Online Security Tips.

Your online protection.


At Citibank, we constantly update our security technology to protect your privacy and confidentiality. It is important that you take the necessary measures to safeguard yourself.

Here are some of the security features and tips customers should be aware of to ensure a pleasant and secure online banking experience.


Security Alert

Security Alert: Mobile Malware


Malware is an abbreviated term meaning "malicious software." It is software specifically designed to gain access to or damage a computer or a mobile phone without the knowledge of the owner.

For example, a device can become infected when a customer installs applications from unauthorized sources. In some cases, the malware will intercept SMS messages (e.g. to obtain your One Time PIN/OTP) or generate fake browsers on the smartphone in order to trick the customer into performing a transaction.

Customers should take precautions to keep devices such as smartphones from being infected by malware.

How can I protect myself from Malware?

New variants of mobile malware targeting Android smartphones continue to appear in the Asia-Pacific region. These malicious applications often target mobile banking applications, and may attempt to steal customer credentials and perform fraudulent transactions. In some cases, the mobile malware will attempt to circumvent the additional layer of security provided by One Time PINs (OTPs) by intercepting text messages (SMS) or generating a fake dialogue inside the mobile banking application in order to trick a user.

Citi recommends that customers remain alert for malware threats and review our Online Security Tips.

Specifically, Citi suggests that all mobile users consider the following:

  1. Install applications only from trusted and official sources.
  2. Install a reputable mobile antivirus application and keep the antivirus up-to-date.
  3. Be alert especially if a screen on your mobile device suddenly pops up and asks for your confidential information, even if you did not open your applications or initiate any activity.
  4. Avoid using public/unsecured WiFi when transacting with sensitive information or mobile internet banking. Cybercriminals can use these WiFi networks to snoop and pry on your smartphone.
  5. Secure your smartphone with a password, PIN or a similar mechanism to prevent unauthorised use.
  6. Keep mobile device software up-to-date. If there is an update for your device from legitimate sources such as Google Play Store or Apple App Store, install it. New updates are sometimes used to fix bugs and address security vulnerabilities.
  7. Avoid using rooted / jailbroken devices as this may compromise smartphone security.
  8. Don't follow any links or instructions from unknown or suspicious sources.
  9. Customers who notice unusual behavior in their online banking session should immediately terminate the online banking session and contact Citi’s 24-hour CitiPhone on (65) 6225 5225.

What are some of the symptoms of mobile malware infection?

  1. Bad Battery Life: Whether malware is hiding in plain sight, pretending to be a regular application, or trying to stay hidden from the user, abnormal battery drainage can often give away the presence of an infection. This could be due to malware utilising the system resources to perform its actions (e.g., communicating with a command and control server) in the background.
  2. Dropped Calls and Disruptions: Mobile malware can affect outgoing and incoming calls. Frequently dropped calls or disruptions during a conversation could be the interference of mobile malware. Call your service provider to determine if the dropped calls are its fault. If it’s not, it is possible that someone or something is trying to eavesdrop on conversations or perform other suspicious activities.
  3. Unusual Phone/Data Bills: Android malware often infects devices and starts sending SMS text messages to premium-rated numbers. Some malware may send an SMS message just once a month to avoid suspicions, or they may uninstall themselves after causing unusually large mobile/data bills. Malware can also smuggle, steal and send sensitive data from your device to a third-party. Significant changes in your download or upload patterns could be a sign that someone or something has control over your device.
  4. Clogged Performance: Malware infection may cause serious performance problems as it tries to perform unauthorised activities in the background such as reading, writing or sending data from your smartphone. Checking RAM (Random Access Memory) use or CPU load could reveal the presence of malware that’s actively running on the device.
  5. Suspicious Applications: If you notice an unusual change in the look-and-feel of your smartphone (such as new icons or applications), malware may have infected your phone.

For more FAQs, please visit

Security Alert: TINBA Malware

A new variant of the TINBA malware is targeting banks in Singapore. This malware, when installed on the victim’s personal computer (PC), steals online banking credentials via fake messages and fake web pages that ask for personal information.

