Security Centre

Welcome to the Security Centre.

Your security is our priority.

Stay Protected with Online Security Tips by Citibank Singapore.

Learn how we protect your banking experience at Citi, and how you can protect yourself against identity theft and other security risks at the same time.

As the first step to protect your accounts, we’ll educate you on the different types of fraud that exist – from discovering how to spot and stop fraud, to the additional preventive steps that you can take.

Always remember to check that the citibank.com.sg website has a valid certificate marked Citigroup Inc. [US] and a padlock symbol in the web address bar when you access Citibank Online.

Online Security Tips

Online Security Tips

Latest Security Alert

Security Alerts and Information

Customers of Citibank Singapore Limited are advised to check this page regularly for the latest security alerts and/or news. If you are unsure whether any call, email or SMS is genuinely from Citibank, please contact us immediately and refrain from taking any further action. Whilst Citibank strives to provide you with the latest security alerts and/or news, please note that this webpage and the examples of scams/phishing listed here are not exhaustive. For latest news on scams/phishing, please refer to www.scamalert.sg which is a website owned and operated by the National Crime Prevention Council of Singapore.




Introducing new security updates on your Citi Mobile® App

Date: 15 September 2023

With the increase and prevalence of malware scams, scammers are employing increasingly sophisticated tactics to deceive users into installing malicious apps (malware) on their devices. Once a malicious app is installed, scammers can remotely access your device and steal sensitive information, including personal data and banking credentials to perform fraudulent monetary transactions.



WHAT CITI IS DOING FOR YOU

As part of our ongoing efforts to provide you with a safe and secure banking environment, we have introduced a new security update on the Citi Mobile® App.

To protect your online banking data, we have enhanced the Citi Mobile® App to restrict your access in the event we detect any apps/tools with risky permission settings attempting to gain access to the Citi Mobile® App on your device.

In order for you to continue accessing the Citi Mobile® App, you are required to disable any risky permission settings (for e.g. stop screen sharing/broadcasting/control) on the other app/tool.

Once such risky permission settings have been disabled, your access to the Citi Mobile® App will no longer be restricted and you may proceed with usage of the Citi Mobile® App.

We will be detecting the following 4 potential risky permission settings on apps/tools attempting to access the Citi Mobile® App on your device:

  • 1) Anti Remote Desktop Access
  • 2) Suspicious Accessibility Services
  • 3) Android Debugging via Developer Options
  • 4) Screen Overlay


HOW TO PROTECT YOURSELVES FROM MALWARE?

1) Be Vigilant — Stay Safe and Not Sorry: If the price of an offer is too good to be true, it probably is. Be vigilant and verify the legitimacy of the offer with the company via official sources. Consult your family, friends, or colleagues if you are unsure.

2) Avoid Installing Unknown Apps: Refrain from downloading apps from third-party websites and only download from official app stores like Apple AppStore and Google Play Store. Malicious apps may request for permissions, such as “Accessibility Services”, that are unrelated to their intended functionalities. Review app permissions carefully during installation and reject any suspicious requests.

3) Be Wary of Unusual Payment Requests: Be cautious if the offers require you to use unconventional payment methods, such as gift cards or cryptocurrency. These methods are often favoured by scammers because they are difficult to trace and reverse.

4) Share with Care: Always verify the legitimacy of the offer before sharing with your family, friends, and colleagues. If in doubt, avoid sharing it or enlist their assistance in helping you verify the legitimacy.



WHAT TO DO IF YOU FALL VICTIM TO A MALWARE SCAM?

1) Switch your Device to Flight Mode: If you suspect your device has been infected by malware, switch your device to the flight mode immediately to disconnect from the Internet. This will prevent the scammers from further accessing your device remotely.

2) Activate Kill Switch immediately: On a secondary/uncompromised device, login to the Citi Mobile® App > Settings & More > Activate Kill Switch. Alternatively you can login to Citibank Online or call Citiphone +65 6225 5225 to activate Kill Switch. Click here for more information on activating Kill Switch.

3) Identified Unauthorised Transactions: If there are any unauthorised transactions detected in your bank account(s), contact Citiphone immediately at +65 6225 5225.

4) Report the incident to the police: Reach out to the police and lodge a report.

5) Run an anti-virus scan on your device: Use an anti-virus software which you have downloaded from verified or legitimate sources to scan and remove any malware detected in your device to ensure that known malware in your device is identified and removed.




Keep your cards safe when travelling abroad

Date: 13 June 2022

Thinking about travelling abroad any time soon? With the announcement of the simpler Vaccinated Travel Framework, Singaporeans will now be able to travel abroad easily. If you are planning to travel abroad, please be reminded to stay vigilant during your travels and to keep your credit and debit cards safe to avoid any fraud or theft.



Follow these tips while travelling abroad:


Do not leave your handbags/wallets and cards unattended (e.g. in the overhead compartments of planes or coaches etc.). Use your hotel’s safe to store important documents such as your passport or spare credit card. If your hotel does not provide this option, you can use a lockable suitcase – always remember to lock your suitcase when left unattended.


Beware of strangers and always check that your wallets/cards are in your possession.



Be aware of common scams at your travel destination (e.g. elaborate begging or street vendor scams, taxi scams).


Ensure that the correct card is returned to you after any purchase.



Be alert at crowded places (e.g. trains, markets, shopping centres, airports etc.). Be wary of where you keep your wallet and watch out for people who bump into you, as they may be trying to swipe it.


Your credit card information may be stolen digitally via radio-frequency identification (RFID) skimmers. You can consider protecting yourself using RFID-blocking travel wallets during your travels.





What to do if your credit or debit card was stolen or lost overseas?



For Credit Cards:

Step 1: Lock your credit card immediately via the Citi Mobile® App so no one else can use it.
  • To lock your card, click on “Manage” on your card on the Citi Mobile® App. You may unlock your card just as easily when you need to.
  • While your card is locked, you will not be able to use it for point-of-sale transactions. However, any recurring payment instructions that you may have established on your card will not be affected.
Step 2: Report as lost or stolen via the Citi Mobile® App.
Step 3: If you would like to terminate your card and request for a replacement, please call our CitiPhone hotline available on the Citibank website.

For Debit Cards:

Deactivate your debit card by reporting it as lost and blocking your card(s) permanently.
  • Click on “Profile and Settings” from the top right hand and tap on “Cards & accounts”. Select the card you wish to block and tap on report as lost/stolen.
  • Please note that this action cannot be undone and a new replacement card number will be generated.






Getting ready for your trip? Here are some pre-travel preparation tips:

Check if your contact details with the bank is updated

Ensure that all your contact details with the bank are updated so that we can contact you immediately in the case of fraudulent activity. Do note that if you change your SIM card whilst overseas, Citibank will not be able to contact you.

To update your contact details, you may log in to the Citi Mobile® App and navigate to “Profile and Settings”. Alternatively, you may also log in to Citibank Online and select “My Profile”.
Enable your Citialerts to stay updated on your transactions

Ensure that your Citialerts are enabled via Citibank Online so that you can be notified on any transactions on your card(s) and account(s). You will be notified on online outgoing funds transfer from your banking accounts which is S$1 and above.

Note: If you have opted to receive SMS for your Citi Alerts, please ensure that you do not swop out your SIM card with the phone number registered with Citi.

