Learn how we protect your banking experience at Citi, and how you can protect yourself against identity theft and other security risks at the same time.
As the first step to protect your accounts, we’ll educate you on the different types of fraud that exist – from discovering how to spot and stop fraud, to the additional preventive steps that you can take.
Always remember to check that the citibank.com.sg website has a valid certificate marked Citigroup Inc. [US] and a padlock symbol in the web address bar when you access Citibank Online.
Customers of Citibank Singapore Limited are advised to check this page regularly for the latest security alerts and/or news. If you are unsure whether any call, email or SMS is genuinely from Citibank, please contact us immediately and refrain from taking any further action. Whilst Citibank strives to provide you with the latest security alerts and/or news, please note that this webpage and the examples of scams/phishing listed here are not exhaustive. For latest news on scams/phishing, please refer to www.scamalert.sg which is a website owned and operated by the National Crime Prevention Council of Singapore.
Date: 15 September 2023
With the increase and prevalence of malware scams, scammers are employing increasingly sophisticated tactics to deceive users into installing malicious apps (malware) on their devices. Once a malicious app is installed, scammers can remotely access your device and steal sensitive information, including personal data and banking credentials to perform fraudulent monetary transactions.
As part of our ongoing efforts to provide you with a safe and secure banking environment, we have introduced a new security update on the Citi Mobile® App.
To protect your online banking data, we have enhanced the Citi Mobile® App to restrict your access in the event we detect any apps/tools with risky permission settings attempting to gain access to the Citi Mobile® App on your device.
In order for you to continue accessing the Citi Mobile® App, you are required to disable any risky permission settings (for e.g. stop screen sharing/broadcasting/control) on the other app/tool.
Once such risky permission settings have been disabled, your access to the Citi Mobile® App will no longer be restricted and you may proceed with usage of the Citi Mobile® App.
We will be detecting the following 4 potential risky permission settings on apps/tools attempting to access the Citi Mobile® App on your device:
1) Be Vigilant — Stay Safe and Not Sorry: If the price of an offer is too good to be true, it probably is. Be vigilant and verify the legitimacy of the offer with the company via official sources. Consult your family, friends, or colleagues if you are unsure.
2) Avoid Installing Unknown Apps: Refrain from downloading apps from third-party websites and only download from official app stores like Apple AppStore and Google Play Store. Malicious apps may request for permissions, such as “Accessibility Services”, that are unrelated to their intended functionalities. Review app permissions carefully during installation and reject any suspicious requests.
3) Be Wary of Unusual Payment Requests: Be cautious if the offers require you to use unconventional payment methods, such as gift cards or cryptocurrency. These methods are often favoured by scammers because they are difficult to trace and reverse.
4) Share with Care: Always verify the legitimacy of the offer before sharing with your family, friends, and colleagues. If in doubt, avoid sharing it or enlist their assistance in helping you verify the legitimacy.
1) Switch your Device to Flight Mode: If you suspect your device has been infected by malware, switch your device to the flight mode immediately to disconnect from the Internet. This will prevent the scammers from further accessing your device remotely.
2) Activate Kill Switch immediately: On a secondary/uncompromised device, login to the Citi Mobile® App > Settings & More > Activate Kill Switch. Alternatively you can login to Citibank Online or call Citiphone +65 6225 5225 to activate Kill Switch. Click here for more information on activating Kill Switch.
3) Identified Unauthorised Transactions: If there are any unauthorised transactions detected in your bank account(s), contact Citiphone immediately at +65 6225 5225.
4) Report the incident to the police: Reach out to the police and lodge a report.
5) Run an anti-virus scan on your device: Use an anti-virus software which you have downloaded from verified or legitimate sources to scan and remove any malware detected in your device to ensure that known malware in your device is identified and removed.
Date: 13 June 2022
Thinking about travelling abroad any time soon? With the announcement of the simpler Vaccinated Travel Framework, Singaporeans will now be able to travel abroad easily. If you are planning to travel abroad, please be reminded to stay vigilant during your travels and to keep your credit and debit cards safe to avoid any fraud or theft.