Citi recommends customers remain alert for malware threats and consider the following tips:

  • Malware often arrives on your PC in an email attachment. You should never open an attachment from someone you don’t know or if an email looks suspicious.
  • Malicious websites can install malware on your PC when you visit them. Never open links to webpages that you don’t recognize or that are sent from people you don’t know.
  • Install anti-virus software and make sure it is kept up to date. Anti-virus software should be configured to check for updates at least once per day.
  • Keep your PC operating system up to date.

Customers who notice unusual behavior in their online banking session should immediately terminate the online banking session and contact Citi’s 24-hour CitiPhone on (65) 6225 5225.

Security Alert: DYRE malware

Variants of the DYRE malware continue to target online banking customers worldwide.

DYRE, also known as Dyreza, is a malicious program used by cybercriminals to steal online banking credentials and perform fraudulent transactions. DYRE is usually spread by phishing emails containing attachments or hyperlinks that, once opened, can exploit your computer’s existing security flaws to install the malware. Once installed, DYRE can redirect websites through servers operated by criminals, allowing them to capture and alter data in real time.

How to recognize DYRE Infection?

  • Repeated requests for User ID, Password and/or One-Time PIN (OTP)
  • Changes in the appearance or procedures of online banking
  • Delays and persistent "loading" screens.

Citi recommends customers remain alert for malware threats and review our Online Security Tips.

Customers who notice unusual behavior in their online banking or believe their computer may be infected should immediately contact Citi's 24-hour CitiPhone helpdesk on (65) 6225 5225.

Security Alert: POODLE

A security vulnerability known as "POODLE" (Padding Oracle On Downgraded Legacy Encryption) has been discovered in the SSL3 (Secure Sockets Layer v3) protocol used by old versions of web browsers such as Internet Explorer 6 on Microsoft Windows XP.

SSL is used to establish an encrypted link between a website and a web browser (such as Internet Explorer) to keep the customer's credentials and transactions secure.

In view of this vulnerability, we will not be supporting older versions of web browsers as of 11th January 2015.

We recommend that customers refer to the Supported Browsers and Roles and Responsibility sections for steps to ensure a safe and secure online banking experience.


Authenticity of Citibank Website

Only log in by typing Citibank's Website address '' into your web browser. Always ensure that you are on a secure website before submitting your information via your web browser. To ensure you are on a secure website,

  • Check the beginning of the Web address in your browser's address field - it will be "https://" rather than "http://".
  • Secure websites will also contain a padlock icon on the status bar at the top of the browser. Double-click to view details of the security certificate, which is issued to Citibank.

    To verify that the website is authentic, check for the following details:

    • The certificate is issued to
    • The certificate is issued by Verisign.
    • The certificate has a valid date.
  • If a warning is shown that the SSL Certificate does not belong to Citibank, even if you see "https://...", you must terminate the session immediately and contact our 24-Hour CitiPhone Banking at +65 6225 5225 to report the incident.

  • All data sent to and from Citibank is "scrambled" and "reassembled" between Citibank and your personal computer using 128-bit encryption, the highest level of encryption commercially available.

    Right-click on the page > Select Properties


    Connection: TLS 1.0, RC4 with 128 bit encryption (High); RSA with 2048 bit exchange

One-Time PIN (OTP)

Whether you login from home, office or elsewhere, the One-Time PIN (OTP) when used with your User ID and Password, provides additional protection against unauthorized access of your online account information and from various forms of online fraud.

Time-Out Session with No Activity

When there is no activity for 8 minutes, your secured Citibank Online session will be terminated to help protect you against unauthorized access. You will have to re-enter your User ID and Password to login again.

Strict Protection of Customer Information

Citibank has strict standards on security and confidentiality to safeguard our customers' personal information. Regular audits are conducted internally to uphold these standards. Our security features also ensure that Citibank will never compromise our customers' personal information, including Password and PIN, to others.

Roles and Responsibility

As an internet banking user, you have a role to play to ensure that you are protected while banking online. Here are some of the steps you can take to safeguard yourself:

Your Role and Responsibility

Always make sure that you enter your User ID, Password and other confidential information only on the legitimate Citibank Website, by typing Citibank's Website address "", "" or "" directly into your Web browser.

To ensure you are on a secure website,

  • Check the beginning of the Web address in your browser's address field - it will be "https://" rather than "http://".
  • Secure websites will also contain a padlock icon on the status bar at the top of the browser. Double-click to view details of the security certificate, which is issued to Citibank.