If you detect any unauthorised transactions on your card(s) and account(s), please report it to us by calling our CitiPhone hotline available on our Citibank website.

Lock your credit card via the Citi Mobile® if you are not intending to use it overseas

To lock your card, click on “Manage” on your card on the Citi Mobile® App. You may unlock your card just as easily when you need to.



Be Wary of Impersonation Scams

Date: 05 MAY 2022

There are scammers calling victims and pretending to be a government official (e.g., a police officer, immigration officer, or court official), an employee, or a representative from a bank or courier company. The scammers will use scam tactics to get you to provide your personal banking information, surrender monies to them for investigation, or download remote access software to extract your personal information.

Be wary of impersonation scams and stay vigilant by learning about different impersonation tactics and what to look out for.

Please note that no foreign law enforcement or authority can investigate offences here in Singapore, and no public authority can request that you open a bank account or access your online banking account.



Types of Impersonation Scams


China Official Impersonation

This scam involves a scammer calling victims and pretending to be a government official or employee of a Chinese bank or courier company, claiming that your identity was used to send parcels containing fake passports, weapons, or to apply for overseas credit cards, involved in money laundering.

The victims will be threatened to give personal information such as passport or bank account number, internet banking credentials, or One-Time Password (OTP).


Police Impersonation

This scam involves unsolicited robocalls claiming to be from government agencies, transferring you to messaging applications (e.g., Whatsapp, Telegram, LINE) where you will be contacted by a fake policeman. The scammers will share forged documents such as warrant cards, police reports of arrest, or even wear police uniforms with police IDs to dupe and gain the trust of victims.

The victims will be instructed to surrender their monies for investigation by making transfers to various bank accounts or to pass the money in person based on the promise that the monies will be returned after investigation.

There have been cases where scammers will ask victims to provide banking credentials and set up an e-GIRO link to the victims’ bank account to top up their e-wallets (e.g., Grab e-wallets).



Telecommunication Representative Impersonation (“Tech Scam”)

This scam involves scammers calling victims (typically to their home lines to avoid caller ID) pretending to be a representative from a telecommunication company, where they claimed to have noticed that you have been facing issues with your Wi-Fi or phone lines.

The victims will be prompted to download remote access software such as TeamViewer so the scammer can to remotely view your screen as you key in your personal information like banking credentials and OTP.



What should you look out for?


Calls or messages from courier companies, telcos, or government agencies asking you for your personal particulars, bank account details, or OTPs. Please note that no local government agency/police will contact you using robocalls and instruct you to transfer money to designated bank accounts for investigation or ask for your personal banking information.
Scare tactics that link you to crimes such as pending court cases, your mobile number being used in a crime, your Wi-Fi being compromised, or urgent requests that require your immediate attention.
Threats by the caller to escalate matters to the police if you do not cooperate.
Numbers calling from a ‘+’ number, even if it is ‘+65’, does not mean it is from Singapore.



What should you do in the above scenarios?






Always verify the caller’s organisation or information shared directly with the source if you are unsure.




Beware of incoming calls with the "+" prefix as the calls are international incoming calls.




Never disclose personal particulars, banking, and credit card details and OTPs to anyone, especially over unsolicited phone calls.




Do not install any software or grant remote access to your devices.




Hang up immediately if the caller cannot identify himself properly.




Do not click on URL links provided in unsolicited emails and text messages.


Citibank customers are advised to install ScamShield (from Government Technology Agency) from the iOS App Store. The application allows you to block spoofed calls and SMSes based on a list from the Singapore Police Force, and report scam messages/calls via the in-app reporting.

For more details, please refer to www.scamshield.org.sg



Be Wary of Job Scams

Date: 04 May 2022

There are scammers sending unsolicited job offers via messaging apps or social media, offering high-paying jobs that require little effort and no experience but victims are required to pay fees or transfer monies before earning commissions. Be wary of unsolicited job offers and stay vigilant by learning about different job scams and what to look out for.



What are the different types of job scams?




Affiliate Marketing Job Scam

This is a job scam requiring victims to complete easy tasks such as liking social media posts to earn commissions. Victims are instructed to sign up for job packages by making upfront payments but will not receive further commissions after the initial commission.


  • Scammers offer fake online jobs requiring victims to complete easy tasks such as liking social media posts to boost viewership or pay for products in advance to boost sellers’ sales in order to earn commissions.
  • In order to do so, victims are directed to sign up for accounts on website links provided by the scammers which may also offer mobile application downloads for ease of utilising their services.
  • The websites offer job packages with varying amounts of commission paid per task. The victims would need to sign up for these packages by making upfront payments to bank accounts belonging to unknown individuals.
  • Most of the time, victims would be convinced that they were asked to do legitimate work as they would receive commissions and profit at the onset, i.e., no losses incurred initially. However, victims eventually discover that they had been scammed when they did not receive further commissions.




Fake Mobile App Job Scam

This is a job scam requiring victims to download a fake mobile application and top up funds into their accounts for buying and selling products or transferring money or cryptocurrency to bank accounts. Victims will not be able to withdraw their money or commission reflected on the fake mobile app.



  • Victims are told to download fake mobile applications (e.g., Shopee Pay) from unverified websites to shop, accept jobs through the fake mobile app, or buy and sell movie tickets for commission.
  • Thereafter, they would be instructed to top up funds into their account on the fake mobile app for ‘buying and selling’, or by transferring the money to bank accounts provided, or to convert the amount into cryptocurrency and transfer them into wallets provided by the scammer.
  • Scammers promise victims commission after a certain number of tasks have been completed, the amount will then be reflected in their accounts in the fake mobile app.
  • However, the victims soon realise that they have been scammed when they are unable to withdraw the money or purported commission.




Warning Letter Job Scam

This is a job scam evolving from the fake mobile app scam where victims who try to quit the job and withdraw money from their accounts, will receive a fake warning letter with a letterhead of local authorities stating that their accounts would be frozen with legal implications. Victims will then be further pressured to make more fund transfers to avoid claimed legal action.


  • Evolving from the fake mobile app job scam (see above), victims who try to quit the ‘jobs’ and withdraw money from the accounts on the fake mobile app will receive a warning letter. It would indicate that their mobile application accounts would be frozen and legal actions could be taken against them if they were to quit the 'jobs'.
  • The warning letter will bear the fake letterheads of local authorities such as Singapore Police Force, Singapore’s Coat of Arms as well as the Supreme Court to enhance the credibility of the ruse.
  • Victims are then pressured into making further fund transfers to bank accounts or cryptocurrency wallets to avoid having further legal action purportedly taken against them.
  • Victims would eventually realise that they have been scammed when they do not receive their commission after completing the tasks.



Here are just two examples of job scam offers that victims have received via SMS, Whatsapp or Telegram:






EXAMPLE 1




EXAMPLE 2






What should you look out for?






You are contacted for a job
you did not apply for.




You are promised a large sum of money for very little work or if the salary range is way out for your experience, then be wary. Easy jobs that offer lucrative commissions are simply too good to be true.




You receive an offer from a free email account eg., @yahoo.com, @gmail.com.




You are asked to transfer funds to bank accounts or cryptocurrency wallets belonging to individuals that you have not met in person.