Do not leave your handbags/wallets and cards unattended (e.g. in the overhead compartments of planes or coaches etc.). Use your hotel’s safe to store important documents such as your passport or spare credit card. If your hotel does not provide this option, you can use a lockable suitcase – always remember to lock your suitcase when left unattended. |
Beware of strangers and always check that your wallets/cards are in your possession. |
Be aware of common scams at your travel destination (e.g. elaborate begging or street vendor scams, taxi scams). |
Ensure that the correct card is returned to you after any purchase. |
Be alert at crowded places (e.g. trains, markets, shopping centres, airports etc.). Be wary of where you keep your wallet and watch out for people who bump into you, as they may be trying to swipe it. |
Your credit card information may be stolen digitally via radio-frequency identification (RFID) skimmers. You can consider protecting yourself using RFID-blocking travel wallets during your travels. |
For Credit Cards: |
|
Step 1: Lock your credit card immediately via the Citi Mobile® App so no one else
can use it.
|
|
Step 2: Report as lost or stolen via the Citi Mobile® App. | |
Step 3: If you would like to terminate your card and request for a replacement, please call our CitiPhone hotline available on the Citibank website. | |
For Debit Cards: |
|
Deactivate your debit card by reporting it as lost and blocking your card(s)
permanently.
|
Check if your contact details with the bank is updated
Ensure that all your contact details with the bank are updated so that we can contact you immediately in the case of fraudulent activity. Do note that if you change your SIM card whilst overseas, Citibank will not be able to contact you. To update your contact details, you may log in to the Citi Mobile® App and navigate to “Profile and Settings”. Alternatively, you may also log in to Citibank Online and select “My Profile”. |
Enable your Citialerts to stay updated on your transactions
Ensure that your Citialerts are enabled via Citibank Online so that you can be notified on any transactions on your card(s) and account(s). You will be notified on online outgoing funds transfer from your banking accounts which is S$1 and above. Note: If you have opted to receive SMS for your Citi Alerts, please ensure that you do not swop out your SIM card with the phone number registered with Citi. If you detect any unauthorised transactions on your card(s) and account(s), please report it to us by calling our CitiPhone hotline available on our Citibank website. |
Lock your credit card via the Citi Mobile® if you are not intending to use it overseas
To lock your card, click on “Manage” on your card on the Citi Mobile® App. You may unlock your card just as easily when you need to. |
Date: 05 MAY 2022
There are scammers calling victims and pretending to be a government official (e.g., a police officer, immigration officer, or court official), an employee, or a representative from a bank or courier company. The scammers will use scam tactics to get you to provide your personal banking information, surrender monies to them for investigation, or download remote access software to extract your personal information.
Be wary of impersonation scams and stay vigilant by learning about different impersonation tactics and what to look out for.
Please note that no foreign law enforcement or authority can investigate offences here in Singapore, and no public authority can request that you open a bank account or access your online banking account.