    To verify that the website is authentic, check for the following details:

    • The certificate is issued to
    • The certificate is issued by Verisign.
    • The certificate has a valid date.
  • All data sent to and from Citibank is "scrambled" and "reassembled" between Citibank and your personal computer using 128-bit encryption, the highest level of encryption commercially available.

    Right-click on the page > Select Properties


    Connection: TLS 1.0, RC4 with 128 bit encryption (High); RSA with 2048 bit exchange

Do not save your online banking login details in your browser, and clear your browser's cache and history after each session. Always remember to log out when you have completed your internet banking session.

Always update the bank whenever you have changed your contact details so that you can be contacted in a timely manner should we detect any unusual transactions.

Ensure that your computer has the latest anti-virus software, as it helps to guard against new viruses. Your computer's operating system and browser software should be updated with the latest security patches. All these will help prevent unauthorized access to your computer.

Keep your User ID and Password confidential

Internet banking users should never disclose their User ID and Password, and should also ensure that no one is watching while they enter their User ID and Password or any confidential information. Memorize your User ID and Password and do not record them anywhere. Under no circumstances should you reveal your User ID and Password to anyone, even if they purport to be a staff member of Citibank.

Do not use a shared computer or device that cannot be trusted for internet banking, such as the computer at an Internet café. These devices may be installed with certain software that could capture your personal information without your approval.

Your Online Security Device (OSD) should be kept with you at all times and not be used or tampered with by anyone. The One-Time PIN (OTP) generated with the OSD or sent via SMS should also not be disclosed to anyone else.

Beware of Online Threats

Online threats are very common nowadays and are designed to trick you into surrendering your confidential information. It is important to know how they work and take preventive measures to safeguard yourself. Here are some examples of online threats:

  • Fraudulent emails - A forged email that lures you into providing sensitive confidential information, either by requesting you to reply to the email or by including links to a 'fake' website that attempts to retrieve your personal data by requesting you to log in to the 'fake' website.

    Preventive Methods:

    • Do not disclose your personal, financial or credit card information to unknown or suspicious websites.
    • Do not open email attachments from strangers or unknown sources, and do not install software or run programs from unknown origins.
    • Remember, under no circumstances will Citibank ever send you an email requesting your confidential information. You should not respond to the email or reveal your User ID and Password to anyone.
  • Spyware - Software placed on your computer that collects information about you and your internet traffic. It usually gets stored on your computer without your knowledge when you download software, games, screensavers, etc. from unknown Websites, and it claims to improve your computer's performance. It can be used maliciously to gain access to your confidential personal data such as your Passwords, PINs and Internet browsing history.

    Preventive Methods:

    • If you have installed any software that claims to speed up your internet connection, or have additional third-party toolbars on your browsers, then you may be using software that has the ability to track your internet sessions. We recommend that you uninstall this software.
    • Refrain from logging onto Citibank Online until the problem has been resolved.

Email Fraud

Every Internet user should know about spoofing (a.k.a. phishing or hoax) emails and letters that appear to be from a well-known company. Although they can be difficult to spot, the emails or letters generally will request you to access a link that leads you to a spoof Website or to call a phone number to get you to update and confirm your confidential information. To bait you, they may allude to an urgent or threatening condition concerning your account.

You should always remember that under no circumstances will Citibank ever send you an email or letter asking for your account-specific confidential information. You should never respond to such emails or letters, or reveal your User ID, Password or any other confidential information to anyone. Keep your User ID and Password private and do not share them with anyone, particularly in written correspondence such as email or letters.

Do not give your account number away over the phone unless you know the recipient or if you've initiated the call.


Phishing Scams

Spear Phishing

Even if a customer's desktop and mobile devices are not infected by malware, a customer may still be at risk from threats like phishing. Phishing occurs when fraudsters pose as trusted organizations and send out thousands of fraudulent emails to random email addresses. Spear Phishing is phishing that uses personalized or customized details to make the fraud seem even more legitimate to the targeted recipient.

Cyber criminals collect details from various public websites where people post personal information, including blogs and social networking sites. Using this information, criminals create customized fraudulent communications that appear legitimate and send them to groups of people.