You are asked for confidential information, including bank and credit card details over messaging apps or emails.




You are hired directly without an interview or meeting your potential employer.




You are asked to download dubious mobile
applications from unverified sources.




What should you do in the above scenarios?






Ignore unsolicited job offers from dubious sources.




Verify the legitimacy of the job offer directly with the company concerned.




Do not share personal and banking information, including OTPs.




Never transfer money/cryptocurrency to strangers or anyone you have not met.




Do not use your bank account to conduct
transactions on behalf of others.




Beware of fake SMSes with spoofed Citibank Headers & calls from spoofed Citibank Hotlines

Date: 04 May 2022

There has been a re-emerging trend of scammers pretending to be from the bank contacting victims through a spoofed Citibank Hotline or spoofed SMS headers. They would claim that there are suspicious activities on the victim’s account or that the victim’s cards have been suspended.

Do not fall prey to such scams, as scammers can use the information you provide to them to make unauthorised transactions on your credit/debit cards or bank accounts. To ensure the legitimacy of the links, they should start with https://www.citibank.com.sg/ when you click in.

How to spot a fake SMS with spoofed Citibank Header?






Example 1




Example 2




Example 3




Example 4





The scammers send SMSes with spoofed Citibank Headers to victims, informing them that their accounts have been suspended for security reasons.




The scammers usually instruct the victims to contact a phone number or click a link to reactivate their accounts.




Upon calling the number or clicking on the links, victims are instructed to provide their personal and banking details for further verification.




The scammer requests the victim to provide account details and OTP (One-Time PIN).




Fraudulent transactions will then take place on the account.



What should you look out for?

Be wary of fake SMS messages with spoofed Citibank Headers. Do also check for grammatical and/or spelling errors.
Verify the content by calling Citibank directly or reaching us via secured email.
Never disclose your personal, bank account, credit/debit card details, or OTP to anyone.
Report any fraudulent credit/debit card charges or account transfers to Citibank immediately.





What should you look out for?




The scammer impersonates a 'Bank officer' and calls the victim from phone number +65 6225 5225.




The scammer informs the victim that there is suspicious activity on the victim’s account and proceeds to ask questions to verify that he/she is the customer.




The scammer informs the victim that there is a fraudulent transaction on his/her bank account.




The scammer informs the victim that a bank account has been created at a Citibank branch. The scammer then says that there are two large amount transfers done under the victim’s account (e.g., $100,000 and $150,000).




The scammer informs the victim that a deposit has been made and the victim has a current account with a fraudulent transaction.




The scammer requests the victim to provide account details and OTP (One-Time PIN).




Fraudulent transactions will then take place on the account.


In all the above scenarios, scammers may ask for your account number, login details, password, and inform you to lodge a Police report.

In some cases when you inform them that you did not open such an account with the bank, they might pretend to transfer you to the Commercial Affairs Department (CAD) to report the fraud application. The person claiming to be from ‘CAD’ may provide you with a reference number for his report (e.g., CAD#63250000) and ask for your personal and banking details such as your NRIC number or credit card number.



What should you do?

Ignore suspicious-looking calls coming from a ‘+’ number.
Be wary of providing full bank, debit, and credit card details when asked.
Citibank will never ask you to provide your OTP or passwords to us. Always verify that the OTP you are entering is related to the transaction that you are performing. This includes authorising an online purchase or adding your credit/debit card to your mobile wallet (Apple, Google, or Samsung Pay) or when the SMS OTP is triggered for your Citi Mobile® App registration.
Hang up immediately, block, and report if the caller cannot identify themselves.
Call our hotline numbers directly found behind your debit or credit card, the Citi Mobile® App, or Citibank website if you are suspicious or unsure.



What should you do?


  • Citibank will never ask you to log in to your e-banking with an embedded hyperlink or request that you enter personal information, for example reactivating your credit card or providing your card details via the hyperlink in an SMS.

  • Please check if the received links are legitimate by ensuring the link starts with https://www.citibank.com.sg/

  • You should never reveal your banking details (e.g., your login credentials and passwords, security token, unlock code, one-time password (OTP), ATM Card/Credit Card Personal Identification Number (PIN), account balance, identity card/passport number, ATM card image, banking statement or other sensitive information) to any third party or unauthorised app. Remember that our staff will not ask for the above information via phone call, SMS, and/or email.

  • Remember that the risks of scanning an unknown QR code are similar to clicking on links in unknown messages, especially while making payments or transactions using QR codes. It is best only to use QR codes to pay in secure and familiar environments.



Protect Yourself Against Vishing Scams

Date: 1 December 2021

Have you received a suspicious call claiming to be from a telecommunication company, government ministry or an online shopping site? There has been a rise of call related scams where scammers will call you claiming to be a representative from a reputable company and asking for your sensitive personal information such as Credit Card or banking details and OTP (One-Time Pin).

Stay vigilant and safeguard yourself from these call related scams as scammers can use the information you provide to them to make unauthorised transactions on your credit/debit cards or bank accounts.


Find out about a common shopping site vishing scam scenario

Customer receives a call from someone claiming to be a representative from a shopping site informing him/her that there are unauthorised transactions on his/her account.
The scammer claims, that in order to help the customer reverse the unauthorised transactions, they require his/her Credit Card, Banking details and OTP before they can proceed to do so. They may even read out some Card details and personal information to assure the customer of their credibility.
If the customer is not convinced, the scammer may pressure the customer that it is time sensitive and urgent or even transfer it to a manager who may have more of customer's personal information on hand.
The scammer then uses the details provided by the customer, to make transactions out of customers’ account.

Find out about a common telecommunication company vishing scam scenario

Customer receives a call from a representative claiming to be from a telecommunication company informing them that someone has hacked into their account.
Customer is transferred to someone else claiming to be a “Cyber Crime Police Offer” who informs that there are suspicious activities detected on their network.
Scammer sets a trap to secure the customer’s account by telling them to co-operate in downloading a screen-sharing application onto their desktop and log into Citibank Online.
Scammer captures the customer’s personal information from the screen-sharing and proceeds to make transactions out of their account.

Important things to take note of





ALWAYS

  • Be wary of phone calls from numbers beginning with +65 as they are international calls and highly likely to be fraudulent.
  • Check the full OTP message before entering it anywhere as the message will contain information on its intended purpose i.e. Apple Pay enrolment.
  • Hang up if you are suspicious and uncomfortable of the call.
  • Check your transaction alerts from Citi. You may set a minimum transaction amount that you want to be alerted on at Citibank Online.


NEVER

  • Give out your Credit Card or Banking details especially the CVV or OTP as Citi will not ask you for that information over the phone.
  • Share any personal identifiable information.
  • Share your Banking or SingPass login credentials such as User ID or Passwords.
  • Allow 3rd party applications or remote access on your PCs or mobiles.


What should you do when you receive suspicious calls?



If you encounter any suspicious calls and have provided your personal details, please contact the Citi Hotline immediately.




Beware of Phishing Scams

Date: 3 September 2021

There has been an increasing trend of phishing scams where scammers trick victims into providing sensitive banking information such as their login credentials, One-Time Pin (OTP), bank account and/or card details, including expiry date and CVV. The scammers use digital platforms of email, SMS, messaging platforms, social media and online advertisements.