China Official ImpersonationThis scam involves a scammer calling victims and pretending to be a government official or employee of a Chinese bank or courier company, claiming that your identity was used to send parcels containing fake passports, weapons, or to apply for overseas credit cards, involved in money laundering. The victims will be threatened to give personal information such as passport or bank account number, internet banking credentials, or One-Time Password (OTP). |
Police ImpersonationThis scam involves unsolicited robocalls claiming to be from government agencies, transferring you to messaging applications (e.g., Whatsapp, Telegram, LINE) where you will be contacted by a fake policeman. The scammers will share forged documents such as warrant cards, police reports of arrest, or even wear police uniforms with police IDs to dupe and gain the trust of victims. The victims will be instructed to surrender their monies for investigation by making transfers to various bank accounts or to pass the money in person based on the promise that the monies will be returned after investigation. There have been cases where scammers will ask victims to provide banking credentials and set up an e-GIRO link to the victims’ bank account to top up their e-wallets (e.g., Grab e-wallets). |
Telecommunication Representative Impersonation (“Tech Scam”)This scam involves scammers calling victims (typically to their home lines to avoid caller ID) pretending to be a representative from a telecommunication company, where they claimed to have noticed that you have been facing issues with your Wi-Fi or phone lines. The victims will be prompted to download remote access software such as TeamViewer so the scammer can to remotely view your screen as you key in your personal information like banking credentials and OTP. |
Calls or messages from courier companies, telcos, or government agencies asking you for your personal particulars, bank account details, or OTPs. Please note that no local government agency/police will contact you using robocalls and instruct you to transfer money to designated bank accounts for investigation or ask for your personal banking information. | |
Scare tactics that link you to crimes such as pending court cases, your mobile number being used in a crime, your Wi-Fi being compromised, or urgent requests that require your immediate attention. | |
Threats by the caller to escalate matters to the police if you do not cooperate. | |
Numbers calling from a ‘+’ number, even if it is ‘+65’, does not mean it is from Singapore. |
Always verify the caller’s organisation or information shared directly with the source if you are unsure. |
Beware of incoming calls with the "+" prefix as the calls are international incoming calls. |
Never disclose personal particulars, banking, and credit card details and OTPs to anyone, especially over unsolicited phone calls. |
Do not install any software or grant remote access to your devices. |
Hang up immediately if the caller cannot identify himself properly. |
Do not click on URL links provided in unsolicited emails and text messages. |
Citibank customers are advised to install ScamShield (from Government Technology
Agency) from the iOS App Store. The application allows you to block spoofed calls and
SMSes based on a list from the Singapore Police Force, and report scam messages/calls
via the in-app reporting.
For more details, please refer to www.scamshield.org.sg |
Date: 04 May 2022
There are scammers sending unsolicited job offers via messaging apps or social media, offering high-paying jobs that require little effort and no experience but victims are required to pay fees or transfer monies before earning commissions. Be wary of unsolicited job offers and stay vigilant by learning about different job scams and what to look out for.
Affiliate Marketing Job ScamThis is a job scam requiring victims to complete easy tasks such as liking social media posts to earn commissions. Victims are instructed to sign up for job packages by making upfront payments but will not receive further commissions after the initial commission. |
|
|
Fake Mobile App Job ScamThis is a job scam requiring victims to download a fake mobile application and top up funds into their accounts for buying and selling products or transferring money or cryptocurrency to bank accounts. Victims will not be able to withdraw their money or commission reflected on the fake mobile app. |
|
|
Warning Letter Job ScamThis is a job scam evolving from the fake mobile app scam where victims who try to quit the job and withdraw money from their accounts, will receive a fake warning letter with a letterhead of local authorities stating that their accounts would be frozen with legal implications. Victims will then be further pressured to make more fund transfers to avoid claimed legal action. |
|
|
EXAMPLE 1 |
EXAMPLE 2 |
You are contacted for a job |
You are promised a large sum of money for very little work or if the salary range is way out for your experience, then be wary. Easy jobs that offer lucrative commissions are simply too good to be true. |
You receive an offer from a free email account eg., @yahoo.com, @gmail.com. |
You are asked to transfer funds to bank accounts or cryptocurrency wallets belonging to individuals that you have not met in person. |
You are asked for confidential information, including bank and credit card details over messaging apps or emails. |
You are hired directly without an interview or meeting your potential employer. |
You are asked to download dubious mobile |
Ignore unsolicited job offers from dubious sources. |
Verify the legitimacy of the job offer directly with the company concerned. |
Do not share personal and banking information, including OTPs. |
Never transfer money/cryptocurrency to strangers or anyone you have not met. |
Do not use your bank account to conduct |
Date: 04 May 2022
There has been a re-emerging trend of scammers pretending to be from the bank contacting victims through a spoofed Citibank Hotline or spoofed SMS headers. They would claim that there are suspicious activities on the victim’s account or that the victim’s cards have been suspended.
Do not fall prey to such scams, as scammers can use the information you provide to them to make unauthorised transactions on your credit/debit cards or bank accounts. To ensure the legitimacy of the links, they should start with https://www.citibank.com.sg/ when you click in.
