set by the Bank will apply. If you wish to select threshold amounts for outgoing transaction alerts, simply login to Citibank Online with your User ID and Password and select 'Manage Alerts' found on the right menu under ‘Useful Links’. You will be able to amend your alerts preferences as well as your preferred mode of notification.

Please ensure that your contact information maintained with Citibank is accurate.

Some of your other duties are to protect the Unlock Code you use to authenticate any payment transaction or your identity (e.g. your password or OTP) and to protect access to your protected account such as by ensuring you have strong passwords and keeping your software updated.

An account user would be responsible for actual loss arising from an unauthorised transaction if such account user’s recklessness was the primary cause of loss. Recklessness would include the situation where the account user deliberately did not comply with the duties set out in section 3 of the Guidelines, which includes the duty to enable transaction alerts. It is therefore important to understand that the preferences you set for transaction alerts (including how low or high your selected threshold amount is, and the types of transactions for which you elect to receive notifications) would affect how the liability framework in section 5 of the Guidelines would be applied and how any claim by you in relation to an unauthorised transaction would be resolved.

You are also required to report any unauthorized transactions as soon as possible after receiving a transaction alert and to provide information on such unauthorized transactions to Citibank within a reasonable time.

Liability Framework for Unauthorised Transactions under the Guidelines

The Guidelines set out in section 5, a liability framework relating to unauthorized transactions effected on a protected account. For the avoidance of doubt, the section 5 liability framework does not apply in respect of any Citibank credit card, charge card or debit card (this issue being addressed in the relevant cardholder agreements). Further, Customers should note that the Guidelines provide that “where any account user knew of and consent to a transaction (“authorised transaction”), such a transaction is not an unauthorised transaction, notwithstanding that the account holder may not have consent to the transaction.

The information set out below has been distilled from section 5. However, Customers are advised to read the Guidelines.

Scenario (1): Customer is liable for actual loss

The customer will be liable for the actual loss arising from an unauthorized transaction on a protected account if the customer/account user’s recklessness was the primary cause of the loss. Recklessness would include the situation where any account user deliberately did not comply with section 3 of the Guidelines.

Scenario (2): Account holder is not liable for any loss

The customer is not liable for any loss arising from an unauthorized transaction if the loss arises from any action or omission by Citibank and does not arise from any failure by any account user to comply with any duty in section 3 of the Guidelines.

Any action or omission by Citibank includes the following:

• (a) fraud or negligence by Citibank, its employee, its agent or any outsourcing service provider contracted by Citibank to provide Citibank's services through the protected account;
• (b) non-compliance by Citibank or its employee with any requirement imposed by MAS on Citibank in respect of its provision of any financial service; and
• (c) non-compliance by Citibank with any duty set out in section 4 of the Guidelines.

Scenario (3): Loss resulting from any action or omission of any independent third party

The customer is not liable for any loss arising from an unauthorized transaction that does not exceed S$1,000, if the loss arises from any action or omission by any third party not referred to in scenario (2) above, and does not arise from any failure by any account user to comply with any duty in section 3 of the Guidelines.

Note:
^**Under the Citibank cardmember agreements, a cardmember’s liability for all unauthorized transactions on his/her Citibank credit card which are effected prior to such cardmember notifying Citibank shall be limited to S$100 provided that certain conditions are complied with, including inter alia, the following:- (a) the cardmember has exercised due care in preventing his/her card from being stolen and has immediately notified Citibank; (b) the cardmember assists in the investigations and recovery; and (c) Citibank is satisfied that such unauthorized card transactions are not due to the cardmember’s negligence or fraud.

Always make sure that you have entered your User ID and Password and other confidential information in the legitimate Citibank Website by entering Citibank's Website address https://www.ipb.citibank.com.sg directly onto your Web browser.

To ensure you are on a secure website,

• Check the beginning of the Web address in your browser's address field - it will be "https://" rather than "http://". Secure websites will also contain a padlock icon on the status bar at the top of the browser. Double-click to view details of the security certificate, which is issued to Citibank.

• To verify that the website is authentic, check for the following details:

  • The certificate is issued to http://www.ipb.citibank.com.sg
  • The certificate is issued by Verisign.
  • The certificate has a valid date.

• All data sent to and from Citibank is "scrambled" and "reassembled" between Citibank and your personal computer using 128-bit encryption, the highest level of encryption commercially available.

  Right-click on the page > Select Properties

  URL: https://www.ipb.citibank.com.sg/SGIPB/JSO/signon/DisplayUsernameSignon.do?locale=en_SG

  Connection: TLS 1.0, RC4 with 128 bit encryption (High); RSA with 2048 bit exchange

Do not save your online banking login details on the browsers by clearing your browser's cache and history after each session. Click here for steps to clear browsers' cache. Always remember to log out when you have completed your internet banking session.

Always update the bank whenever you have changed your contact details so that you can be contacted in a timely manner should we detect any unusual transactions.

Ensure that your computer has the latest anti-virus software as they help to guard against new viruses. Your computer's operating system and browser software should be updated with the latest security patches. All these will help prevent unauthorized access to your computer.

Keep your User ID and Password confidential

Internet banking users should never disclosed their User ID and Password and they should also ensure that no one is watching you while you enter your User ID and Password or any confidential information. Memorize your User ID and Password and do not record it anywhere. Under no circumstances should you reveal your User ID and Password to anyone even if they purport to be a staff of Citibank.

Do not use a shared computer or device that cannot be trusted for internet banking such as the computer at an Internet café. These devices may be installed with certain software that could capture your personal information prior to your approval.