It is important that you familiarise yourself with the nature of these common scams to protect yourself from fraudulent fund transfers or charges to your cards.


What do Phishing Scams look like?

Advertisements

Advertisements for incredible offers or flash deals expiring within the hour, with common phrases such as “not to be missed”

Claims of issues with delivery or request of shipping fees

Messages that claim incorrect delivery details or request additional delivery fees before your product can be sent

Claims of windfall

Announcements declaring you the winner of a lucky draw or contest randomly picked by the company

Claims of requiring renewal or verification

Messages that claim you have any unpaid fees, expiring subscriptions, refunds to be credited or security updates verification

Important things to take note of





ALWAYS

  • Verify whether the social media account is legitimate by checking with the person offline or outside of Social Media.
  • Verify the URL of the website for its legitimacy. Hovering over the link usually reveals that the email or link is not from the official company.
  • Insist on cash-on-delivery when possible or use the platform’s secure payment option.
  • Be extra careful when it comes to advertisements and promotions, especially when providing personal details.
  • Be extra vigilant on phone calls from unfamiliar numbers to avoid scammers asking for personal details.


NEVER

  • Disclose your personal particulars, banking and credit card details and OTPs to anyone, including family and friends.
  • Act hastily upon seeing a flash deal without confirming its source.
  • Agree to private bank transfers to sellers before delivery.



Beware of Calls from Spoof Citibank Hotlines & Fake SMSes with Spoof Citibank Headers

Date: 11 June 2021

There has been a re-emerging trend of scammers pretending to be from the bank contacting victims through a spoof Citibank hotline or spoof SMS headers. They would claim that there are suspicious activities on the victim’s account or that the victim’s cards have been suspended.

Do not fall prey to such scams, as scammers can use the information you provide to them to make unauthorised transactions on your credit/debit cards or bank accounts.





What is Spoof Citibank Hotline?






The scammer impersonates a ‘Bank officer’ and calls the victim from phone number +65 6225 5225.




The scammer informs the victim that there is a suspicious activity on the victim’s account and proceeds to ask questions to verify that he/she is the customer.




The scammer requests the victim to provide account details and OTP (One-Time PIN).




Fraudulent transactions will then take place on the account.



What should you do?



  • Ignore suspicious looking calls coming from a ‘+’ number.
  • Be wary of providing full bank, debit and credit card details when asked.
  • Citibank will never ask you to provide your OTP to us.
  • Hang up immediately, block and report if the caller cannot identify themselves.
  • Call our hotline numbers directly found behind your debit or credit card, the Citi Mobile® App or Citibank website if you are suspicious or unsure.


What is SMS with Spoof Citibank Header?






Example 1




Example 2


  • The scammers usually instruct the victims to contact a phone number included in the SMS in order to reactivate their card.
  • Upon calling such a number, victims are instructed to provide their NRIC, bank account and/or credit/debit card details for further verification.
  • The scammer requests the victim to provide account details and OTP (One-Time PIN).
  • Fraudulent transactions will then take place on the account.


What should you look out for?






Be wary of fake SMS messages with spoof Citibank headers. Do also check for grammatical and/or spelling errors.




Verify the content by calling Citibank directly or reach us via secured email.




Never disclose your personal, bank account, credit/debit card details or OTP to anyone.




Report any fraudulent credit/debit card charges or account transfers to Citibank immediately.





Social Media Impersonation Scam

Date: 24 May 2021

Stay vigilant online against the recent increase of Social Media impersonation and phishing scams. It is important that you familiarise yourself with the nature of these common scams to protect yourself from fraudulent fund transfers or charges to your cards.


What do Social Media Impersonation Scams Look Like?






The scammer contacts you via social media platforms such as Facebook messenger or Instagram impersonating as your friend, family member or follower by using comprised or spoofed social media accounts.




The scammer requests for your mobile phone number and/or mobile phone provider on the pretext of helping you sign up for fake contests or promotions on online shopping platforms.




The scammer asks for your credit card details, including your card number, expiry date and the three digits on the back of your card, on the pretext of helping you claim a prize or reward.




Some scammers are able to provide personal information to convince you of their identity.




The scammer then asks for the SMS OTP from your mobile phone to access your account until you suspect something is wrong or your credit limit is reached.

What Should You Look Out For?



Messages promising gift vouchers from popular online shopping websites


What do Phishing Scams Look Like?






You receive an SMS, email, pop-up message or advertisement regarding an incredible offer on Instagram or Facebook.




After clicking on the link, you are directed to a website that resembles the actual company’s website.




You are required to enter your credit card details, including your card number, expiry date and the three digits on the back of your card.




You are prompted to enter your OTP to complete the transaction.


What Should You Look Out For?



  • Messages that you have a package that is stuck and needs delivery charges to be paid.
  • Messages that you have overpayments to be credited or shortfall to be settled.
  • Incredible offers or flash deals expiring within the hour, “not to be missed”.
  • Announcements declaring you the winner of a lucky draw/contest randomly picked by the company’s database.


Important things to take note of





ALWAYS

  • Verify whether the social media account is legitimate by checking with the person offline or outside of Social Media.
  • Verify the URL of the website for its legitimacy. Hovering over the link usually reveals that the email or link is not from the official company.
  • Insist on cash-on-delivery when possible or use the platform’s secure payment option.
  • Be extra careful when it comes to advertisements and promotions, especially when providing personal details.
  • Be extra vigilant on phone calls from unfamiliar numbers to avoid scammers asking for personal details.


NEVER

  • Disclose your personal particulars, banking and credit card details and OTPs to anyone, including family and friends.
  • Act hastily upon seeing a flash deal without confirming its source.
  • Agree to private bank transfers to sellers before delivery.



Protect yourself from e-Wallet scams

Date: 10 February 2021

Due to the current pandemic situation, more people are making payments through e-Wallets such as Apple Pay, Samsung Pay and Google Pay. Recently, there has been an increase in phishing attempts relating to e-Wallets. Hence, it is important that you stay vigilant and familiarise yourself with common scams that take place relating to e-Wallets.


What is an e-Wallet?



An e-Wallet allows you to turn your smartphone into a mobile wallet and experience a faster, more convenient and secure way to pay with just a tap. All you need to do is add your Citi Cards to the mobile wallet (such as Apple Pay/Samsung Pay/Google Pay), tap and pay at merchant terminals or online for merchants that accept e-Wallet as a payment mode.

Click here to learn more about Mobile Payments.

What is an e-Wallet scam?



An e-Wallet scam typically involves the fraudster sending a phishing email or SMS to the victim to request for the victim’s card details on the pretext that the victim’s card details are outdated and require updating, that card details are required to make a refund/credit to them or to deliver a parcel to them. The victim clicks on the URL and is prompted to enter his/her card details and One-Time PIN on a fraudulent website. The fraudster uses these card details to add the victim’s card details into the fraudster’s e‑Wallet. The fraudster then uses this e-Wallet to make transactions which will be charged to the victim’s card.



What should you look out for?






Emails and text messages making fake offers or claims to trick recipients into clicking a link, e.g. payment for parcel delivery, disruptions to services or subscriptions, refunds or promotions.




Link redirects victims to fraudulent websites and tricks them into providing credit card details and One-Time PIN (OTP) sent to their phone so credit card can be added to third party wallet (Apple Pay/Samsung Pay/Google Pay) to make unauthorised transactions.