These emails appear to come from a known person or organization and usually contain a link to a look-alike website to mislead customers into entering sensitive financial information such as their account number and PIN. This will enable the fraudsters to capture the customer's account information to access the customer's bank accounts.

How can I protect myself from Spear Phishing and SMShing?

  • Be suspicious of emails or SMS messages from unknown or suspicious sources.
  • Do not click on embedded hyperlinks or open attachments in emails or SMS messages from unknown or suspicious sources.
  • Do not click on any hyperlinks provided in email attachments or hyperlinks from suspicious sources.
  • Even if a message appears to be from Citibank, do not click on any links provided in the email or SMS message. Instead, independently navigate to Citibank’s website or call CitiPhone to determine if any action is needed.
  • As far as possible, do not provide personal information on unfamiliar websites or when posting information on social networking sites or discussion forums. Once your desktop or mobile phone is infected, your personal details can be hacked into and used against you via phishing etc.

How to Recognize Spear Phishing and SMShing?

  • The email or SMS message may come from an unknown sender.
  • There may be a sense of urgency, e.g. your account will be closed or temporarily suspended, or you will be charged a fee if you do not respond.
  • There may be obvious spelling errors. These errors enable phishing emails to avoid the spam filters that internet service providers use.
  • Use the "hover" test before clicking on any hyperlinks in emails: place your mouse pointer on the hyperlink without clicking. A small box will appear that displays the underlying destination to which you will be taken; if the two addresses do not agree, do NOT click the hyperlink.

Citibank will never send emails to customers to ask for or verify confidential, personal or account information.

What to do if I think I may have Malware on my device, or have experienced any Phishing or SMShing scam?

  • Do not enter in any personal, financial or credit card information.
  • If you have submitted banking information, then please contact Citi's 24-hour CitiPhone on (65) 6225 5225.
  • If you think you have received a phishing email purporting to have come from Citibank, forward the entire email as an attachment to
  • If you notice unusual behavior in your online banking session, you should immediately terminate the online banking session and contact Citi's 24-hour CitiPhone on (65) 6225 5225.

When you inform the Bank that your device may be infected by Malware, or report experiencing any Phishing or SMShing scam, the Bank can take appropriate steps to place restrictions on your account such as restricting online access using your online login credentials or stopping your card to prevent any more spending. Hence, it is important that you inform the Bank as soon as possible if you notice any unusual or suspicious behavior or transactions on your account.

We also post updates on our website when we learn about new variants of mobile malware targeting online and mobile banking transactions. Please visit our website on a regular basis to check for the latest information.

For the latest update on online security, please refer to the below link:

Pretext Calling

Pretext calling is defined as a deceptive means of obtaining personal information and unauthorised disclosure of customer financial information. Fraudsters may pose as bank officers to obtain your account number or credit card number and other information required. Upon obtaining such information, the fraudsters may call your bank posing as you, using the stolen information to take over your identity in order to perform transactions using your account.

Another form of pretext calling is when fraudsters ask victims to confirm transactions that were purportedly made on the victims’ credit cards. When victims inform the fraudsters that they do not have such credit cards, the victims are given a fake Citibank Singapore telephone number in order to lodge a report. Upon calling, the fraudsters will request the victims’ personal information, which will subsequently be used for fraudulent activities. Be aware that Citibank Singapore Ltd will never request your personal or financial information through SMS or telephone calls and will never ask anyone to transfer money to any third party account.

  • Monitor and pay attention to your regular credit card and bank statements to ensure your transactions are accurate.
  • Do not share personal information, such as account numbers, passwords, National Registration Identity Card (NRIC) number and other personal information over the telephone, email, SMS or internet, unless you know who you are dealing with.
  • Store your personal information in a safe place and shred your old credit card receipts, ATM receipts, old account statements, and any other correspondence before disposing of them.


Pharming is a scamming practice in which malicious code is installed on a personal computer or server, misdirecting users to fraudulent websites without their knowledge or consent. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploiting a vulnerability in DNS server software.

  • If you access websites which require your personal information, ensure the website address has https:// in its URL.


Keylogging is a form of online fraud where the keys entered on a keyboard are captured, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.