Your Online Security Device (OSD) should be kept with you at all times and not be used or tampered with by anyone. The One-time PIN(OTP) generated with OSD or via an SMS should also not be compromised to anyone else.

Beware of Online Threats

Online threats are very common nowadays and it tricks you into surrendering your confidential information. It is important to know its mechanisms and take preventive measures to safeguard yourself. Here are some of the examples of online threats:

1.Fraudulent emails - It is a forged email that alludes you to provide sensitive confidential information either by requesting you to reply to the email or it includes links to a 'fake' website that attempts to retrieve your personal data by requesting you to login to the 'fake' website.

Preventive Methods:

• Do not disclose your personal, financial or credit card information to unknown or suspicious websites.
• Do not open email attachments from strangers and unknown sources or by installing software or run programs from unknown origins.
• Remember, under no circumstances will Citibank ever send you an email requesting for your confidential information. You should not respond to the email or reveal your User ID and Password to anyone.

2.Spyware - It is a software inserted onto your computer that collects information about you and your internet traffic. It is usually get stored onto your computer unknowingly when you download software, games, screensavers, etc from unknown Websites and it claims to improve your computer's performance. It can be used maliciously to gain access to your confidential personal data such as your Passwords, PINs and Internet browsing history.

Preventive Methods:

• If you have installed any software that claims to speed up your internet connection, or have additional third-party toolbars on your browsers, then you may be using software that has the ability to track your internet sessions. We recommend that you uninstall this software.
• Refrain from logging onto Citibank Online until the problem has been resolved.

Email Fraud

Every Internet user should know about spoofing (a.k.a. phishing or hoax) emails and letters that appear to be from a well-known company. Although they can be difficult to spot, the emails or letters generally will request you to access a link that leads you to a spoof Website or to call a phone number to get you to update and confirm your confidential information. To bait you, they may allude to an urgent or threatening condition concerning your account.

You should always remember that under no circumstances will Citibank ever send you an email or letter asking for your account specific confidential information. You should never respond to such emails, letters and reveal your User ID, Password or any other confidential information to anyone. Keep your User ID and Password private and do not share this with anyone, particularly on written correspondence such as email or letters.

Do not give your account number away over the phone unless you know the recipient or if you've initiated the call.

Credit and Debit Card Advisory

You may have read or heard about a security breach at CardSystems Solutions, Inc., a third-party processor of payments for credit and debit card transactions, including Visa and MasterCard.

When we become aware of a breach, we take appropriate steps, above and beyond our normal prevention and detection actions, on any of your accounts that may have been impacted. Our detection actions include the use of Citi's sophisticated Fraud Early Warning System to monitor accounts, and our prevention actions include notifying you who we think may be at risk due to suspicious activity.

There is a low risk of identity theft in this situation since the data compromised, as we understand it, included only name, account number, card verification codes and expiration date. You as cardholders will not be held liable for these proven unauthorized transactions.

Citibank suggests you to monitor their monthly statements to ensure all activities are authorized on their account, and if they notice something suspicious please contact us at our 24-hour CitiPhone Banking on the back of their card immediately. Protecting our customers' accounts and personal information is one of our highest priorities.

We're constantly updating and improving our wide variety of security measures, providing you the confidence you need when using Citi Mobile or Citibank Online.

Web Security

• Our 128-bit SSL (Secure Sockets Layer) encryption engine provides industry standard levels of security, ensuring your information can't be accessed by anyone else.

  
• The green address bar on Citi websites indicates that the site has undergone extensive vetting by our security teams and has been granted a security certificate known as an Extended Validation SSL Certificate.
• For safety, we’ll suspend your online access if three failed login attempts are made. We’ll also block access to cash machines if the wrong PIN is entered three times.
• You are recommended to use supported and updated browsers to ensure your internet banking is secured at all times. Learn More
• Every time you sign in to Citibank Online, the date and time of your last visit are shown. If you didn't sign in then, this will indicate an unauthorised account access has occurred.

2-way SMS Notification

Citi Mobile^® Token

• Citi Mobile^® Token is a feature within the Citi Mobile^® App that authenticates transactions as an alternative to other authentication methods such as Online Security Device, or One-Time PIN (OTP) via SMS.

• The benefits of Citi Mobile Token are:

  

  SECURE

  Protected by a 6-digit Unlock Code chosen by you and restricted to one device of your choice.

  

  INSTANT

  Enter your unique Unlock Code to instantly authenticate your transactions initiated in Citi Mobile^® App on your Citi Mobile^® Token enabled device. No more waiting for an OTP via SMS, or worrying about misplacing your Online Security device.

  

  EASY

  Authenticates all online transactions such as payments and transfers, adding new payee and updating your contact details. It also generates OTP for online purchases.

• With the Citi Mobile^® Token, you can instantly authenticate all transactions initiated in the Citi Mobile^® App. You can also instantly generate OTP with your unique Unlock Code to authenticate transactions on Citibank Online or for online purchases. To learn more, click here
• After enrolling to Citi Mobile^® Token, you should not share or reveal your Unlock Code to anyone, including Citibank.

Misplaced your card? Lock your card on the Citi Mobile^® App

If you suspect there are unauthorised transactions on your account or you wish to report suspicious emails, SMS messages or phishing websites:

Step 1

Call

• CitiPhone banking: (65) 6224-5757
• Commercial Bank hotline: (65) 6238-8833

Email: spoof@citicorp.com.

 

Step 2

Change your Citibank Online User ID, Password and ATM PIN immediately.