How to check that the card is added to your own e-Wallet





Match the last four digit of the Device/Digital/Virtual Account Number shown on your device to the last four digit of the Device Account Number mentioned in the email alert sent to your registered email address by Citibank Singapore, upon enrollment of your card to your e-Wallet.



Important things to take note of





ALWAYS

  • Verify the authenticity of the text message/email/information received with the official website or sources.
  • Check and match the last 4 digits of the Device Account Number in the email alert you receive when your card is added to a Wallet App to verify that the card is added to your personal wallet.
  • Inform the bank immediately if you receive an OTP which was not initiated by you to provision your card into Apple Pay/Samsung Pay/Google Pay.
  • Inform the bank immediately if you receive an OTP to provision your card into a Wallet App not used by you or not supported by your device.


NEVER

  • Click on URL links provided in unsolicited emails and text messages.
  • Disclose your personal or internet banking details or OTP to anyone.



Loan Scam

Date: 19th October 2020

We have been alerted of customers receiving unsolicited text messages from unlicensed moneylenders offering loan and loan services.

The message may purport to be sending from "Citibank" or other financial institutions to convince you that they are legitimate. Victims were instructed to transfer monies to the fraudster as a deposit before the loan can be disbursed. After the victims have transferred the monies, the victims find that the fraudsters are no longer contactable.


Examples of loan scam messages




What you should do






Ignore the message




Block and report the numbers on the platform where you received the message



For more information, please refer to www.scamalert.sg.




Social Media and E-Commerce Scams

Date: 18th September 2020

The Singapore Police have continued to see an increase in phishing scams cases involving emails and text messages, with more than 220 reports lodged since January 2020.

Victims of such phishing scams received emails or text messages by scammers impersonating entities the victims know or trust, such as banks, government agencies, trade unions, or companies such as SingPost, StarHub, Netflix, PayPal and DHL. These emails and text messages make fake offers or claims to trick recipients into clicking on an URL link. Such fake offers or claims include outstanding payment for parcel delivery, disruptions to services or subscriptions, refunds, or promotions. Upon clicking on the URL links, victims will be redirected to fraudulent websites where they are tricked into providing their credit/debit card details and One-Time PIN (OTP). Victims only realised that they have been scammed when they discovered unauthorised transactions made using their credit/debit card.

Please refer to the full Singapore Police advisory, which includes examples of phishing emails and phishing websites.


Impersonation Scam

Scammers will impersonate the victim’s friends or followers on social media like Facebook or Instagram using spoofed or compromised accounts and reach out to the victims. The scammers will ask the victims for their contact numbers, images of their credit/debit cards and One-Time PIN (OTP) on the pretext of signing them up for fake lucky draws or promotions on online shopping platforms like Lazada or Shopee.


What does it look like?
Below is the typical flow of a social media impersonation scam






An impersonator poses as someone you know/follow on your social media (e.g. Facebook or Instagram) and sends you a personal message.




The impersonator claims to have lost his/her contact list, asks for personal details such as your mobile phone number to sign you up for contests or promotion campaigns on e-commerce (e.g. Lazada or Shopee) sites.




The impersonator then claims that you have won a lucky draw and asks for your credit card details and OTP in order for him/her to credit the cash prize.




You later discover that the impersonator has made unauthorised fraudulent transactions from your bank account or mobile wallet without your consent.




What should you look out for?

Contact claiming to be someone you know sends you a personal message asking for your mobile phone number and credit card details to sign you up for contests or promotion campaigns on an online shopping platform.
Contact claims that you have won a lucky draw and asks for your credit card details in order to credit the cash prize to you.
Contact asks for the OTP sent to your mobile phone number.
Social media account impersonating your existing contacts sends new friend/follower request to you.

E-Commerce Scam

Scammers will tout a good deal for a gadget, amusement park or concert tickets online, usually pricing these way below market-price and for a limited time period. Victims lured by the attractiveness of the offer will transfer payment to the “seller” who promises to deliver the item which never arrives.

What does it look like?
Below is the typical flow of an e-commerce scam:






An advertisement shows up on your social media (e.g. Facebook or Instagram) selling a product at an attractive price over a flash deal ending in an hour.




You visit the “seller’s” social media account page and follow the URL linking to their “official” webpage. Positive comments from buyers make you think that the “seller” is legitimate.




You hastily decide to make the purchase before the flash sale ends and follow the instructions on the webpage to key in your credit card details.




You receive a confirmation email with the “seller” requiring an additional delivery fee before sending out the product. You are promised delivery within 3 weeks from the purchase.




You do not receive the product and attempt to contact the “seller”. However, there are no responses given once your payment transaction has gone through.



What should you look out for?

Advertisements on your social media show deals from e-commerce that are way below market-price, disguised as limited-time-only or flash deals.
Lack of information on the products or unstated terms and conditions.
Reviews/comments on the product that are only positive.
Seller:
  • requires additional delivery fee before product can be sent out.
  • requests for conversations to be taken off shopping platform.
  • insists on bank transfers instead of using the platform's payment options.

How to protect yourself against social media scams:




ALWAYS

  • Verify the social media account’s legitimacy by checking with your contacts offline, e.g. contacting them via their mobile phone number.
  • Verify the website URL’s legitimacy.
  • Insist on cash-on delivery where possible, or use the platform’s secure payment option.


NEVER

  • Disclose your personal particulars, OTPs and banking and credit card details to anyone, including family and friends.
  • Act hastily upon seeing a flash deal. Always confirm the source.
  • Agree to private bank transfers to sellers before delivery.

 

Impersonation and Technical Support Scam

Date: 24th July 2020

In the first 3 months of 2020, at least S$41.3 million were lost to scammers, based on cases that were reported to the Singapore Police.

As of 5 June 2020, it was reported in the news that more than S$7 million has been lost to scammers who were posing as technical support staff from January to April 2020, an increase of more than 40 times from the same period in 2019.

We would like to remind our customers to be wary of phone calls or SMSes claiming to be from banks, government agencies, courier or telco companies or any technical support teams requesting for you to provide them with your banking or log in credentials, perform funds transfers or asking you to update your information with them.

These calls/SMSes prey on your fears by making you think that your data/accounts have been compromised or that there are illegal activities linked to you, your account or your IP address.

In these calls:



The fraudster may deceive you into revealing your banking or login credentials such as Username, Password, One-Time PIN ("OTP") and/or Transaction Authorisation Code ("TAC"). The fraudster may claim that he/she need the information to assist in investigations but this is all part of the ruse.


The fraudster may trick you into performing a funds transfer from your account to foreign bank accounts.


The fraudster usually works with other persons purporting to be from government/law enforcement agencies in Singapore or overseas to try to lull you into a sense of confidence.


We set out below, a step-by-step flow of the latest impersonation and technical support scams that have been reported. Please take some time to read this and share with your family and loved ones.

Here is a typical flow of impersonation scam:

Customer receives a call from someone claiming to be from a Bank/Telco/Government agency/ Courier company, informing him/her that his/her internet account has been hacked and used for illegal activities.

The call is then transferred to a Police/Interpol/Cybercrime police etc.