Citibank Online

  • Using a One-Time PIN (OTP) is keylogger safe, as each PIN is invalidated as soon as it is used.
  • Install anti-spyware applications which are able to detect and disable/cleanse keylogging software.


Keylogging on ATMs is known to involve overlaying a keyboard on the ATM's PIN pad to capture people's PINs. The device is designed to look like an integrated part of the ATM so that bank customers are unaware of its presence.

  • Citibank only uses certified encrypting PIN pads for all its ATMs.
  • If you notice any "unauthorized" devices or objects fixed to the ATM, do not use the ATM machine and report it immediately to our 24-Hour CitiPhone.
  • If you notice anything strange at the ATM, leave immediately. If you have already started a transaction, cancel it and leave immediately.

Interactive Voice Response (IVR)

Keylogging on mobile phones has been known in the market for a number of years. The main purpose of such spyware is to capture and transmit information including email, SMS and keystrokes on the cell phone without the user of the phone being aware of it.

  • Think before downloading applications. Review the privacy policy and understand what data (location, access to your social networks) an application can access on your device before you download it.
  • If you did not expect any message or connection attempt to your mobile device, take precaution by declining the connection as this may be an attempt to send a malicious program to your mobile device. Always decline such attempts in connection when in doubt.
  • Avoid downloading the Citibank Mobile application from any site other than the Apple App Store and Google Play.

SMS Spoofing

SMS spoofing uses the short message service (SMS) to set who the message appears to come from by replacing the originating mobile number (sender ID) with alphanumeric text. Spoofing has both legitimate uses (setting the company name from which the message is being sent, setting your own mobile number, or a product name) and illegitimate uses (such as impersonating another person, company or product).

  • If you suspect any SMS spoofing, you should notify Citibank immediately by calling CitiPhone at (65) 6225 5225. Remember, Citibank will never request your personal details via SMS.

Important tips when using the ATM

    • Be alert and watch out for any suspicious persons or activities around the ATM. Be alert of anyone loitering in close proximity to or even at a distance from the ATM location.
    • Never lend your ATM card to anyone.
    • If you notice any "unauthorized" devices or objects fixed to the ATM, do not use the ATM machine and report it immediately to our 24-Hour CitiPhone.
    • Do not accept any offers of assistance with the ATM from strangers. If you need help, use the phone located at the ATM machines to contact our 24-Hour CitiPhone for help.
    • If you withdraw cash, put it away immediately. Do not count it at the ATM machine.
    • When leaving an ATM location make sure you are not being followed by anyone. Drive immediately to a police station, crowded area or well-lighted location if you are being followed.
    • Apply for ATM cards only for accounts that are used regularly.
    • Do not apply for an ATM card if there is no requirement to access the account often.
    • Keep a minimal amount of money in the accounts that are linked to the ATM cards.
    • Minimize the chances of falling victim to ATM card fraud.

      - When choosing a PIN, don't use common numbers like the last six digits of your IC or your date of birth.

      - Once you have chosen a PIN, memorize it, and never write it down on anything that you carry with you, including the back of your card.

      - Get used to using the same ATM for your transactions. When you are familiar with it you will be able to recognize changes to it.

      - Be alert and vigilant when conducting transactions at any ATM, and be sure not to be distracted by strangers.

      - Be mindful when entering your PIN in the presence of others near the ATM.

      - If your card is withheld by the ATM, report it immediately to our 24-Hour CitiPhone hotline.

      - Do not respond to any mobile phone text messages or emails requesting personal information, especially your PIN and passwords to your banking account. This is because banks will never request such information in this way. If you do receive such a call or text message, take down the caller's details and call the bank directly to verify their identity with the bank's customer service centre.

    • Minimize your loss if you do fall victim.

      - If your ATM card has been lost, stolen or otherwise compromised, immediately call the bank to cancel the card and get another with a new PIN. If you have reason to believe that an identity thief has tampered with your bank accounts, cheques or ATM card, close the account immediately.

      - Check your bank statements regularly even after you have reported your ATM card missing. If you find any suspicious charges, notify the bank immediately.

    Types of ATM Fraud:

    ATM Card skimming

    Instance where a skimming device is used to copy an ATM card's security information on its magnetic stripe in order to reproduce the customer's information on a counterfeit card.