Example 1 |
Example 2 |
Example 3 |
Example 4 |
The scammers send SMSes with spoofed
Citibank Headers to victims, informing them
that their accounts have been suspended for
security reasons. |
The scammers usually instruct the victims to contact a phone number or click a link to reactivate their accounts. |
Upon calling the number or clicking on the
links, victims are instructed to provide
their personal and banking details for
further verification.
|
The scammer requests the victim to provide account details and OTP (One-Time PIN). |
Fraudulent transactions will then take place on the account. |
Be wary of fake SMS messages with spoofed Citibank Headers. Do also check for grammatical and/or spelling errors. |
Verify the content by calling Citibank directly or reaching us via secured email. |
Never disclose your personal, bank account, credit/debit card details, or OTP to anyone. |
Report any fraudulent credit/debit card charges or account transfers to Citibank immediately. |
The scammer impersonates a 'Bank officer' and calls the victim from phone number +65 6225 5225. |
The scammer informs the victim that there is suspicious activity on the victim’s account and proceeds to ask questions to verify that he/she is the customer. |
The scammer informs the victim that there is a fraudulent transaction on his/her bank account. |
The scammer informs the victim that a bank account has been created at a Citibank branch. The scammer then says that there are two large amount transfers done under the victim’s account (e.g., $100,000 and $150,000). |
The scammer informs the victim that a deposit has been made and the victim has a current account with a fraudulent transaction. |
The scammer requests the victim to provide account details and OTP (One-Time PIN). |
Fraudulent transactions will then take place on the account. |
In all the above scenarios, scammers may ask for your account number, login details, password, and inform you to lodge a Police report.
In some cases when you inform them that you did not open such an account with the bank, they might pretend to transfer you to the Commercial Affairs Department (CAD) to report the fraud application. The person claiming to be from ‘CAD’ may provide you with a reference number for his report (e.g., CAD#63250000) and ask for your personal and banking details such as your NRIC number or credit card number.
Ignore suspicious-looking calls coming from a ‘+’ number. |
Be wary of providing full bank, debit, and credit card details when asked. |
Citibank will never ask you to provide your OTP or passwords to us. Always verify that the OTP you are entering is related to the transaction that you are performing. This includes authorising an online purchase or adding your credit/debit card to your mobile wallet (Apple, Google, or Samsung Pay) or when the SMS OTP is triggered for your Citi Mobile® App registration. |
Hang up immediately, block, and report if the caller cannot identify themselves. |
Call our hotline numbers directly found behind your debit or credit card, the Citi Mobile® App, or Citibank website if you are suspicious or unsure. |
Date: 1 December 2021
Have you received a suspicious call claiming to be from a telecommunication company, government ministry or an online shopping site? There has been a rise of call related scams where scammers will call you claiming to be a representative from a reputable company and asking for your sensitive personal information such as Credit Card or banking details and OTP (One-Time Pin).
Stay vigilant and safeguard yourself from these call related scams as scammers can use the information you provide to them to make unauthorised transactions on your credit/debit cards or bank accounts.
ALWAYS
|
NEVER
|
Date: 3 September 2021
There has been an increasing trend of phishing scams where scammers trick victims into providing sensitive banking information such as their login credentials, One-Time Pin (OTP), bank account and/or card details, including expiry date and CVV. The scammers use digital platforms of email, SMS, messaging platforms, social media and online advertisements.
It is important that you familiarise yourself with the nature of these common scams to protect yourself from fraudulent fund transfers or charges to
your cards.
ALWAYS
|
NEVER
|
Date: 11 June 2021
There has been a re-emerging trend of scammers pretending to be from the bank
contacting victims through a spoof Citibank hotline or spoof SMS headers. They would
claim that there are suspicious activities on the victim’s account or that the
victim’s cards have been suspended.
Do not fall prey to such scams, as scammers can use the information you provide to
them to make unauthorised transactions on your credit/debit cards or bank accounts.