Customer is advised by the impersonator to download a screen sharing software and then log in to his/her Citi account during the screen sharing, in order to catch the fictitious hacker.

In certain cases, impersonator will provide the payee details to customer and advise customer to perform the fund transfer to the payee directly.

During screen sharing, impersonator is able to see customer’s User ID, Password and One-time PIN (OTP). He then uses the OTP to download Citi Mobile® Token, adds a payee and performs fund transfer or advises you to add payee and perform fund transfer to the payee.

Customer is told to ignore all SMS alerts from Citi as that is the bank’s practice. Any amount transferred will be refunded to him/her as it is used as a “bait” to catch the hacker. The impersonator will assure the customer that the money will be returned the customer.

When customer tries to call the impersonator to check on the return of funds, the impersonator is uncontactable. Monies would have already been transferred out of his/her banking accounts.


Below is a typical flow of a technical support scam.

Customer experiences a technical fault on his/her device and a technical support hotline (e.g. from Microsoft) pops up on his/her screen. Customer proceeds to call the hotline.
Someone claiming to be from the customer support team answers and walks customer through the steps of installing a screen sharing software (e.g. the Ultraviewer), in order to recover his/her device.
Scammer will be able to see the User ID/Password & OTP and use the information to enable customer's Citi Mobile® Token and add payee and transfer funds out of customer's banking accounts.
Customer will be asked to submit his/her NRIC in order to process the documents for the enhanced security protocols. Customer will be assured that his accounts are safe and told to ignore all SMS alerts from the bank.
When customer terminates the line and disconnects his/her devices from the network, monies had already been debited from his/her banking accounts.


Customers are reminded to exercise caution at all times.
Take note of the following important pointers:

Impersonators may use Caller ID spoofing technology to mask their actual number and instead display a name/number one that purports to be from a Bank/Telco/Government agency/Courier company.
No government agency will request for your personal and banking details, or request for you to transfer money over the phone or through automated voice machines.
Do not act under the instructions of anyone suspicious.
Always verify the identity of the caller. You can do so by calling the official contact number of the relevant entity. Do not assume that the caller is genuine.
Do not give out any personal and banking information (i.e. User ID, password or OTP) to anyone.

Treat them like your ATM PIN.

 

Customer Advisory – 3rd Party Mobile Applications / Websites

Date: 24th April 2019

Description: Do not use 3rd Party Mobile Applications / Websites for viewing Online Banking Details

We are aware that there are 3rd Party Mobile Applications / Websites that allow customers to have a consolidated view of their financial expenses / transactions across multiple banks, credit card, investments, equity trades, and loan accounts in one place.

Citibank would like to remind our customers not to download any 3rd Party Mobile Applications / Websites to view / access your Citibank Online accounts. There is a potential risk of your online banking credentials being compromised as Username and Password has been shared with the application.

To protect yourself, always exercise the following precautions:

  • Do not download any 3rd Party Mobile Applications to view your online banking details.
  • Do not input your Citibank Online Username and Password when requested by such applications / websites.
  • If already inputted, immediately change Username and Password.

Use of Citibank Online is personal to you and no third party should be allowed to access/view your account/account information via Citibank Online, whether or not you have consented to such third party’s access. This is to prevent any unauthorized access or use of your account and account information. You are responsible for keeping any of your log-in credentials (including User ID and Password) confidential and you cannot reveal your log-in credentials to any third party.

Where you have revealed your log-in credentials to a third party, please note that Citibank is not liable for and you have to compensate us for any losses arising out of any use of your log-in credentials. In such an event, we also have the right, from a risk management perspective, to suspend your access to Citibank Online at any time.

 

Citi Email Addresses

Date: 14th April 2019

Description: Please note that we will send you email notifications from the following Citibank email addresses.

 

Email Addresses
alerts@citibank.com.sg
statements@citibank.com.sg
advices@citibank.com.sg
welcome@citibank.com.sg
marketing@citibank.com.sg
services@citibank.com.sg
chargeback@citibank.com.sg
customerservice@citibank.com.sg
client@experience.citi.com
customerservice@thankyou.citi.com

 

Customer Advisory

Date: 5th September 2018

Description: Be alert to emails and SMS scams.

We would like to remind our customers to remain vigilant when responding to emails and SMS messages from senders masquerading as popular brands, often requesting for you to:

  • Complete a survey or a quiz, with the promise of cash prizes, loyalty points or air miles.
  • Provide your card number, in order to participate in the survey or quiz.
  • Provide your mobile phone number.

As a further tactic to convince victims of the authenticity of these scams, a One-Time Pin (OTP) will be sent to the mobile phone number that you've just provided. Unfortunately, with the successful solicitation of this information, the scammer would have gathered the necessary details to perform unauthorized transactions on your Citi Cards.

To protect yourself, always exercise the following precautions:

  • When clicking on a link from an email, always check that the internet address that you are directed to is legitimate by verifying it in the web browser. If you're unsure, please check this with the brand or merchant.
  • Never disclose your card numbers on merchant websites that have internet addresses that look incorrect.
  • Check if the web browser displays a Locked Padlock icon. Reputable sites would have these.
  • Never disclose your OTP to websites that you might be unfamiliar with.
  • Always check your account statements regularly to detect any unauthorized transactions. For a real-time view of your transactions, login to the Citi Mobile® App.

Phishing Emails

Date: 7th August 2018

Description: We have detected phishing emails and webpages targeting Citi customers. These phishing emails comes from a non-Citi email address and requests Citi customers click on a hyperlink to unlock / update their online banking / credit card account.

If a customer falls victim to the phishing email and clicks on the hyperlink, they will be redirected to a page URL that is not official Citi website, requesting for a user's information (Username and Password), followed by a request to provide an SMS OTP. Such websites are used to conduct card not present transactions but may also be utilized in order to steal personally identifiable data, username-password combinations, OTPs or infect a user's device as well as fraudulent enrollment of Citi © Mobile Token (which may be used to carry out payments to these fraudsters).

How can you protect yourself from this?

  • Be alert. Minimize clicking on links in emails as these may not be legitimate.
  • Check that you are using the official Citi website. Always type the Citibank Online website URL directly into the address bar of your browser. If you are on mobile, consider using the official Citibank Mobile application .
  • Citi will never request for your PIN, password or OTP through phone call, email or SMS. Call Citiphone immediately if you notice unknown transactions appearing on your account.

citi screen

 

citi screen

 

citi screen

 

citi screen

 

citi screen

 

citi screen

 

Customer Advisory

Date: 20th July 2018

Description: SingHealth has reported a data breach affecting more than 1.5 million SingHealth patients. Patient data stolen included personally identifiable information such as names, addresses, birthdays, and NRIC numbers. Approximately 160,000 patients had details of medical prescriptions stolen. Stolen credentials may be used to conduct social engineering and phishing scams. Such scams utilize personally identifiable information to appear legitimate.

How can you protect yourself from this?

  • Be alert. Do not provide personal or bank information to unsolicited callers.
  • Never give out any sensitive personal information (including login passwords or one-time passwords) over the phone or via email. Our staff will never ask you for such information.
  • Contact Citiphone immediately if you are in any doubt of a call, SMS or email's validity.

