Security Centre

Welcome to the Security Centre.

Your security is our priority.

Stay Protected with Online Security Tips by Citibank Singapore.

Learn how we protect your banking experience at Citi, and how you can protect yourself against identity theft and other security risks at the same time.

As the first step to protect your accounts, we’ll educate you on the different types of fraud that exist – from discovering how to spot and stop fraud, to the additional preventive steps that you can take.

Always remember to check that the citibank.com.sg website has a valid certificate marked Citigroup Inc. [US] when you access Citibank Online.

Online Security Tips


How You Can Protect Yourself

Protect Yourself from Fraud

Here are a few types of fraud and the steps that you can take to avoid becoming a victim.

Phishing


Phishing emails, also known as hoax or spoof emails, are fraudulent emails that appear to be sent from a trusted source but are, in fact, designed to trick you into revealing valuable data such as your User ID, password, card details and One-Time PIN (OTP).

Be aware of emails claiming to be Citi


  • Always check the sender's email address.
  • Remember that Citi will never ask you to confirm a payment or transaction via email.
  • If in doubt, don't click the link and report to Citi's fraud reporting service.

Be aware of websites imitating Citi


Never enter your details into a website unless you see the padlock icon and "https" in the address


  • Ensure that the padlock icon is displayed on the internet browser address bar.
  • Your internet browser address bar should always display "https" instead of "http" when banking with Citi online.

SMiShing


SMiShing messages appear to be from a legitimate company and typically contain a link that takes you to a spoof website, or it may ask you to call a phone number. Even if you don't enter any information, clicking the link can lead to other problems, such as installing malicious software or dangerous viruses to your phone.

HOW TO RECOGNISE SMS FRAUD


You may receive an SMS from a fraudster posing as Citibank, requesting you to share personal information, such as account or card details.

In most cases you will be directed to a fraudulent lookalike website that requests you to enter your:


  • Card details
  • Name & Address
  • User ID & Password
  • One-Time PIN (OTP)

Fraudsters can utilise your details to make immediate purchases or fund transfers.


Security Tips

  • Remove file and printer sharing when your computer is connected to the Internet.
  • Regularly back up critical data and encrypt it with at least 128-bit encryption.
  • Delete junk or chain emails.

Keep Your Card Safe At All Times

Here are some tips on how you can keep your card safe from fraudulent activities.


To learn more on how you can protect yourself online, click here

Your Role and Responsibility

You have an important role to play to ensure that you and your account(s) are protected while banking with us electronically. Here are some useful tips:


In September 2018, the Monetary Authority of Singapore (“MAS”) issued the e-Payment User Protection Guidelines (“Guidelines”), which essentially set out the expectations of MAS of any responsible financial institution that issues or operates a protected account. The Guidelines are effective 30 June 2019.

The Guidelines define:

  • (1) a "payment account" as:
    • (a) any account held in the name of, or any account with a unique identifier of, one or more persons; or
    • (b) any personalized device or personalized facility, which is used by any person for the initiation, execution, or both of payment transactions and includes a bank account, debit card, credit card and charge card.
  • (2) a "payment transaction" to mean an act, initiated by the payer or payee, of placing, transferring or withdrawing money, irrespective of any underlying obligations between the payer or payee, where the act is initiated through electronic means and where money is received through electronic means, and includes:
    • (a) the placing, transferring or withdrawing of money for the purposes of making payment for goods or services; and
    • (b) the placing, transferring or withdrawing of money for any other purpose.
  • (3) a "protected account" as any payment account that:
    • (a) is held in the name of one or more persons, all of whom are either individuals or sole proprietors;
    • (b) is capable of having a balance of more than S$500 (or its equivalent amount expressed in any other currency) at any one time, or is a credit facility; and
    • (c) is capable of being used for electronic payment transactions
  • (4) an "unauthorised transaction" (in relation to any protected account) as any payment transaction initiated by any person without the actual or imputed knowledge and implied or express consent of an account user of the protected account.

In accordance with the Guidelines, Citibank would like to inform customers and account users of protected accounts about (a) their duties set out in section 3 of the Guidelines, and (b) Citibank’s duties set out in section 4 (excluding paragraph 4.3) of the Guidelines. You should note that except for paragraph 4.4 (which relates to the sending of transaction notifications, i.e. Citi Alerts), section 4 of the Guidelines does not apply to Citibank in respect of any credit card, charge card or debit card issued by Citibank. Please carefully review the Guidelines here.

We would like to draw your attention to para 3.3 of the Guidelines, which provides that it is the customer/account user’s responsibility to enable transaction notifications (i.e. Citi Alerts) on any device used to receive transaction notifications from Citibank. Customers/account users are required to opt to receive transaction notifications for all outgoing transactions (of any amount) made from their protected account, and to monitor the transaction notifications sent to them or the designated account contact. (For this reason, Citibank will assume that you will monitor such transaction notifications without further reminders or repeat notifications.)

If you wish to select threshold amounts for outgoing transaction alerts, simply login to Citibank Online at www.citibank.com.sg and navigate to 'Manage Alerts' under 'My Profile'. You will be able to amend your alerts preferences as well as your preferred mode of notification.

Please ensure that your contact information maintained with Citibank is accurate.

Some of your other duties are to protect the Unlock Code you use to authenticate any payment transaction or your identity (e.g. your password or OTP) and to protect access to your protected account such as by ensuring you have strong passwords and keeping your software updated.

An account user would be responsible for actual loss arising from an unauthorised transaction if such account user’s recklessness was the primary cause of loss. Recklessness would include the situation where the account user deliberately did not comply with the duties set out in section 3 of the Guidelines, which includes the duty to enable transaction alerts. It is therefore important to understand that the preferences you set for transaction alerts (including how low or high your selected threshold amount is, and the types of transactions for which you elect to receive notifications) would affect how the liability framework in section 5 of the Guidelines would be applied and how any claim by you in relation to an unauthorised transaction would be resolved.

You are also required to report any unauthorized transactions as soon as possible after receiving a transaction alert and to provide information on such unauthorized transactions to Citibank within a reasonable time.

Liability Framework for Unauthorised Transactions under the Guidelines

The Guidelines set out, in section 5, a liability framework relating to unauthorized transactions effected on a protected account. For the avoidance of doubt, the section 5 liability framework does not apply in respect of any Citibank credit card, charge card or debit card (this issue being addressed in the relevant cardholder agreements). Further, customers should note that the Guidelines provide that “where any account user knew of and consented to a transaction (“authorised transaction”), such a transaction is not an unauthorised transaction, notwithstanding that the account holder may not have consented to the transaction”.

The information set out below has been distilled from section 5. However, Customers are advised to read the Guidelines.

Scenario (1): Customer is liable for actual loss

The customer will be liable for the actual loss arising from an unauthorized transaction on a protected account if the customer/account user’s recklessness was the primary cause of the loss. Recklessness would include the situation where any account user deliberately did not comply with section 3 of the Guidelines.

Scenario (2): Account holder is not liable for any loss

The customer is not liable for any loss arising from an unauthorized transaction if the loss arises from any action or omission by Citibank and does not arise from any failure by any account user to comply with any duty in section 3 of the Guidelines.

Any action or omission by Citibank includes the following:

  • (a) fraud or negligence by Citibank, its employee, its agent or any outsourcing service provider contracted by Citibank to provide Citibank's services through the protected account;
  • (b) non-compliance by Citibank or its employee with any requirement imposed by MAS on Citibank in respect of its provision of any financial service; and
  • (c) non-compliance by Citibank with any duty set out in section 4 of the Guidelines.

Scenario (3): Loss resulting from any action or omission of any independent third party

The customer is not liable for any loss arising from an unauthorized transaction that does not exceed S$1,000, if the loss arises from any action or omission by any third party not referred to in scenario (2) above, and does not arise from any failure by any account user to comply with any duty in section 3 of the Guidelines.

Other Advisory

Always make sure that you enter your User ID, Password and other confidential information only on the legitimate Citibank website, by typing Citibank's website address https://www.citibank.com.sg or https://www.citigold.com.sg directly into your web browser.

How Citi Protects You

We're constantly updating and improving our wide variety of security measures, providing you the confidence you need when using Citi Mobile or Citibank Online.

Web Security

  • Our 128-bit SSL (Secure Sockets Layer) encryption engine provides industry standard levels of security, ensuring your information can't be accessed by anyone else.

  • The green address bar on Citi websites indicates that the site has undergone extensive vetting by our security teams and has been granted a security certificate known as an Extended Validation SSL Certificate.
  • For safety, we’ll suspend your online access if three failed login attempts are made. We’ll also block access to cash machines if the wrong PIN is entered three times.
  • You are recommended to use supported and updated browsers to ensure your internet banking is secured at all times. Learn More
  • Every time you sign in to Citibank Online, the date and time of your last visit are shown. If you didn't sign in then, this will indicate an unauthorised account access has occurred.

2-way SMS Notification

  • Our 2-Way SMS service alerts you of any suspicious transactions on your account. It is important that you respond to us immediately:
    • You should reply to the SMS with "1" if the transaction is authorised by you or "2" if the transaction is not authorised by you.
  • Please note
    • You will receive the SMS from the number 72484 ("Short Code") if your registered mobile is a Singapore number and +65 9657 2484 ("Long Code") if your registered number is not a Singapore number*.
    • We will not ask for any additional information to be provided other than "1" or "2".
    • If you are overseas or holding onto an overseas mobile number, please send your reply to +65 9657 2484.
    • Please contact the Fraud Hotline +6563375519 if you have any issues.
  • You can stay on top of your account activities with customised Citi Alerts, where you can get SMS or email notifications whenever there is a specific transaction on your account. Learn More

Citi Mobile® Token

  • Citi Mobile® Token is a feature within the Citi Mobile® App that authenticates transactions as an alternative to other authentication methods such as Online Security Device, or One-Time PIN (OTP) via SMS.
  • The benefits of Citi Mobile Token are:

    SECURE


    Protected by a 6-digit Unlock Code chosen by you and restricted to one device of your choice.

    INSTANT


    Enter your unique Unlock Code to instantly authenticate your transactions initiated in Citi Mobile® App on your Citi Mobile® Token enabled device. No more waiting for an OTP via SMS, or worrying about misplacing your Online Security device.

    EASY


    Authenticates all online transactions such as payments and transfers, adding new payee and updating your contact details. It also generates OTP for online purchases.

  • With the Citi Mobile® Token, you can instantly authenticate all transactions initiated in the Citi Mobile® App. You can also instantly generate OTP with your unique Unlock Code to authenticate transactions on Citibank Online or for online purchases. To learn more, click here
  • After enrolling to Citi Mobile® Token, you should not share or reveal your Unlock Code to anyone, including Citibank.

Misplaced your card? Lock your card on the Citi Mobile® App

  • If you’ve misplaced your card, you can temporarily lock it in the Citi Mobile® App so that no one else can use it. You can unlock your card just as easily when you need to.
  • While your card is locked, you will not be able to use it for point-of-sale transactions. However, any recurring payment instructions that you may have established on your card will not be affected.
  • To terminate your card and request for a replacement if your card is lost or stolen, please call our Citiphone hotline.

Contact Us

If you suspect there are unauthorised transactions on your account or you wish to report suspicious emails, SMS messages or phishing websites:

Step 1

Call

  • CitiPhone banking: (65) 6225-5225
  • Commercial Bank hotline: (65) 6238 8833

Email: spoof@citicorp.com.

 

Step 2

Change your Citibank Online User ID, Password and ATM PIN immediately.

Latest Security Alert

Security Alerts and Information

Customers of Citibank Singapore Limited are advised to check this page regularly for the latest security alerts and/or news. If you are unsure whether any call, email or SMS is genuinely from Citibank, please contact us immediately and refrain from taking any further action. Whilst Citibank strives to provide you with the latest security alerts and/or news, please note that this webpage and the examples of scams/phishing listed here are not exhaustive.

 

Customer Advisory – 3rd Party Mobile Applications / Websites

Date: 24th April 2019

Description: Do not use 3rd Party Mobile Applications / Websites for viewing Online Banking Details

We are aware that there are 3rd Party Mobile Applications / Websites that allow customers to have a consolidated view of their financial expenses / transactions across multiple banks, credit card, investments, equity trades, and loan accounts in one place.

Citibank would like to remind our customers not to use any 3rd Party Mobile Applications / Websites to view / access their Citibank Online accounts. There is a potential risk of your online banking credentials being compromised, because your Username and Password are shared with the application.

To protect yourself, always exercise the following precautions:

  • Do not download any 3rd Party Mobile Applications to view your online banking details.
  • Do not input your Citibank Online Username and Password when requested by such applications / websites.
  • If you have already entered them, change your Username and Password immediately.

Use of Citibank Online is personal to you and no third party should be allowed to access/view your account/account information via Citibank Online, whether or not you have consented to such third party’s access. This is to prevent any unauthorized access or use of your account and account information. You are responsible for keeping any of your log-in credentials (including User ID and Password) confidential and you cannot reveal your log-in credentials to any third party.

Where you have revealed your log-in credentials to a third party, please note that Citibank is not liable for and you have to compensate us for any losses arising out of any use of your log-in credentials. In such an event, we also have the right, from a risk management perspective, to suspend your access to Citibank Online at any time.

 

Citi Email Addresses

Date: 14th April 2019

Description: Please note that we will send you email notifications from the following Citibank email addresses.

 

Email Addresses
alerts@citibank.com.sg
statements@citibank.com.sg
advices@citibank.com.sg
welcome@citibank.com.sg
marketing@citibank.com.sg
services@citibank.com.sg
chargeback@citibank.com.sg
customerservice@citibank.com.sg
client@experience.citi.com
customerservice@thankyou.citi.com
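
An added example (not Citibank's code) of how a mail filter could apply the list above: the sender must match a listed address exactly, and, going beyond what the page states, a listed address is accepted only when the receiving server recorded a DMARC pass, because the From header can be forged. The trusted server name and all sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Sender addresses copied from the list above.
CITI_SENDERS = frozenset({
    "alerts@citibank.com.sg", "statements@citibank.com.sg",
    "advices@citibank.com.sg", "welcome@citibank.com.sg",
    "marketing@citibank.com.sg", "services@citibank.com.sg",
    "chargeback@citibank.com.sg", "customerservice@citibank.com.sg",
    "client@experience.citi.com", "customerservice@thankyou.citi.com",
})

# Assumption (hypothetical value): the authserv-id that our own inbound mail
# server writes at the start of each Authentication-Results header (RFC 8601).
TRUSTED_AUTHSERV_ID = "mx.mailhost.example"

DMARC_PASS = re.compile(r"\bdmarc=pass\b[^;]*?\bheader\.from=([\w.-]+)", re.I)


def dmarc_pass_domain(msg):
    """Domain of a dmarc=pass result stamped by our own server, else None."""
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = header.partition(";")
        parts = authserv_id.split()
        # Ignore results written by any other host: the sender can add those.
        if not parts or parts[0].lower() != TRUSTED_AUTHSERV_ID:
            continue
        match = DMARC_PASS.search(results)
        if match:
            return match.group(1).lower()
    return None


def classify_sender(raw_message):
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    if addr not in CITI_SENDERS:
        # Exact match only. A display name or lookalike domain that merely
        # mentions Citi is treated as impersonation.
        if "citi" in display.lower() or "citi" in addr:
            return "impersonation"
        return "not-citi"
    # The From header is chosen by the sender, so a listed address counts
    # only when our server recorded a DMARC pass for the same domain.
    if dmarc_pass_domain(msg) == addr.rpartition("@")[2]:
        return "listed-authenticated"
    return "listed-unauthenticated"


def sample_message(from_header, auth_results=None):
    """Build a constructed message for the demo (not real mail)."""
    lines = ["Authentication-Results: " + auth_results] if auth_results else []
    lines += ["From: " + from_header, "Subject: Account notice", "", "body"]
    return "\n".join(lines)


SAMPLES = {  # all constructed
    "genuine": sample_message(
        '"Citi Alerts" <alerts@citibank.com.sg>',
        "mx.mailhost.example; dkim=pass header.d=citibank.com.sg;"
        " dmarc=pass header.from=citibank.com.sg"),
    "forged_from": sample_message(
        "alerts@citibank.com.sg",
        "mx.mailhost.example; spf=fail; dmarc=fail header.from=citibank.com.sg"),
    "foreign_result": sample_message(
        "alerts@citibank.com.sg",
        "mx.untrusted.example; dmarc=pass header.from=citibank.com.sg"),
    "display_name": sample_message('"alerts@citibank.com.sg" <notice@mail.example.net>'),
    "lookalike": sample_message("service@citibank-sg.example"),
    "unrelated": sample_message("newsletter@shop.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} {classify_sender(raw)}")
```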

 

Customer Advisory

Date: 5th September 2018

Description: Be alert to emails and SMS scams.

We would like to remind our customers to remain vigilant when responding to emails and SMS messages from senders masquerading as popular brands, often requesting for you to:

  • Complete a survey or a quiz, with the promise of cash prizes, loyalty points or air miles.
  • Provide your card number, in order to participate in the survey or quiz.
  • Provide your mobile phone number.

As a further tactic to convince victims of the authenticity of these scams, a One-Time Pin (OTP) will be sent to the mobile phone number that you've just provided. Unfortunately, with the successful solicitation of this information, the scammer would have gathered the necessary details to perform unauthorized transactions on your Citi Cards.

To protect yourself, always exercise the following precautions:

  • When clicking on a link from an email, always check that the internet address that you are directed to is legitimate by verifying it in the web browser. If you're unsure, please check this with the brand or merchant.
  • Never disclose your card numbers on merchant websites that have internet addresses that look incorrect.
  • Check if the web browser displays a Locked Padlock icon. Reputable sites would have these.
  • Never disclose your OTP to websites that you might be unfamiliar with.
  • Always check your account statements regularly to detect any unauthorized transactions. For a real-time view of your transactions, login to the Citi Mobile® App.

Phishing Emails

Date: 7th August 2018

Description: We have detected phishing emails and webpages targeting Citi customers. These phishing emails come from a non-Citi email address and request that Citi customers click on a hyperlink to unlock / update their online banking / credit card account.

If a customer falls victim to the phishing email and clicks on the hyperlink, they will be redirected to a page that is not an official Citi website, which requests the user's information (Username and Password), followed by a request to provide an SMS OTP. Such websites are used to conduct card-not-present transactions, but may also be used to steal personally identifiable data, username-password combinations and OTPs, to infect a user's device, or to fraudulently enrol a Citi Mobile® Token (which may be used to carry out payments to these fraudsters).

How can you protect yourself from this?

  • Be alert. Minimize clicking on links in emails as these may not be legitimate.
  • Check that you are using the official Citi website. Always type the Citibank Online website URL directly into the address bar of your browser. If you are on mobile, consider using the official Citibank Mobile application.
  • Citi will never request for your PIN, password or OTP through phone call, email or SMS. Call Citiphone immediately if you notice unknown transactions appearing on your account.


Customer Advisory

Date: 20th July 2018

Description: SingHealth has reported a data breach affecting more than 1.5 million SingHealth patients. Patient data stolen included personally identifiable information such as names, addresses, birthdays, and NRIC numbers. Approximately 160,000 patients had details of medical prescriptions stolen. Stolen credentials may be used to conduct social engineering and phishing scams. Such scams utilize personally identifiable information to appear legitimate.

How can you protect yourself from this?

  • Be alert. Do not provide personal or bank information to unsolicited callers.
  • Never give out any sensitive personal information (including login passwords or one-time passwords) over the phone or via email. Our staff will never ask you for such information.
  • Contact Citiphone immediately if you are in any doubt of a call, SMS or email's validity.

 

SMS Phishing

Date: 20th May 2018

Description: We have detected multiple Phishing Emails. The sender email addresses vary and include those ending with @gmail.com, @hotmail.com, @yahoo.com, etc. They contain messages including the requirement to update account details due to system maintenance or "New Message from Citibank". A hyperlink that purports to be a Citibank hyperlink (but is not) is also included in the message and takes the customer to URLs that do not belong to the official Citibank website. The site has the same look and feel as Citibank Online. Such websites are designed to trick users into providing their online banking and credit card details, which are then used to conduct fraudulent / unauthorized bank transfers and / or credit card transactions. Credit card details provided could also be used to enrol in Payment Wallets such as Samsung Pay, Android Pay, Google Pay and Apple Pay.

How can you protect yourself from this?

  • Be alert. Minimize clicking on links in SMSs as these may not be legitimate.
  • Check that you are using the official Citi website. Always type the Citibank Online website URL directly into the address bar of your browser. If you are on mobile, consider using the official Citibank Mobile application.
  • Never reply to unsolicited SMSs. Responses to such SMSs could be used by fraudsters to socially engineer information or trick users into performing unwanted actions.
  • Only provide your credit card details if you're making a direct purchase. Always check that you intend to conduct a credit card transaction and do not provide an OTP to authorize payment if you are not.
  • Citi will never request for your PIN, password or OTP through phone call, email or SMS. Call Citiphone immediately if you notice unknown transactions appearing on your account.