The scammer impersonates a ‘Bank officer’ and calls the victim from phone number +65 6225 5225. |
The scammer informs the victim that there is a suspicious activity on the victim’s account and proceeds to ask questions to verify that he/she is the customer. |
The scammer requests the victim to provide account details and OTP (One-Time PIN). |
Fraudulent transactions will then take place on the account. |
Example 1 |
Example 2 |
Be wary of fake SMS messages with spoof Citibank headers. Do also check for grammatical and/or spelling errors. |
Verify the content by calling Citibank directly or reach us via secured email. |
Never disclose your personal, bank account, credit/debit card details or OTP to anyone. |
Report any fraudulent credit/debit card charges or account transfers to Citibank immediately. |
Date: 10 February 2021
Due to the current pandemic situation, more people are making payments through e-Wallets such as Apple Pay, Samsung Pay and Google Pay. Recently, there has been an increase in phishing attempts relating to e-Wallets. Hence, it is important that you stay vigilant and familiarise yourself with common scams that take place relating to e-Wallets.
An e-Wallet allows you to turn your smartphone into a mobile
wallet and experience a faster, more convenient and secure way
to pay with just a tap. All you need to do is add your Citi
Cards to the mobile wallet (such as Apple Pay/Samsung Pay/Google
Pay), tap and pay at merchant terminals or online for merchants
that accept e-Wallet as a payment mode.
Click here to learn more about Mobile Payments. |
An e-Wallet scam typically involves the fraudster sending a phishing email or SMS to the victim to request for the victim’s card details on the pretext that the victim’s card details are outdated and require updating, that card details are required to make a refund/credit to them or to deliver a parcel to them. The victim clicks on the URL and is prompted to enter his/her card details and One-Time PIN on a fraudulent website. The fraudster uses these card details to add the victim’s card details into the fraudster’s e‑Wallet. The fraudster then uses this e-Wallet to make transactions which will be charged to the victim’s card. |
What should you look out for?
Emails and text messages making fake offers or claims to trick
recipients into clicking a link, e.g. payment for parcel
delivery, disruptions to services or subscriptions, refunds or
promotions. |
Link redirects victims to fraudulent websites and tricks them into providing credit card details and One-Time PIN (OTP) sent to their phone so credit card can be added to third party wallet (Apple Pay/Samsung Pay/Google Pay) to make unauthorised transactions. |
Match the last four digit of the Device/Digital/Virtual Account Number shown on your device to the last four digit of the Device Account Number mentioned in the email alert sent to your registered email address by Citibank Singapore, upon enrollment of your card to your e-Wallet.
ALWAYS
|
NEVER
|
Date: 19th October 2020
We have been alerted of customers receiving unsolicited text messages from unlicensed moneylenders offering loan and loan services.
The message may purport to be sending from "Citibank" or other financial institutions to convince you that they are legitimate. Victims were instructed to transfer monies to the fraudster as a deposit before the loan can be disbursed. After the victims have transferred the monies, the victims find that the fraudsters are no longer contactable.
What you should do
Ignore the message |
Block and report the numbers on the platform where you received the message |
For more information, please refer to www.scamalert.sg.
Date: 24th July 2020
In the first 3 months of 2020, at least S$41.3 million were lost to scammers, based on cases that were reported to the Singapore Police.
As of 5 June 2020, it was reported in the news that more than S$7 million has been lost to scammers who were posing as technical support staff from January to April 2020, an increase of more than 40 times from the same period in 2019.
We would like to remind our customers to be wary of phone calls or SMSes claiming to be from banks, government agencies, courier or telco companies or any technical support teams requesting for you to provide them with your banking or log in credentials, perform funds transfers or asking you to update your information with them.
These calls/SMSes prey on your fears by making you think that your data/accounts have been compromised or that there are illegal activities linked to you, your account or your IP address.
In these calls:
We set out below, a step-by-step flow of the latest impersonation and technical support scams that have been reported. Please take some time to read this and share with your family and loved ones.
Here is a typical flow of impersonation scam:
Customer receives a call from someone claiming to be from a Bank/Telco/Government agency/ Courier company, informing him/her that his/her internet account has been hacked and used for illegal activities.
The call is then transferred to a Police/Interpol/Cybercrime police etc.