 

SMS Phishing

Date: 20th May 2018

Description: We have detected multiple Phishing Emails. The sender email addresses varies from those ending with @gmail.com, @hotmail.com, @yahoo.com, etc. They contain messages including the requirement to update account details due to system maintenance or "New Message from Citibank". A hyperlink that purports to be a Citibank hyperlink (but is not) is also included in the message and takes customer to URLs that does not belong to official Citibank. The site has the same look and feel of that of Citibank Online. Such websites are designed to trick users into providing their online banking and credit card details to conduct fraudulent / unauthorized bank transfers and / or credit card transactions. Credit Card details provided could also be used to enroll for Payment Wallets such as Samsung Pay, Android Pay, Google Pay and Apple Pay.

How can you protect yourself from this?

  • Be alert. Minimize clicking on links in SMSs as these may not be legitimate.
  • Check that you are using the official Citi website. Always type the Citibank Online website URL directly into the address bar of your browser. If you are on mobile, consider using the official Citibank Mobile application .
  • Never reply to unsolicited SMSs. Responses to such SMSs could be used by fraudsters to socially engineer information or trick users into performing unwanted actions.
  • Only provide your credit card details if you're making a direct purchase. Always check that you intend to conduct a credit card transaction and do not provide an OTP to authorize payment if you are not.
  • Citi will never request for your PIN, password or OTP through phone call, email or SMS. Call Citiphone immediately if you notice unknown transactions appearing on your account.

citi screen

 

citi screen

 

citi screen

 

citi screen

How You Can Protect Yourself

Protect Yourself from Fraud

Here are few types of fraud and the preventive steps that you can take to prevent yourself from becoming a victim.

Impersonation Scam

Impersonation scams are calls from people claiming to be government officials or staff members of any agency asking for personal details. Callers may claim your identity was used for suspicious activity and may intimidate you into giving them personal information such as your passport, bank account number, internet banking credentials or One-Time PIN (OTP).


How to protect yourself against impersonation scams:




Do not follow the caller’s instructions, including allowing remote access to your electronic or mobile devices. In some cases, scammers may threaten you not to talk to anyone about your situation so that you are unable to verify if it is a scam.




Do not disclose your banking or card credentials and One-Time PIN (OTP), and do not lend your ATM/ Credit Card/ Hardware Token to anyone.




Read carefully the content of any OTP received and never disclose your OTP to anyone over the phone or to unfamiliar websites.




Always review any SMS or email notifications from Citibank relating to your account and report any unauthorised transactions to Citibank immediately.


Phishing


Phishing emails, also known as hoax or spoof emails, are fraudulent emails that appear to be sent from a trusted source but are in fact, designed to trick you into revealing valuable data such as your User ID, password, card details and
One-Time Pin (OTP).

Be aware of emails claiming to be Citi

Be aware of emails claiming to be Citi

Be aware of emails claiming to be Citi

  • Always check the sender's email address.
  • Remember that Citi will never ask you to confirm a payment or transaction via email.
  • If in doubt, don't click the link and report to Citi's fraud reporting service .

Be aware of websites imitating Citi

Be aware of websites imitating Citi

Be aware of websites imitating Citi

Never enter your details into website unless you see the padlock icon + address

Never enter your details into website unless you see the padlock icon + address

Never enter your details into website unless you see the padlock icon + address

  • Ensure that the padlock icon is displayed on the internet browser address bar.
  • Your internet browser address bar should always display "https" instead of "http" when banking with Citi online.

SMiShing


SMiShing messages appear to be from a legitimate company and typically contain a link that takes you to a spoof website, or it may ask you to call a phone number. Even if you don't enter any information, clicking the link can lead to other problems, such as installing malicious software or dangerous viruses to your phone.

HOW TO RECOGNISE SMS FRAUD

You may receive an SMS from a fraudster posing as your bank requesting you to share personal information, such as account or card details.

You may receive an SMS from a fraudster posing as Citibank, requesting you to share personal information, such as account or card details.

In most cases you will be directed to a fraudulent lookalike website that requests you to enter your:

In most cases you will be directed to a fraudulent lookalike website that requests you to enter your:

  • Card details
  • Name & Address
  • User ID & Password
  • One-Time PIN (OTP)

Fraudsters can utilise your details to make immediate purchases or fund transfers.

Fraudsters can utilise your details to make immediate purchases or fund transfers.

Security Tips

  • Remove file and printer sharing when your computer is connected to the Internet.
  • Regularly backup critical data and encrypt these data with minimal 128-bit encryption.
  • Delete junk or chain emails

Keep Your Card Safe At All Times

Here are some tips on how you can keep your card safe from fraudulent activities.


To learn more on how you can protect yourself online, click here

Your Role and Responsibility

You have an important role to play to ensure that you and your account(s) are protected while banking with us electronically. Here are some useful tips:

Your Role and Responsibility

In September 2018, the Monetary Authority of Singapore (“MAS”) issued the e-Payment User Protection Guidelines (the “Guidelines”), which essentially set out the expectations of MAS of any responsible financial institution that issues or operates a protected account. It also covers duties of account holders and account users of protected accounts and provide guidance on the liability for losses arising from unauthorised and erroneous transactions. The Guidelines are effective 30 June 2019 and last updated on 5 September 2020.

The Guidelines define:

  • (1) a "payment account" as:
    • (a) any account, or any device or facility (whether in physical or electronic form), that —
      • (i) is held in the name, or associated with the unique identifier, of any person, and is used by that person for the initiation of a payment order or the execution of a payment transaction, or both; or
      • (ii) is held in the names, or associated with the unique identifiers, of 2 or more persons, and is used by any of those persons for the initiation of a payment order or the execution of a payment transaction, or both; and
    • (b) an account which includes a bank account, debit card, credit card or charge card.
  • (2) a “payment transaction” as the placing, transfer or withdrawal of money, whether for the purpose of paying for goods or services or for any other purpose, and regardless of whether the intended recipient of the money is entitled to the money, where the placing, transfer or withdrawal of money is initiated through electronic means and where the money is received through electronic means;
    • (a) the placing, transferring or withdrawing of money for the purposes of making payment for goods or services; and
    • (b) the placing, transferring or withdrawing of money for any other purpose.
  • (3) a “protected account” as any payment account that:
    • (a) is held in the name of one or more persons, all of whom are either individuals or sole proprietors;
    • (b) is capable of having a balance of more than S$500 (or equivalent amount expressed in any other currency) at any one time, or is a credit facility;
    • (c) is capable of being used for electronic payment transactions; and
    • (d) where issued by a relevant payment service provider is a payment account that stores specified e-money.
  • (4) an "unauthorised transaction" (in relation to any protected account) as any payment transaction initiated by any person without the actual or imputed knowledge and implied or express consent of an account user of the protected account.

In accordance with the Guidelines, Citibank would like our customers and account users of protected accounts to take note of (a) their duties set out in section 3 of the Guidelines, and (b) Citibank’s duties set out in section 4 (excluding paragraph 4.3) of the Guidelines. You should note that except for paragraph 4.4 (which relates to the sending of transaction notifications i.e. Citi Alerts), section 4 of the Guidelines do not apply to Citibank in respect of any credit card, charge card or and debit card issued by Citibank. Please carefully review the Guidelines here.