    ATM Card jamming

    Instance where an ATM's card reader is tampered with in order to trap a customer's card. The criminal removes the card once the customer has walked away from the ATM Machine.

    ATM Card swapping

    Instance where a customer's card is swapped with another card without their knowledge during an ATM transaction.

    Shoulder surfing

    Instance where an individual stands next to someone and observes as they enter a PIN number at an ATM machine.

    Compromise of ATM PIN number

    Instance where the customer's ATM PIN is either obtained via observation, i.e. "shoulder surfing", or illegally recorded by a hidden camera.

    Types of Telephone Banking Fraud:

    Telephone Tapping

    Telephone tapping is the unauthorized monitoring of telephone and Internet conversations and/or key tones by a third party. Phone tapping is possible on a public switched telephone network and can be difficult to detect. To minimize the risk, consider disabling your mobile phone's Bluetooth connection to prevent any unauthorized access to signals sent from and to your phone.

Supported Browsers

You are recommended to use supported and updated browsers to ensure that your internet banking is secure.

Web Browsers / OS: Windows Mac OSX iOS Android
8.1 8 7 Vista XP 10.10 10.9 10.8 7.1.2 7 4.1.2
Internet Explorer 11 X X
Internet Explorer 10 X X
Internet Explorer 9 X X
Internet Explorer 8 X X X
Chrome 35 X X X X X
Chrome 32 X X X X X
Chrome 31 X X X X X
Firefox 33 X X
Firefox 30 X X X
Firefox 28 X
Firefox 26 X X X X
Firefox 25 X X X X
Safari 8.0 X
Safari 7.0 X
Opera 12 X X
Opera 10 X X X X
Tablet Local Browser X X X X
(Samsung Galaxy Note 10.1)
(Kindle Fire HD)

You can download a new browser from:

  • Microsoft Internet Explorer™
  • Google Chrome
  • Mozilla Firefox
  • Safari
  • Opera

NOTE: We do not recommend that you download beta versions, since they are experimental and may undergo significant changes before they're released. Please only download the above recommended versions.

If you are not ready to upgrade your browser, or you do not use one of these operating systems, you can still visit our site. However, should the browser be rejected, you will need to upgrade your browser using the recommended links above. Browsers can usually be downloaded for free from the websites of the companies listed above.

How can I tell which browser version I am using?

For Windows Users:

  • Microsoft® Internet Explorer™ - Menu > Help > About Internet Explorer
  • Mozilla Firefox - Menu > Help > About Mozilla Firefox
  • Google Chrome - Wrench icon, top right corner > About Google Chrome

For Mac Users:

  • Safari - Safari > About Safari

If you suspect that there has been any unauthorized breach of your accounts online, or that an online transaction has taken place that you did not initiate, it is important for you to inform us directly. You should also notify the bank immediately should you encounter any issues, difficulties or irregularities.

  • Security incidents will be escalated to our technical support staff for evaluation. If any breach of security appears to have occurred, the bank will investigate it further.
  • Citibank will provide you with an interim update on our investigations and the status of your case. Final resolution of any incident, though, will depend on the nature and complexity of the incident, as well as the details surrounding the case.
  • While we investigate, our officers may ask you to provide more details surrounding the incident to allow us to resolve your case as quickly and as efficiently as possible.

You are strongly advised to check your accounts on a regular basis and monitor your monthly statements to ensure that all activity on your account is authorized, and if you notice something suspicious, to contact the customer service number on the back of your card immediately.

You are always encouraged to log in to Internet banking from your browser by typing or into the address bar or add Citibank to your list of favourites. Do not follow links from emails, letters, etc.

Protecting our customers' accounts and personal information is one of our highest priorities. You can call our 24-Hour CitiPhone banking at (65) 6225-5225 or Commercial Bank hotline at (65) 6238 8833 to report any irregularities.

It is important that you do your part to ensure banking online is done in a safe and secure manner. Citibank shall neither be liable for acting upon instructions nor obliged to investigate the authenticity or authority of persons effecting your instructions or verify the accuracy and completeness of your instructions. Such instructions shall be deemed irrevocable and binding on you upon receipt by Citibank notwithstanding any error, fraud, forgery, lack of clarity or misunderstanding in respect of the terms of such instructions.