Customer is advised by the impersonator to download a screen sharing software and then log in to his/her Citi account during the screen sharing, in order to catch the fictitious hacker.
In certain cases, impersonator will provide the payee details to customer and advise customer to perform the fund transfer to the payee directly.
During screen sharing, impersonator is able to see customer’s User ID, Password and One-time PIN (OTP). He then uses the OTP to download Citi Mobile® Token, adds a payee and performs fund transfer or advises you to add payee and perform fund transfer to the payee.
Customer is told to ignore all SMS alerts from Citi as that is the bank’s practice. Any amount transferred will be refunded to him/her as it is used as a “bait” to catch the hacker. The impersonator will assure the customer that the money will be returned the customer.
When customer tries to call the impersonator to check on the return of funds, the impersonator is uncontactable. Monies would have already been transferred out of his/her banking accounts.
Below is a typical flow of a technical support scam.
Date: 24th April 2019
Description: Do not use 3rd Party Mobile Applications / Websites for viewing Online Banking Details
We are aware that there are 3rd Party Mobile Applications / Websites that allow customers to have a consolidated view of their financial expenses / transactions across multiple banks, credit card, investments, equity trades, and loan accounts in one place.
Citibank would like to remind our customers not to download any 3rd Party Mobile Applications / Websites to view / access your Citibank Online accounts. There is a potential risk of your online banking credentials being compromised as Username and Password has been shared with the application.
To protect yourself, always exercise the following precautions:
Use of Citibank Online is personal to you and no third party should be allowed to access/view your account/account information via Citibank Online, whether or not you have consented to such third party’s access. This is to prevent any unauthorized access or use of your account and account information. You are responsible for keeping any of your log-in credentials (including User ID and Password) confidential and you cannot reveal your log-in credentials to any third party.
Where you have revealed your log-in credentials to a third party, please note that Citibank is not liable for and you have to compensate us for any losses arising out of any use of your log-in credentials. In such an event, we also have the right, from a risk management perspective, to suspend your access to Citibank Online at any time.
Date: 14th April 2019
Description: Please note that we will send you email notifications from the following Citibank email addresses.
Email Addresses |
---|
alerts@citibank.com.sg |
statements@citibank.com.sg |
advices@citibank.com.sg |
welcome@citibank.com.sg |
marketing@citibank.com.sg |
services@citibank.com.sg |
chargeback@citibank.com.sg |
customerservice@citibank.com.sg |
client@experience.citi.com |
customerservice@thankyou.citi.com |
Date: 5th September 2018
Description: Be alert to emails and SMS scams.
We would like to remind our customers to remain vigilant when responding to emails and SMS messages from senders masquerading as popular brands, often requesting for you to:
As a further tactic to convince victims of the authenticity of these scams, a One-Time Pin (OTP) will be sent to the mobile phone number that you've just provided. Unfortunately, with the successful solicitation of this information, the scammer would have gathered the necessary details to perform unauthorized transactions on your Citi Cards.
Date: 7th August 2018
Description: We have detected phishing emails and webpages targeting Citi customers. These phishing emails comes from a non-Citi email address and requests Citi customers click on a hyperlink to unlock / update their online banking / credit card account.
If a customer falls victim to the phishing email and clicks on the hyperlink, they will be redirected to a page URL that is not official Citi website, requesting for a user's information (Username and Password), followed by a request to provide an SMS OTP. Such websites are used to conduct card not present transactions but may also be utilized in order to steal personally identifiable data, username-password combinations, OTPs or infect a user's device as well as fraudulent enrollment of Citi © Mobile Token (which may be used to carry out payments to these fraudsters).
Date: 20th July 2018
Description: SingHealth has reported a data breach affecting more than 1.5 million SingHealth patients. Patient data stolen included personally identifiable information such as names, addresses, birthdays, and NRIC numbers. Approximately 160,000 patients had details of medical prescriptions stolen. Stolen credentials may be used to conduct social engineering and phishing scams. Such scams utilize personally identifiable information to appear legitimate.