We would like to draw your attention to para 3.3 of the Guidelines which provides that it is the customer/account user’s responsibility to enable transaction notifications (i.e. Citi Alerts) on any device (used to receive transaction notifications from Citibank). Customers/Account users are required to opt to receive transaction notifications for all outgoing transactions of (any amount) made from your protected account, and to monitor the transaction notifications sent to you or the designated account contact. (For this reason, Citibank will assume that you will monitor such transaction notifications without further reminders or repeat notifications.)

If you wish to select threshold amounts for outgoing transaction alerts, simply login to Citibank Online at www.citibank.com.sg and navigate to 'Manage Alerts' under 'My Profile'. You will be able to amend your alerts preferences as well as your preferred mode of notification.

Please ensure that your contact information maintained with Citibank is accurate.

Some of your other duties are to protect the Unlock Code you use to authenticate any payment transaction or your identity (e.g. your password or OTP) and to protect access to your protected account such as by ensuring you have strong passwords and keeping your software updated.

An account user would be responsible for actual loss arising from an unauthorised transaction if such account user’s recklessness was the primary cause of loss. Recklessness would include the situation where the account user deliberately did not comply with the duties set out in section 3 of the Guidelines, which includes the duty to enable transaction alerts. It is therefore important to understand that the preferences you set for transaction alerts (including how low or high your selected threshold amount is, and the types of transactions for which you elect to receive notifications) would affect how the liability framework in section 5 of the Guidelines would be applied and how any claim by you in relation to an unauthorised transaction would be resolved.

You are also required to report any unauthorized transactions as soon as possible after receiving a transaction alert and to provide information on such unauthorized transactions to Citibank within a reasonable time.

Liability Framework for Unauthorised Transactions under the Guidelines

The Guidelines set out in section 5, a liability framework relating to unauthorized transactions effected on a protected account. For the avoidance of doubt, the section 5 liability framework does not apply in respect of any Citibank credit card, charge card or debit card (this issue being addressed in the relevant cardholder agreements). Further, Customers should note that the Guidelines provide that “where any account user knew of and consent to a transaction (“authorised transaction”), such a transaction is not an unauthorised transaction, notwithstanding that the account holder may not have consent to the transaction.

The information set out below has been distilled from section 5. However, Customers are advised to read the Guidelines.

Scenario (1): Customer is liable for actual loss

The customer will be liable for the actual loss arising from an unauthorized transaction on a protected account if the customer/account user’s recklessness was the primary cause of the loss. Recklessness would include the situation where any account user deliberately did not comply with section 3 of the Guidelines.

Scenario (2): Account holder is not liable for any loss

The customer is not liable for any loss arising from an unauthorized transaction if the loss arises from any action or omission by Citibank and does not arise from any failure by any account user to comply with any duty in section 3 of the Guidelines.

Any action or omission by Citibank includes the following:

  • (a) fraud or negligence by Citibank, its employee, its agent or any outsourcing service provider contracted by Citibank to provide Citibank's services through the protected account;
  • (b) non-compliance by Citibank or its employee with any requirement imposed by MAS on Citibank in respect of its provision of any financial service; and
  • (c) non-compliance by Citibank with any duty set out in section 4 of the Guidelines.

Scenario (3): Loss resulting from any action or omission of any independent third party

The customer is not liable for any loss arising from an unauthorized transaction that does not exceed S$1,000, if the loss arises from any action or omission by any third party not referred to in scenario (2) above, and does not arise from any failure by any account user to comply with any duty in section 3 of the Guidelines.

Other Advisory

Always make sure that you have entered your User ID and Password and other confidential information in the legitimate Citibank Website by entering Citibank's Website address https://www.citibank.com.sg or https://www.citigold.com.sg directly onto your Web browser.

How Citi Protects You

We're constantly updating and improving our wide variety of security measures, providing you the confidence you need when using Citi Mobile or Citibank Online.

Web Security

  • Our 128-bit SSL (Secure Sockets Layer) encryption engine provides industry standard levels of security, ensuring your information can't be accessed by anyone else.

    Secure Sockets Layer
  • The green address bar on Citi websites indicates that the site has undergone extensive vetting by our security teams and has been granted a security certificate known as an Extended Validation SSL Certificate.
  • For safety, we’ll suspend your online access if three failed login attempts are made. We’ll also block access to cash machines if the wrong PIN is entered three times.
  • You are recommended to use supported and updated browsers to ensure your internet banking is secured at all times. Learn More
  • Every time you sign in to Citibank Online, the date and time of your last visit are shown. If you didn't sign in then, this will indicate an unauthorised account access has occurred.

2-way SMS Notification

2 way SMS verification
  • Our 2-Way SMS service alerts you of any suspicious transactions on your account. It is important that you respond to us immediately:
    • You should reply to the SMS with "1" if the transaction is authorised by you or "2" if the transaction is not authorised by you.
  • Please note
    • You will receive the SMS from the number 72484 ("Short Code") if your registered mobile is a Singapore number and +65 9657 2484
      ("Long Code") if your registered number is not a Singapore number*.
    • We will not ask for any additional information to be provided other than "1" or "2".
    • If you are overseas or holding onto an overseas mobile number, please send your reply to +65 9657 2484.
    • Please contact the Fraud Hotline +6563375519 if you have any issues.
  • You can stay on top of your account activities with customised Citi Alerts, where you can get SMS or email notifications whenever there is a specific transaction on your account. Learn More

Citi Mobile® Token

  • Citi Mobile® Token is a feature within the Citi Mobile® App that authenticates transactions as an alternative to other authentication methods such as Online Security Device, or One-Time PIN (OTP) via SMS.
  • The benefits of Citi Mobile Token are:

    SECURE

    SECURE

    Protected by a 6-digit Unlock Code chosen by you and restricted to one device of your choice.

    INSTANT

    INSTANT

    Enter your unique Unlock Code to instantly authenticate your transactions initiated in Citi Mobile® App on your Citi Mobile® Token enabled device. No more waiting for an OTP via SMS, or worrying about misplacing your Online Security device.

    EASY

    EASY

    Authenticates all online transactions such as payments and transfers, adding new payee and updating your contact details. It also generates OTP for online purchases.

  • With the Citi Mobile® Token, you can instantly authenticate all transactions initiated in the Citi Mobile® App. You can also instantly generate OTP with your unique Unlock Code to authenticate transactions on Citibank Online or for online purchases. To learn more, click here
  • After enrolling to Citi Mobile® Token, you should not share or reveal your Unlock Code to anyone, including Citibank.

Misplaced your card? Lock your card on the Citi Mobile® App

Lock your card
  • If you’ve misplaced your card, you can temporarily lock your card at Citi Mobile® App so that no one else can use it. You can unlock your card just as easily when you need to.
  • While your card is locked, you will not be able to use it for point-of-sale transactions. However, any recurring payment instructions that you may have established on your card will not be affected.
  • To terminate your card and request for a replacement if your card is lost or stolen, please call our Citiphone hotline.
Contact Us

If you suspect there are unauthorised transactions on your account or you wish to report suspicious emails, SMS messages or phishing websites:

Step 1

Call

  • CitiPhone banking: (65) 6225-5225
  • Commercial Bank hotline: (65) 6238 8833

Email: spoof@citicorp.com.

 

Step 2

Change your Citibank Online User ID, Password and ATM PIN immediately.