Security Centre

Welcome to the Security Centre.

Your security is our priority.

Stay Protected with Online Security Tips by Citibank Singapore.

Learn how we protect your banking experience at Citi, and how you can protect yourself against identity theft and other security risks at the same time.

As the first step to protect your accounts, we’ll educate you on the different types of fraud that exist – from discovering how to spot and stop fraud, to the additional preventive steps that you can take.

Always remember to check that the citibank.com.sg website has a valid certificate marked Citigroup Inc. [US] and a padlock symbol in the web address bar when you access Citibank Online.

Online Security Tips


Latest Security Alert

Security Alerts and Information

Customers of Citibank Singapore Limited are advised to check this page regularly for the latest security alerts and/or news. If you are unsure whether any call, email or SMS is genuinely from Citibank, please contact us immediately and refrain from taking any further action. Whilst Citibank strives to provide you with the latest security alerts and/or news, please note that this webpage and the examples of scams/phishing listed here are not exhaustive. For latest news on scams/phishing, please refer to www.scamalert.sg which is a website owned and operated by the National Crime Prevention Council of Singapore.




Beware of Phishing Scams

Date: 3 September 2021

There has been an increasing trend of phishing scams where scammers trick victims into providing sensitive banking information such as their login credentials, One-Time PIN (OTP), bank account and/or card details, including expiry date and CVV. The scammers reach victims through digital channels such as email, SMS, messaging platforms, social media and online advertisements.

It is important that you familiarise yourself with the nature of these common scams to protect yourself from fraudulent fund transfers or charges to your cards.


What do Phishing Scams look like?

Advertisements

Advertisements for incredible offers or flash deals expiring within the hour, with common phrases such as “not to be missed”

Claims of issues with delivery or requests for shipping fees

Messages that claim incorrect delivery details or request additional delivery fees before your product can be sent

Claims of windfall

Announcements declaring you the winner of a lucky draw or contest randomly picked by the company

Claims of requiring renewal or verification

Messages that claim you have unpaid fees, expiring subscriptions, refunds to be credited or security updates that need verification

Important things to take note of





ALWAYS

  • Verify whether the social media account is legitimate by checking with the person offline or outside of Social Media.
  • Verify the URL of the website for its legitimacy. Hovering over the link shows where it really leads, which usually reveals that the email or link is not from the official company.
  • Insist on cash-on-delivery when possible or use the platform’s secure payment option.
  • Be extra careful when it comes to advertisements and promotions, especially when providing personal details.
  • Be extra vigilant on phone calls from unfamiliar numbers to avoid scammers asking for personal details.


NEVER

  • Disclose your personal particulars, banking and credit card details and OTPs to anyone, including family and friends.
  • Act hastily upon seeing a flash deal without confirming its source.
  • Agree to private bank transfers to sellers before delivery.



Beware of Calls from Spoof Citibank Hotlines & Fake SMSes with Spoof Citibank Headers

Date: 11 June 2021

There has been a re-emerging trend of scammers pretending to be from the bank contacting victims through a spoof Citibank hotline or spoof SMS headers. They would claim that there are suspicious activities on the victim’s account or that the victim’s cards have been suspended.

Do not fall prey to such scams, as scammers can use the information you provide to them to make unauthorised transactions on your credit/debit cards or bank accounts.





What is Spoof Citibank Hotline?






The scammer impersonates a ‘Bank officer’ and calls the victim from phone number +65 6225 5225.




The scammer informs the victim that there is a suspicious activity on the victim’s account and proceeds to ask questions to verify that he/she is the customer.




The scammer requests the victim to provide account details and OTP (One-Time PIN).




Fraudulent transactions will then take place on the account.



What should you do?



  • Ignore suspicious looking calls coming from a ‘+’ number.
  • Be wary of providing full bank, debit and credit card details when asked.
  • Citibank will never ask you to provide your OTP to us.
  • Hang up immediately, block and report if the caller cannot identify themselves.
  • If you are suspicious or unsure, call our hotline numbers directly. They are found on the back of your debit or credit card, in the Citi Mobile® App or on the Citibank website.


What is SMS with Spoof Citibank Header?






[Images: Example 1 and Example 2 of SMS messages with a spoof Citibank header]


  • The scammers usually instruct the victims to contact a phone number included in the SMS in order to reactivate their card.
  • Upon calling such a number, victims are instructed to provide their NRIC, bank account and/or credit/debit card details for further verification.
  • The scammer requests the victim to provide account details and OTP (One-Time PIN).
  • Fraudulent transactions will then take place on the account.


What should you look out for?






Be wary of fake SMS messages with spoof Citibank headers. Do also check for grammatical and/or spelling errors.




Verify the content by calling Citibank directly or reach us via secured email.




Never disclose your personal, bank account, credit/debit card details or OTP to anyone.




Report any fraudulent credit/debit card charges or account transfers to Citibank immediately.





Social Media Impersonation Scam

Date: 24 May 2021

Stay vigilant online against the recent increase of Social Media impersonation and phishing scams. It is important that you familiarise yourself with the nature of these common scams to protect yourself from fraudulent fund transfers or charges to your cards.


What do Social Media Impersonation Scams Look Like?






The scammer contacts you via social media platforms such as Facebook Messenger or Instagram, impersonating your friend, family member or follower by using compromised or spoofed social media accounts.




The scammer requests your mobile phone number and/or mobile phone provider on the pretext of helping you sign up for fake contests or promotions on online shopping platforms.




The scammer asks for your credit card details, including your card number, expiry date and the three digits on the back of your card, on the pretext of helping you claim a prize or reward.




Some scammers are able to provide personal information to convince you of their identity.




The scammer then asks for the SMS OTP from your mobile phone to access your account, and continues until you suspect something is wrong or your credit limit is reached.

What Should You Look Out For?



Messages promising gift vouchers from popular online shopping websites


What do Phishing Scams Look Like?






You receive an SMS, email, pop-up message or advertisement regarding an incredible offer on Instagram or Facebook.




After clicking on the link, you are directed to a website that resembles the actual company’s website.




You are required to enter your credit card details, including your card number, expiry date and the three digits on the back of your card.




You are prompted to enter your OTP to complete the transaction.


What Should You Look Out For?



  • Messages that you have a package that is stuck and needs delivery charges to be paid.
  • Messages that you have overpayments to be credited or shortfall to be settled.
  • Incredible offers or flash deals expiring within the hour, “not to be missed”.
  • Announcements declaring you the winner of a lucky draw/contest randomly picked by the company’s database.


Important things to take note of





ALWAYS

  • Verify whether the social media account is legitimate by checking with the person offline or outside of Social Media.
  • Verify the URL of the website for its legitimacy. Hovering over the link shows where it really leads, which usually reveals that the email or link is not from the official company.
  • Insist on cash-on-delivery when possible or use the platform’s secure payment option.
  • Be extra careful when it comes to advertisements and promotions, especially when providing personal details.
  • Be extra vigilant on phone calls from unfamiliar numbers to avoid scammers asking for personal details.


NEVER

  • Disclose your personal particulars, banking and credit card details and OTPs to anyone, including family and friends.
  • Act hastily upon seeing a flash deal without confirming its source.
  • Agree to private bank transfers to sellers before delivery.



Protect yourself from e-Wallet scams

Date: 10 February 2021

Due to the current pandemic situation, more people are making payments through e-Wallets such as Apple Pay, Samsung Pay and Google Pay. Recently, there has been an increase in phishing attempts relating to e-Wallets. Hence, it is important that you stay vigilant and familiarise yourself with common scams that take place relating to e-Wallets.


What is an e-Wallet?



An e-Wallet allows you to turn your smartphone into a mobile wallet and experience a faster, more convenient and secure way to pay with just a tap. All you need to do is add your Citi Cards to the mobile wallet (such as Apple Pay/Samsung Pay/Google Pay), tap and pay at merchant terminals or online for merchants that accept e-Wallet as a payment mode.


What is an e-Wallet scam?



An e-Wallet scam typically involves the fraudster sending a phishing email or SMS to the victim to request for the victim’s card details on the pretext that the victim’s card details are outdated and require updating, that card details are required to make a refund/credit to them or to deliver a parcel to them. The victim clicks on the URL and is prompted to enter his/her card details and One-Time PIN on a fraudulent website. The fraudster uses these card details to add the victim’s card details into the fraudster’s e‑Wallet. The fraudster then uses this e-Wallet to make transactions which will be charged to the victim’s card.



What should you look out for?






Emails and text messages making fake offers or claims to trick recipients into clicking a link, e.g. payment for parcel delivery, disruptions to services or subscriptions, refunds or promotions.




The link redirects victims to fraudulent websites and tricks them into providing their credit card details and the One-Time PIN (OTP) sent to their phone, so that the credit card can be added to a third-party wallet (Apple Pay/Samsung Pay/Google Pay) to make unauthorised transactions.



How to check that the card is added to your own e-Wallet





Match the last four digits of the Device/Digital/Virtual Account Number shown on your device to the last four digits of the Device Account Number mentioned in the email alert that Citibank Singapore sends to your registered email address when your card is enrolled in your e-Wallet.



Important things to take note of





ALWAYS

  • Verify the authenticity of the text message/email/information received with the official website or sources.
  • Check and match the last 4 digits of the Device Account Number in the email alert you receive when your card is added to a Wallet App to verify that the card is added to your personal wallet.
  • Inform the bank immediately if you receive an OTP which was not initiated by you to provision your card into Apple Pay/Samsung Pay/Google Pay.
  • Inform the bank immediately if you receive an OTP to provision your card into a Wallet App not used by you or not supported by your device.


NEVER

  • Click on URL links provided in unsolicited emails and text messages.
  • Disclose your personal or internet banking details or OTP to anyone.



Loan Scam

Date: 19th October 2020

We have been alerted to customers receiving unsolicited text messages from unlicensed moneylenders offering loans and loan services.

The message may purport to be sent from "Citibank" or other financial institutions to convince you that it is legitimate. Victims are instructed to transfer monies to the fraudster as a deposit before the loan can be disbursed. After the victims have transferred the monies, they find that the fraudsters are no longer contactable.


Examples of loan scam messages




What you should do






Ignore the message




Block and report the numbers on the platform where you received the message



For more information, please refer to www.scamalert.sg.




Social Media and E-Commerce Scams

Date: 18th September 2020

The Singapore Police have continued to see an increase in phishing scam cases involving emails and text messages, with more than 220 reports lodged since January 2020.

Victims of such phishing scams received emails or text messages from scammers impersonating entities the victims know or trust, such as banks, government agencies, trade unions, or companies such as SingPost, StarHub, Netflix, PayPal and DHL. These emails and text messages make fake offers or claims to trick recipients into clicking on a URL link. Such fake offers or claims include outstanding payment for parcel delivery, disruptions to services or subscriptions, refunds, or promotions. Upon clicking on the URL links, victims are redirected to fraudulent websites where they are tricked into providing their credit/debit card details and One-Time PIN (OTP). Victims only realise that they have been scammed when they discover unauthorised transactions made using their credit/debit card.

Please refer to the full Singapore Police advisory, which includes examples of phishing emails and phishing websites.


Impersonation Scam

Scammers will impersonate the victim’s friends or followers on social media like Facebook or Instagram using spoofed or compromised accounts and reach out to the victims. The scammers will ask the victims for their contact numbers, images of their credit/debit cards and One-Time PIN (OTP) on the pretext of signing them up for fake lucky draws or promotions on online shopping platforms like Lazada or Shopee.


What does it look like?
Below is the typical flow of a social media impersonation scam






An impersonator poses as someone you know/follow on your social media (e.g. Facebook or Instagram) and sends you a personal message.




The impersonator claims to have lost his/her contact list, asks for personal details such as your mobile phone number to sign you up for contests or promotion campaigns on e-commerce (e.g. Lazada or Shopee) sites.




The impersonator then claims that you have won a lucky draw and asks for your credit card details and OTP in order for him/her to credit the cash prize.




You later discover that the impersonator has made unauthorised fraudulent transactions from your bank account or mobile wallet without your consent.




What should you look out for?

  • Contact claiming to be someone you know sends you a personal message asking for your mobile phone number and credit card details to sign you up for contests or promotion campaigns on an online shopping platform.
  • Contact claims that you have won a lucky draw and asks for your credit card details in order to credit the cash prize to you.
  • Contact asks for the OTP sent to your mobile phone number.
  • Social media account impersonating your existing contacts sends a new friend/follower request to you.

E-Commerce Scam

Scammers will tout a good deal for a gadget, amusement park or concert tickets online, usually pricing these way below market-price and for a limited time period. Victims lured by the attractiveness of the offer will transfer payment to the “seller” who promises to deliver the item which never arrives.

What does it look like?
Below is the typical flow of an e-commerce scam:






An advertisement shows up on your social media (e.g. Facebook or Instagram) selling a product at an attractive price over a flash deal ending in an hour.




You visit the “seller’s” social media account page and follow the URL linking to their “official” webpage. Positive comments from buyers make you think that the “seller” is legitimate.




You hastily decide to make the purchase before the flash sale ends and follow the instructions on the webpage to key in your credit card details.




You receive a confirmation email with the “seller” requiring an additional delivery fee before sending out the product. You are promised delivery within 3 weeks from the purchase.




You do not receive the product and attempt to contact the “seller”. However, there are no responses given once your payment transaction has gone through.



What should you look out for?

  • Advertisements on your social media show deals from e-commerce that are way below market-price, disguised as limited-time-only or flash deals.
  • Lack of information on the products or unstated terms and conditions.
  • Reviews/comments on the product that are only positive.
  • Seller requires additional delivery fee before product can be sent out.
  • Seller requests for conversations to be taken off shopping platform.
  • Seller insists on bank transfers instead of using the platform's payment options.

How to protect yourself against social media scams:




ALWAYS

  • Verify the social media account’s legitimacy by checking with your contacts offline, e.g. contacting them via their mobile phone number.
  • Verify the website URL’s legitimacy.
  • Insist on cash-on-delivery where possible, or use the platform’s secure payment option.


NEVER

  • Disclose your personal particulars, OTPs and banking and credit card details to anyone, including family and friends.
  • Act hastily upon seeing a flash deal. Always confirm the source.
  • Agree to private bank transfers to sellers before delivery.

 

Impersonation and Technical Support Scam

Date: 24th July 2020

In the first 3 months of 2020, at least S$41.3 million was lost to scammers, based on cases that were reported to the Singapore Police.

As of 5 June 2020, it was reported in the news that more than S$7 million has been lost to scammers who were posing as technical support staff from January to April 2020, an increase of more than 40 times from the same period in 2019.

We would like to remind our customers to be wary of phone calls or SMSes claiming to be from banks, government agencies, courier or telco companies or any technical support teams requesting for you to provide them with your banking or log in credentials, perform funds transfers or asking you to update your information with them.

These calls/SMSes prey on your fears by making you think that your data/accounts have been compromised or that there are illegal activities linked to you, your account or your IP address.

In these calls:



The fraudster may deceive you into revealing your banking or login credentials such as Username, Password, One-Time PIN ("OTP") and/or Transaction Authorisation Code ("TAC"). The fraudster may claim that he/she needs the information to assist in investigations, but this is all part of the ruse.


The fraudster may trick you into performing a funds transfer from your account to foreign bank accounts.


The fraudster usually works with other persons purporting to be from government/law enforcement agencies in Singapore or overseas to try to lull you into a sense of confidence.


We set out below, a step-by-step flow of the latest impersonation and technical support scams that have been reported. Please take some time to read this and share with your family and loved ones.

Here is a typical flow of impersonation scam:

Customer receives a call from someone claiming to be from a Bank/Telco/Government agency/ Courier company, informing him/her that his/her internet account has been hacked and used for illegal activities.

The call is then transferred to a Police/Interpol/Cybercrime police etc.

Customer is advised by the impersonator to download a screen sharing software and then log in to his/her Citi account during the screen sharing, in order to catch the fictitious hacker.

In certain cases, impersonator will provide the payee details to customer and advise customer to perform the fund transfer to the payee directly.

During screen sharing, impersonator is able to see customer’s User ID, Password and One-time PIN (OTP). He then uses the OTP to download Citi Mobile® Token, adds a payee and performs fund transfer or advises you to add payee and perform fund transfer to the payee.

Customer is told to ignore all SMS alerts from Citi as that is the bank’s practice. Any amount transferred will be refunded to him/her as it is used as a “bait” to catch the hacker. The impersonator will assure the customer that the money will be returned to the customer.

When customer tries to call the impersonator to check on the return of funds, the impersonator is uncontactable. Monies would have already been transferred out of his/her banking accounts.


Below is a typical flow of a technical support scam.

  • Customer experiences a technical fault on his/her device and a technical support hotline (e.g. from Microsoft) pops up on his/her screen. Customer proceeds to call the hotline.
  • Someone claiming to be from the customer support team answers and walks customer through the steps of installing a screen sharing software (e.g. Ultraviewer), in order to recover his/her device.
  • Scammer will be able to see the User ID/Password & OTP and use the information to enable customer's Citi Mobile® Token, add a payee and transfer funds out of customer's banking accounts.
  • Customer will be asked to submit his/her NRIC in order to process the documents for the enhanced security protocols. Customer will be assured that his/her accounts are safe and told to ignore all SMS alerts from the bank.
  • When customer terminates the line and disconnects his/her devices from the network, monies have already been debited from his/her banking accounts.


Customers are reminded to exercise caution at all times.
Take note of the following important pointers:

  • Impersonators may use Caller ID spoofing technology to mask their actual number and instead display a name/number that purports to be from a Bank/Telco/Government agency/Courier company.
  • No government agency will request for your personal and banking details, or request for you to transfer money over the phone or through automated voice machines.
  • Do not act under the instructions of anyone suspicious.
  • Always verify the identity of the caller. You can do so by calling the official contact number of the relevant entity. Do not assume that the caller is genuine.
  • Do not give out any personal and banking information (i.e. User ID, password or OTP) to anyone. Treat them like your ATM PIN.

 

Customer Advisory – 3rd Party Mobile Applications / Websites

Date: 24th April 2019

Description: Do not use 3rd Party Mobile Applications / Websites for viewing Online Banking Details

We are aware that there are 3rd Party Mobile Applications / Websites that allow customers to have a consolidated view of their financial expenses / transactions across multiple banks, credit card, investments, equity trades, and loan accounts in one place.

Citibank would like to remind our customers not to download any 3rd Party Mobile Applications or use 3rd Party Websites to view / access your Citibank Online accounts. There is a potential risk of your online banking credentials being compromised, as your Username and Password have been shared with the application.

To protect yourself, always exercise the following precautions:

  • Do not download any 3rd Party Mobile Applications to view your online banking details.
  • Do not input your Citibank Online Username and Password when requested by such applications / websites.
  • If already inputted, immediately change Username and Password.

Use of Citibank Online is personal to you and no third party should be allowed to access/view your account/account information via Citibank Online, whether or not you have consented to such third party’s access. This is to prevent any unauthorized access or use of your account and account information. You are responsible for keeping any of your log-in credentials (including User ID and Password) confidential and you cannot reveal your log-in credentials to any third party.

Where you have revealed your log-in credentials to a third party, please note that Citibank is not liable for and you have to compensate us for any losses arising out of any use of your log-in credentials. In such an event, we also have the right, from a risk management perspective, to suspend your access to Citibank Online at any time.

 

Citi Email Addresses

Date: 14th April 2019

Description: Please note that we will send you email notifications from the following Citibank email addresses.

 

Email Addresses
alerts@citibank.com.sg
statements@citibank.com.sg
advices@citibank.com.sg
welcome@citibank.com.sg
marketing@citibank.com.sg
services@citibank.com.sg
chargeback@citibank.com.sg
customerservice@citibank.com.sg
client@experience.citi.com
customerservice@thankyou.citi.com

 

Customer Advisory

Date: 5th September 2018

Description: Be alert to emails and SMS scams.

We would like to remind our customers to remain vigilant when responding to emails and SMS messages from senders masquerading as popular brands, often requesting for you to:

  • Complete a survey or a quiz, with the promise of cash prizes, loyalty points or air miles.
  • Provide your card number, in order to participate in the survey or quiz.
  • Provide your mobile phone number.

As a further tactic to convince victims of the authenticity of these scams, a One-Time PIN (OTP) will be sent to the mobile phone number that you've just provided. Unfortunately, with the successful solicitation of this information, the scammer would have gathered the necessary details to perform unauthorized transactions on your Citi Cards.

To protect yourself, always exercise the following precautions:

  • When clicking on a link from an email, always check that the internet address that you are directed to is legitimate by verifying it in the web browser. If you're unsure, please check this with the brand or merchant.
  • Never disclose your card numbers on merchant websites that have internet addresses that look incorrect.
  • Check if the web browser displays a Locked Padlock icon. Reputable sites would have these.
  • Never disclose your OTP to websites that you might be unfamiliar with.
  • Always check your account statements regularly to detect any unauthorized transactions. For a real-time view of your transactions, login to the Citi Mobile® App.

Phishing Emails

Date: 7th August 2018

Description: We have detected phishing emails and webpages targeting Citi customers. These phishing emails come from a non-Citi email address and request that Citi customers click on a hyperlink to unlock / update their online banking / credit card account.

If a customer falls victim to the phishing email and clicks on the hyperlink, they will be redirected to a page whose URL is not an official Citi website and which requests the user's information (Username and Password), followed by a request to provide an SMS OTP. Such websites are used to conduct card-not-present transactions, but may also be used to steal personally identifiable data, username-password combinations and OTPs, to infect a user's device, or to fraudulently enrol a Citi Mobile® Token (which may be used to carry out payments to these fraudsters).

How can you protect yourself from this?

  • Be alert. Minimize clicking on links in emails as these may not be legitimate.
  • Check that you are using the official Citi website. Always type the Citibank Online website URL directly into the address bar of your browser. If you are on mobile, consider using the official Citibank Mobile application.
  • Citi will never request for your PIN, password or OTP through phone call, email or SMS. Call Citiphone immediately if you notice unknown transactions appearing on your account.


Customer Advisory

Date: 20th July 2018

Description: SingHealth has reported a data breach affecting more than 1.5 million SingHealth patients. Patient data stolen included personally identifiable information such as names, addresses, birthdays, and NRIC numbers. Approximately 160,000 patients had details of medical prescriptions stolen. Stolen credentials may be used to conduct social engineering and phishing scams. Such scams utilize personally identifiable information to appear legitimate.

How can you protect yourself from this?

  • Be alert. Do not provide personal or bank information to unsolicited callers.
  • Never give out any sensitive personal information (including login passwords or one-time passwords) over the phone or via email. Our staff will never ask you for such information.
  • Contact Citiphone immediately if you are in any doubt of a call, SMS or email's validity.

 

SMS Phishing

Date: 20th May 2018

Description: We have detected multiple Phishing Emails. The sender email addresses vary and include those ending with @gmail.com, @hotmail.com, @yahoo.com, etc. They contain messages including the requirement to update account details due to system maintenance or "New Message from Citibank". A hyperlink that purports to be a Citibank hyperlink (but is not) is also included in the message and takes the customer to URLs that do not belong to the official Citibank website. The site has the same look and feel as Citibank Online. Such websites are designed to trick users into providing their online banking and credit card details to conduct fraudulent / unauthorized bank transfers and / or credit card transactions. Credit Card details provided could also be used to enroll for Payment Wallets such as Samsung Pay, Android Pay, Google Pay and Apple Pay.

How can you protect yourself from this?

  • Be alert. Minimize clicking on links in SMSs as these may not be legitimate.
  • Check that you are using the official Citi website. Always type the Citibank Online website URL directly into the address bar of your browser. If you are on mobile, consider using the official Citibank Mobile application.
  • Never reply to unsolicited SMSs. Responses to such SMSs could be used by fraudsters to socially engineer information or trick users into performing unwanted actions.
  • Only provide your credit card details if you're making a direct purchase. Always check that you intend to conduct a credit card transaction and do not provide an OTP to authorize payment if you are not.
  • Citi will never request for your PIN, password or OTP through phone call, email or SMS. Call Citiphone immediately if you notice unknown transactions appearing on your account.
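
The checks described in the "Citi Email Addresses" list and in the phishing advisories above can be applied mechanically to a raw email. The following is an added example, not Citibank's code or tooling: it compares the sender with the listed addresses, resolves where each link really leads, and flags requests for an OTP, PIN or password. The `.example` domains, the sample messages and the rule that only citibank.com.sg hosts count as official link targets are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Sender addresses the page lists under "Citi Email Addresses".
CITI_SENDERS = frozenset({
    "alerts@citibank.com.sg", "statements@citibank.com.sg",
    "advices@citibank.com.sg", "welcome@citibank.com.sg",
    "marketing@citibank.com.sg", "services@citibank.com.sg",
    "chargeback@citibank.com.sg", "customerservice@citibank.com.sg",
    "client@experience.citi.com", "customerservice@thankyou.citi.com",
})
# Assumption: only citibank.com.sg (the site named on the page) and its
# subdomains count as official link targets.
OFFICIAL_LINK_DOMAINS = ("citibank.com.sg",)
# The page states Citi never asks for these by phone call, email or SMS.
SECRET_WORDS = re.compile(r"\b(otp|pin|password)\b", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._current = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def is_official_host(host):
    """Exact match or true subdomain only, so a lookalike such as
    'citibank.com.sg.account-update.example' fails the check."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_LINK_DOMAINS)


def link_host(href):
    """Host the browser would actually contact, or None if unparseable."""
    try:
        return urlsplit(href).hostname
    except ValueError:
        return None


def triage(raw_email):
    """Return finding codes for one raw message (empty list = no findings)."""
    msg = message_from_string(raw_email, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    findings = []
    if address.lower() not in CITI_SENDERS:
        findings.append("sender-not-listed")
        if "citi" in display_name.lower():
            findings.append("display-name-claims-citi")
    # A listed From address is not proof of origin (the header can be
    # forged), so the link and content checks run for every message.
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    collector = AnchorCollector()
    collector.feed(body)
    for href, text in collector.links:
        if not is_official_host(link_host(href)):
            findings.append("link-host-not-official")
            if "citi" in text.lower():
                findings.append("link-text-names-citi")
    if SECRET_WORDS.search(re.sub(r"<[^>]+>", " ", body)):
        findings.append("asks-for-otp-pin-or-password")
    return list(dict.fromkeys(findings))  # de-duplicate, keep order


# Constructed sample messages (not real emails).
SAMPLE_PHISH = """\
From: "Citibank Online" <service.update@gmail.example>
Subject: New Message from Citibank
Content-Type: text/html; charset="utf-8"

<p>Due to system maintenance, update your account details and enter your OTP.</p>
<a href="https://citibank.com.sg.account-update.example/login">www.citibank.com.sg</a>
"""
SAMPLE_LISTED = """\
From: Citibank Alerts <alerts@citibank.com.sg>
Subject: Card added to wallet
Content-Type: text/html; charset="utf-8"

<p>Your card was added to a Wallet App. Device Account Number ending 1234.</p>
<a href="https://www.citibank.com.sg/">Citibank Online</a>
"""
SAMPLE_FORGED_FROM = """\
From: alerts@citibank.com.sg
Subject: Parcel delivery fee outstanding
Content-Type: text/html; charset="utf-8"

<a href="https://pay-fee.example/card">Citibank secure payment</a>
"""

if __name__ == "__main__":
    for name in ("SAMPLE_PHISH", "SAMPLE_LISTED", "SAMPLE_FORGED_FROM"):
        print(name, triage(globals()[name]))
```

An empty result means only that none of these checks fired; the third sample shows why a listed sender address alone is not sufficient.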


Impersonation and Technical Support Scam

Date: 24th July 2020

In the first 3 months of 2020, at least S$41.3 million were lost to scammers, based on cases that were reported to the Singapore Police.

As of 5 June 2020, it was reported in the news that more than S$7 million has been lost to scammers who were posing as technical support staff from January to April 2020, an increase of more than 40 times from the same period in 2019.

We would like to remind our customers to be wary of phone calls or SMSes claiming to be from banks, government agencies, courier or telco companies or any technical support teams requesting for you to provide them with your banking or log in credentials, perform funds transfers or asking you to update your information with them.

These calls/SMSes prey on your fears by making you think that your data/accounts have been compromised or that there are illegal activities linked to you, your account or your IP address.

In these calls:

  • The fraudster may deceive you into revealing your banking or login credentials such as Username, Password, One-Time PIN ("OTP") and/or Transaction Authorisation Code ("TAC"). The fraudster may claim that he/she needs the information to assist in investigations, but this is all part of the ruse.
  • The fraudster may trick you into performing a funds transfer from your account to foreign bank accounts.
  • The fraudster usually works with other persons purporting to be from government/law enforcement agencies in Singapore or overseas to try to lull you into a sense of confidence.


We set out below a step-by-step flow of the latest impersonation and technical support scams that have been reported. Please take some time to read this and share it with your family and loved ones.

Here is a typical flow of an impersonation scam:

  • Customer receives a call from someone claiming to be from a Bank/Telco/Government agency/Courier company, informing him/her that his/her internet account has been hacked and used for illegal activities.
  • The call is then transferred to someone claiming to be from the Police/Interpol/Cybercrime police etc.
  • Customer is advised by the impersonator to download a screen sharing software and then log in to his/her Citi account during the screen sharing, in order to catch the fictitious hacker.
  • In certain cases, the impersonator will provide the payee details to the customer and advise the customer to perform the fund transfer to the payee directly.
  • During screen sharing, the impersonator is able to see the customer’s User ID, Password and One-time PIN (OTP). He then uses the OTP to download Citi Mobile® Token, adds a payee and performs a fund transfer, or advises the customer to add the payee and perform the fund transfer to the payee.
  • Customer is told to ignore all SMS alerts from Citi as that is the bank’s practice, and that any amount transferred will be refunded to him/her as it is used as “bait” to catch the hacker. The impersonator will assure the customer that the money will be returned to the customer.
  • When customer tries to call the impersonator to check on the return of funds, the impersonator is uncontactable. Monies would have already been transferred out of his/her banking accounts.


Below is a typical flow of a technical support scam:

  • Customer experiences a technical fault on his/her device and a technical support hotline (e.g. from Microsoft) pops up on his/her screen. Customer proceeds to call the hotline.
  • Someone claiming to be from the customer support team answers and walks customer through the steps of installing a screen sharing software (e.g. the Ultraviewer), in order to recover his/her device.
  • Scammer will be able to see the User ID/Password & OTP and use the information to enable customer's Citi Mobile® Token and add payee and transfer funds out of customer's banking accounts.
  • Customer will be asked to submit his/her NRIC in order to process the documents for the enhanced security protocols. Customer will be assured that his accounts are safe and told to ignore all SMS alerts from the bank.
  • When customer terminates the line and disconnects his/her devices from the network, monies had already been debited from his/her banking accounts.


Customers are reminded to exercise caution at all times. Take note of the following important pointers:

  • Impersonators may use Caller ID spoofing technology to mask their actual number and instead display a name/number that purports to be from a Bank/Telco/Government agency/Courier company.
  • No government agency will request for your personal and banking details, or request for you to transfer money over the phone or through automated voice machines.
  • Do not act under the instructions of anyone suspicious.
  • Always verify the identity of the caller. You can do so by calling the official contact number of the relevant entity. Do not assume that the caller is genuine.
  • Do not give out any personal and banking information (i.e. User ID, password or OTP) to anyone. Treat them like your ATM PIN.

 

Customer Advisory – 3rd Party Mobile Applications / Websites

Date: 24th April 2019

Description: Do not use 3rd Party Mobile Applications / Websites for viewing Online Banking Details

We are aware that there are 3rd Party Mobile Applications / Websites that allow customers to have a consolidated view of their financial expenses / transactions across multiple banks, credit card, investments, equity trades, and loan accounts in one place.

Citibank would like to remind our customers not to download any 3rd Party Mobile Applications or use any 3rd Party Websites to view / access your Citibank Online accounts. There is a potential risk of your online banking credentials being compromised as the Username and Password have been shared with the application.

To protect yourself, always exercise the following precautions:

  • Do not download any 3rd Party Mobile Applications to view your online banking details.
  • Do not input your Citibank Online Username and Password when requested by such applications / websites.
  • If already inputted, immediately change Username and Password.

Use of Citibank Online is personal to you and no third party should be allowed to access/view your account/account information via Citibank Online, whether or not you have consented to such third party’s access. This is to prevent any unauthorized access or use of your account and account information. You are responsible for keeping any of your log-in credentials (including User ID and Password) confidential and you cannot reveal your log-in credentials to any third party.

Where you have revealed your log-in credentials to a third party, please note that Citibank is not liable for and you have to compensate us for any losses arising out of any use of your log-in credentials. In such an event, we also have the right, from a risk management perspective, to suspend your access to Citibank Online at any time.

 

Citi Email Addresses

Date: 14th April 2019

Description: Please note that we will send you email notifications from the following Citibank email addresses.

 

Email Addresses
alerts@citibank.com.sg
statements@citibank.com.sg
advices@citibank.com.sg
welcome@citibank.com.sg
marketing@citibank.com.sg
services@citibank.com.sg
chargeback@citibank.com.sg
customerservice@citibank.com.sg
client@experience.citi.com
customerservice@thankyou.citi.com
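
The sender list above can be turned into a mechanical check when triaging a reported message. The following is an added example, not Citibank's code: the function names, verdict labels, brand-token heuristic and sample message are assumptions made for illustration. A "listed" verdict only means the From header matches the published list; that header can be forged, so it is a necessary condition rather than proof of authenticity.

```python
from email import message_from_string
from email.utils import parseaddr

# Sender addresses copied from the list published on this page.
OFFICIAL_SENDERS = frozenset({
    "alerts@citibank.com.sg", "statements@citibank.com.sg",
    "advices@citibank.com.sg", "welcome@citibank.com.sg",
    "marketing@citibank.com.sg", "services@citibank.com.sg",
    "chargeback@citibank.com.sg", "customerservice@citibank.com.sg",
    "client@experience.citi.com", "customerservice@thankyou.citi.com",
})
OFFICIAL_DOMAINS = frozenset(a.split("@", 1)[1] for a in OFFICIAL_SENDERS)

# Heuristic (assumption): brand strings a lookalike sender tends to reuse.
# Substring matching can over-flag unrelated words, so treat it as a hint.
BRAND_TOKENS = ("citi",)


def classify_sender(from_header: str) -> str:
    """Classify a From header against the published sender list."""
    display, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        return "malformed"
    if not addr.isascii():
        # Look-alike characters from other scripts can imitate Latin letters.
        return "non_ascii_address"
    if addr in OFFICIAL_SENDERS:
        return "listed"
    local, domain = addr.rsplit("@", 1)
    if domain in OFFICIAL_DOMAINS:
        # Right domain, but a mailbox the page does not list.
        return "unlisted_mailbox"
    haystack = " ".join((display.lower(), local, domain))
    if any(token in haystack for token in BRAND_TOKENS):
        # Brand name in the display name, local part or a lookalike domain,
        # e.g. a free webmail account or "citibank.com.sg.<other domain>".
        return "brand_impersonation"
    return "unrelated"


def triage(raw_message: str) -> dict:
    """Return the sender verdict plus a Reply-To mismatch flag."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    from_addr = parseaddr(from_header)[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    return {
        "from": from_addr,
        "verdict": classify_sender(from_header),
        # Replies routed to a different mailbox than the visible sender.
        "reply_to_differs": bool(reply_to) and reply_to != from_addr,
    }


# Constructed sample, modelled on the wording this page describes.
SAMPLE_MESSAGE = (
    'From: "Citibank" <service.update@gmail.com>\n'
    "Reply-To: helpdesk@example.net\n"
    "Subject: New Message from Citibank\n"
    "\n"
    "Please update your account details due to system maintenance.\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGE))
```
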

 

Customer Advisory

Date: 5th September 2018

Description: Be alert to emails and SMS scams.

We would like to remind our customers to remain vigilant when responding to emails and SMS messages from senders masquerading as popular brands, often requesting for you to:

  • Complete a survey or a quiz, with the promise of cash prizes, loyalty points or air miles.
  • Provide your card number, in order to participate in the survey or quiz.
  • Provide your mobile phone number.

As a further tactic to convince victims of the authenticity of these scams, a One-Time Pin (OTP) will be sent to the mobile phone number that you've just provided. Unfortunately, with the successful solicitation of this information, the scammer would have gathered the necessary details to perform unauthorized transactions on your Citi Cards.

To protect yourself, always exercise the following precautions:

  • When clicking on a link from an email, always check that the internet address that you are directed to is legitimate by verifying it in the web browser. If you're unsure, please check this with the brand or merchant.
  • Never disclose your card numbers on merchant websites that have internet addresses that look incorrect.
  • Check if the web browser displays a Locked Padlock icon. Reputable sites would have these.
  • Never disclose your OTP to websites that you might be unfamiliar with.
  • Always check your account statements regularly to detect any unauthorized transactions. For a real-time view of your transactions, login to the Citi Mobile® App.

Phishing Emails

Date: 7th August 2018

Description: We have detected phishing emails and webpages targeting Citi customers. These phishing emails come from a non-Citi email address and request that Citi customers click on a hyperlink to unlock / update their online banking / credit card account.

If a customer falls victim to the phishing email and clicks on the hyperlink, they will be redirected to a page URL that is not an official Citi website, requesting a user's information (Username and Password), followed by a request to provide an SMS OTP. Such websites are used to conduct card-not-present transactions but may also be used to steal personally identifiable data, username-password combinations and OTPs, to infect a user's device, or to fraudulently enroll the Citi Mobile® Token (which may be used to carry out payments to these fraudsters).

How can you protect yourself from this?

  • Be alert. Minimize clicking on links in emails as these may not be legitimate.
  • Check that you are using the official Citi website. Always type the Citibank Online website URL directly into the address bar of your browser. If you are on mobile, consider using the official Citibank Mobile application.
  • Citi will never request for your PIN, password or OTP through phone call, email or SMS. Call Citiphone immediately if you notice unknown transactions appearing on your account.


Customer Advisory

Date: 20th July 2018

Description: SingHealth has reported a data breach affecting more than 1.5 million SingHealth patients. Patient data stolen included personally identifiable information such as names, addresses, birthdays, and NRIC numbers. Approximately 160,000 patients had details of medical prescriptions stolen. Stolen credentials may be used to conduct social engineering and phishing scams. Such scams utilize personally identifiable information to appear legitimate.

How can you protect yourself from this?

  • Be alert. Do not provide personal or bank information to unsolicited callers.
  • Never give out any sensitive personal information (including login passwords or one-time passwords) over the phone or via email. Our staff will never ask you for such information.
  • Contact Citiphone immediately if you are in any doubt of a call, SMS or email's validity.

 

SMS Phishing

Date: 20th May 2018

Description: We have detected multiple Phishing Emails. The sender email addresses vary and include those ending with @gmail.com, @hotmail.com, @yahoo.com, etc. They contain messages including the requirement to update account details due to system maintenance or "New Message from Citibank". A hyperlink that purports to be a Citibank hyperlink (but is not) is also included in the message and takes the customer to URLs that do not belong to Citibank. The site has the same look and feel as Citibank Online. Such websites are designed to trick users into providing their online banking and credit card details so that fraudsters can conduct fraudulent / unauthorized bank transfers and / or credit card transactions. Credit Card details provided could also be used to enroll for Payment Wallets such as Samsung Pay, Android Pay, Google Pay and Apple Pay.

How can you protect yourself from this?

  • Be alert. Minimize clicking on links in SMSs as these may not be legitimate.
  • Check that you are using the official Citi website. Always type the Citibank Online website URL directly into the address bar of your browser. If you are on mobile, consider using the official Citibank Mobile application.
  • Never reply to unsolicited SMSs. Responses to such SMSs could be used by fraudsters to socially engineer information or trick users into performing unwanted actions.
  • Only provide your credit card details if you're making a direct purchase. Always check that you intend to conduct a credit card transaction and do not provide an OTP to authorize payment if you are not.
  • Citi will never request for your PIN, password or OTP through phone call, email or SMS. Call Citiphone immediately if you notice unknown transactions appearing on your account.


How You Can Protect Yourself

Protect Yourself from Fraud

Here are a few types of fraud and the steps that you can take to avoid becoming a victim.

Impersonation Scam

Impersonation scams are calls from people claiming to be government officials or staff members of any agency asking for personal details. Callers may claim your identity was used for suspicious activity and may intimidate you into giving them personal information such as your passport, bank account number, internet banking credentials or One-Time PIN (OTP).


How to protect yourself against impersonation scams:

  • Do not follow the caller’s instructions, including allowing remote access to your electronic or mobile devices. In some cases, scammers may threaten you not to talk to anyone about your situation so that you are unable to verify if it is a scam.
  • Do not disclose your banking or card credentials and One-Time PIN (OTP), and do not lend your ATM/ Credit Card/ Hardware Token to anyone.
  • Read carefully the content of any OTP received and never disclose your OTP to anyone over the phone or to unfamiliar websites.
  • Always review any SMS or email notifications from Citibank relating to your account and report any unauthorised transactions to Citibank immediately.


Phishing


Phishing emails, also known as hoax or spoof emails, are fraudulent emails that appear to be sent from a trusted source but are, in fact, designed to trick you into revealing valuable data such as your User ID, password, card details and One-Time Pin (OTP).

Be aware of emails claiming to be Citi


  • Always check the sender's email address.
  • Remember that Citi will never ask you to confirm a payment or transaction via email.
  • If in doubt, don't click the link and report to Citi's fraud reporting service.

Be aware of websites imitating Citi


Never enter your details into a website unless you see the padlock icon + address

  • Ensure that the padlock icon is displayed on the internet browser address bar.
  • Your internet browser address bar should always display "https" instead of "http" when banking with Citi online.

SMiShing


SMiShing messages appear to be from a legitimate company and typically contain a link that takes you to a spoof website, or it may ask you to call a phone number. Even if you don't enter any information, clicking the link can lead to other problems, such as installing malicious software or dangerous viruses to your phone.

HOW TO RECOGNISE SMS FRAUD

You may receive an SMS from a fraudster posing as Citibank, requesting you to share personal information, such as account or card details.

In most cases you will be directed to a fraudulent lookalike website that requests you to enter your:

  • Card details
  • Name & Address
  • User ID & Password
  • One-Time PIN (OTP)

Fraudsters can utilise your details to make immediate purchases or fund transfers.


Security Tips

  • Remove file and printer sharing when your computer is connected to the Internet.
  • Regularly back up critical data and encrypt this data with at least 128-bit encryption.
  • Delete junk or chain emails.

Keep Your Card Safe At All Times

Here are some tips on how you can keep your card safe from fraudulent activities.


To learn more on how you can protect yourself online, click here

Your Role and Responsibility

You have an important role to play to ensure that you and your account(s) are protected while banking with us electronically. Here are some useful tips:

In September 2018, the Monetary Authority of Singapore (“MAS”) issued the e-Payment User Protection Guidelines (the “Guidelines”), which essentially set out MAS's expectations of any responsible financial institution that issues or operates a protected account. The Guidelines also cover the duties of account holders and account users of protected accounts and provide guidance on the liability for losses arising from unauthorised and erroneous transactions. The Guidelines took effect on 30 June 2019 and were last updated on 5 September 2020.

The Guidelines define:

  • (1) a "payment account" as:
    • (a) any account, or any device or facility (whether in physical or electronic form), that —
      • (i) is held in the name, or associated with the unique identifier, of any person, and is used by that person for the initiation of a payment order or the execution of a payment transaction, or both; or
      • (ii) is held in the names, or associated with the unique identifiers, of 2 or more persons, and is used by any of those persons for the initiation of a payment order or the execution of a payment transaction, or both; and
    • (b) an account which includes a bank account, debit card, credit card or charge card.
  • (2) a “payment transaction” as the placing, transfer or withdrawal of money, whether for the purpose of paying for goods or services or for any other purpose, and regardless of whether the intended recipient of the money is entitled to the money, where the placing, transfer or withdrawal of money is initiated through electronic means and where the money is received through electronic means;
    • (a) the placing, transferring or withdrawing of money for the purposes of making payment for goods or services; and
    • (b) the placing, transferring or withdrawing of money for any other purpose.
  • (3) a “protected account” as any payment account that:
    • (a) is held in the name of one or more persons, all of whom are either individuals or sole proprietors;
    • (b) is capable of having a balance of more than S$500 (or equivalent amount expressed in any other currency) at any one time, or is a credit facility;
    • (c) is capable of being used for electronic payment transactions; and
    • (d) where issued by a relevant payment service provider is a payment account that stores specified e-money.
  • (4) an "unauthorised transaction" (in relation to any protected account) as any payment transaction initiated by any person without the actual or imputed knowledge and implied or express consent of an account user of the protected account.

In accordance with the Guidelines, Citibank would like our customers and account users of protected accounts to take note of (a) their duties set out in section 3 of the Guidelines, and (b) Citibank’s duties set out in section 4 (excluding paragraph 4.3) of the Guidelines. You should note that except for paragraph 4.4 (which relates to the sending of transaction notifications i.e. Citi Alerts), section 4 of the Guidelines does not apply to Citibank in respect of any credit card, charge card or debit card issued by Citibank. Please carefully review the Guidelines here.

We would like to draw your attention to para 3.3 of the Guidelines, which provides that it is the customer/account user’s responsibility to enable transaction notifications (i.e. Citi Alerts) on any device used to receive transaction notifications from Citibank. Customers/Account users are required to opt to receive transaction notifications for all outgoing transactions (of any amount) made from your protected account, and to monitor the transaction notifications sent to you or the designated account contact. (For this reason, Citibank will assume that you will monitor such transaction notifications without further reminders or repeat notifications.)

If you wish to select threshold amounts for outgoing transaction alerts, simply login to Citibank Online at www.citibank.com.sg and navigate to 'Manage Alerts' under 'My Profile'. You will be able to amend your alerts preferences as well as your preferred mode of notification.

Please ensure that your contact information maintained with Citibank is accurate.

Some of your other duties are to protect the Unlock Code you use to authenticate any payment transaction or your identity (e.g. your password or OTP) and to protect access to your protected account such as by ensuring you have strong passwords and keeping your software updated.

An account user would be responsible for actual loss arising from an unauthorised transaction if such account user’s recklessness was the primary cause of loss. Recklessness would include the situation where the account user deliberately did not comply with the duties set out in section 3 of the Guidelines, which includes the duty to enable transaction alerts. It is therefore important to understand that the preferences you set for transaction alerts (including how low or high your selected threshold amount is, and the types of transactions for which you elect to receive notifications) would affect how the liability framework in section 5 of the Guidelines would be applied and how any claim by you in relation to an unauthorised transaction would be resolved.

You are also required to report any unauthorized transactions as soon as possible after receiving a transaction alert and to provide information on such unauthorized transactions to Citibank within a reasonable time.

Liability Framework for Unauthorised Transactions under the Guidelines

The Guidelines set out, in section 5, a liability framework relating to unauthorized transactions effected on a protected account. For the avoidance of doubt, the section 5 liability framework does not apply in respect of any Citibank credit card, charge card or debit card (this issue being addressed in the relevant cardholder agreements). Further, Customers should note that the Guidelines provide that “where any account user knew of and consented to a transaction (“authorised transaction”), such a transaction is not an unauthorised transaction, notwithstanding that the account holder may not have consented to the transaction”.

The information set out below has been distilled from section 5. However, Customers are advised to read the Guidelines.

Scenario (1): Customer is liable for actual loss

The customer will be liable for the actual loss arising from an unauthorized transaction on a protected account if the customer/account user’s recklessness was the primary cause of the loss. Recklessness would include the situation where any account user deliberately did not comply with section 3 of the Guidelines.

Scenario (2): Account holder is not liable for any loss

The customer is not liable for any loss arising from an unauthorized transaction if the loss arises from any action or omission by Citibank and does not arise from any failure by any account user to comply with any duty in section 3 of the Guidelines.

Any action or omission by Citibank includes the following:

  • (a) fraud or negligence by Citibank, its employee, its agent or any outsourcing service provider contracted by Citibank to provide Citibank's services through the protected account;
  • (b) non-compliance by Citibank or its employee with any requirement imposed by MAS on Citibank in respect of its provision of any financial service; and
  • (c) non-compliance by Citibank with any duty set out in section 4 of the Guidelines.

Scenario (3): Loss resulting from any action or omission of any independent third party

The customer is not liable for any loss arising from an unauthorized transaction that does not exceed S$1,000, if the loss arises from any action or omission by any third party not referred to in scenario (2) above, and does not arise from any failure by any account user to comply with any duty in section 3 of the Guidelines.

Other Advisory

Always make sure that you enter your User ID, Password and other confidential information on the legitimate Citibank Website by typing Citibank's Website address https://www.citibank.com.sg or https://www.citigold.com.sg directly into your Web browser.

How Citi Protects You

We're constantly updating and improving our wide variety of security measures, providing you the confidence you need when using Citi Mobile or Citibank Online.

Web Security

  • Our 128-bit SSL (Secure Sockets Layer) encryption engine provides industry standard levels of security, ensuring your information can't be accessed by anyone else.
  • The green address bar on Citi websites indicates that the site has undergone extensive vetting by our security teams and has been granted a security certificate known as an Extended Validation SSL Certificate.
  • For safety, we’ll suspend your online access if three failed login attempts are made. We’ll also block access to cash machines if the wrong PIN is entered three times.
  • You are recommended to use supported and updated browsers to ensure your internet banking is secured at all times. Learn More
  • Every time you sign in to Citibank Online, the date and time of your last visit are shown. If you didn't sign in then, this indicates that unauthorised access to your account has occurred.

2-way SMS Notification

  • Our 2-Way SMS service alerts you of any suspicious transactions on your account. It is important that you respond to us immediately:
    • You should reply to the SMS with "1" if the transaction is authorised by you or "2" if the transaction is not authorised by you.
  • Please note
    • You will receive the SMS from the number 72484 ("Short Code") if your registered mobile is a Singapore number and +65 9657 2484 ("Long Code") if your registered number is not a Singapore number*.
    • We will not ask for any additional information to be provided other than "1" or "2".
    • If you are overseas or holding onto an overseas mobile number, please send your reply to +65 9657 2484.
    • Please contact the Fraud Hotline +6563375519 if you have any issues.
  • You can stay on top of your account activities with customised Citi Alerts, where you can get SMS or email notifications whenever there is a specific transaction on your account. Learn More

Citi Mobile® Token

  • Citi Mobile® Token is a feature within the Citi Mobile® App that authenticates transactions as an alternative to other authentication methods such as Online Security Device, or One-Time PIN (OTP) via SMS.
  • The benefits of Citi Mobile Token are:

    SECURE

    Protected by a 6-digit Unlock Code chosen by you and restricted to one device of your choice.

    INSTANT

    Enter your unique Unlock Code to instantly authenticate your transactions initiated in Citi Mobile® App on your Citi Mobile® Token enabled device. No more waiting for an OTP via SMS, or worrying about misplacing your Online Security device.

    EASY

    Authenticates all online transactions such as payments and transfers, adding new payee and updating your contact details. It also generates OTP for online purchases.

  • With the Citi Mobile® Token, you can instantly authenticate all transactions initiated in the Citi Mobile® App. You can also instantly generate OTP with your unique Unlock Code to authenticate transactions on Citibank Online or for online purchases. To learn more, click here
  • After enrolling to Citi Mobile® Token, you should not share or reveal your Unlock Code to anyone, including Citibank.

Misplaced your card? Lock your card on the Citi Mobile® App

  • If you’ve misplaced your card, you can temporarily lock your card in the Citi Mobile® App so that no one else can use it. You can unlock your card just as easily when you need to.
  • While your card is locked, you will not be able to use it for point-of-sale transactions. However, any recurring payment instructions that you may have established on your card will not be affected.
  • To terminate your card and request for a replacement if your card is lost or stolen, please call our Citiphone hotline.

Contact Us

If you suspect there are unauthorised transactions on your account or you wish to report suspicious emails, SMS messages or phishing websites:

Step 1

Call

  • CitiPhone banking: (65) 6225-5225
  • Commercial Bank hotline: (65) 6238 8833

Email: spoof@citicorp.com.

 

Step 2

Change your Citibank Online User ID, Password and ATM PIN immediately.