Date: 20th May 2018
Description: We have detected multiple Phishing Emails. The sender email addresses varies from those ending with @gmail.com, @hotmail.com, @yahoo.com, etc. They contain messages including the requirement to update account details due to system maintenance or "New Message from Citibank". A hyperlink that purports to be a Citibank hyperlink (but is not) is also included in the message and takes customer to URLs that does not belong to official Citibank. The site has the same look and feel of that of Citibank Online. Such websites are designed to trick users into providing their online banking and credit card details to conduct fraudulent / unauthorized bank transfers and / or credit card transactions. Credit Card details provided could also be used to enroll for Payment Wallets such as Samsung Pay, Android Pay, Google Pay and Apple Pay.
Here are few types of fraud and the preventive steps that you can take to prevent yourself from becoming a victim.
Impersonation scams are calls from people claiming to be government officials or staff members of any agency asking for personal details. Callers may claim your identity was used for suspicious activity and may intimidate you into giving them personal information such as your passport, bank account number, internet banking credentials or One-Time PIN (OTP).
Do not follow the caller’s instructions, including allowing remote access to your electronic or mobile devices. In some cases, scammers may threaten you not to talk to anyone about your situation so that you are unable to verify if it is a scam. |
Do not disclose your banking or card credentials and One-Time PIN (OTP), and do not lend your ATM/ Credit Card/ Hardware Token to anyone. |
Read carefully the content of any OTP received and never disclose your OTP to anyone over the phone or to unfamiliar websites. |
Always review any SMS or email notifications from Citibank relating to your account and report any unauthorised transactions to Citibank immediately. |
Phishing emails, also known as hoax or spoof emails, are fraudulent emails that
appear to be sent from a trusted source but are in fact, designed to trick you into
revealing valuable data such as your User ID, password, card details and
One-Time Pin (OTP).
Be aware of emails claiming to be Citi
Be aware of websites imitating Citi
SMiShing messages appear to be from a legitimate company and typically contain a link that takes you to a spoof website, or it may ask you to call a phone number. Even if you don't enter any information, clicking the link can lead to other problems, such as installing malicious software or dangerous viruses to your phone.
You may receive an SMS from a fraudster posing as Citibank, requesting you to share personal information, such as account or card details.
In most cases you will be directed to a fraudulent lookalike website that requests you to enter your:
Fraudsters can utilise your details to make immediate purchases or fund transfers.
Here are some tips on how you can keep your card safe from fraudulent activities.
To learn more on how you can protect yourself online, click here
You have an important role to play to ensure that you and your account(s) are protected while banking with us electronically. Here are some useful tips:
The E-Payments User Protection Guidelines (the “Guidelines”) issued by the Monetary Authority of Singapore (“MAS”) set out the expectations of MAS of any responsible financial institution that issues or operates a protected account. The Guidelines also cover duties of account holders and account users of protected accounts, and provide guidance on the liability for losses arising from unauthorised and erroneous transactions.
Some important definitions in the Guidelines include:
In accordance with the Guidelines, Citibank would like our customers and account users of protected accounts to take note of (a) their duties set out in section 3 of the Guidelines, and (b) Citibank’s duties set out in section 4 (excluding paragraph 4.3) of the Guidelines. You should note that except for paragraphs 4.2 to 4.6, 4.10 to 4.12 and 4.14 to 4.16, section 4 of the Guidelines do not apply to Citibank in respect of any credit card, charge card or and debit card issued by Citibank. Please carefully review the Guidelines here.
We would like to draw your attention to para 3 of the Guidelines which provides for the customer/account user’s duties. Some of these duties are highlighted below. These are not intended to be exhaustive and you should refer to the Guidelines (link above) for further details on customer/account user’s duties.
(a) Provide contact information, opt to receive all outgoing transaction notifications and monitor notifications. It is your responsibility to provide us with complete and accurate contact information in order for us to send you notification alerts for transactions, activation of digital security token and the conduct of high-risk activities. You are also responsible to (i) enable notification alerts via SMS, email or in-app/push notification (i.e. Citi Alerts) on any device (used to receive transaction notifications from Citibank); (ii) opt to receive notification alerts for all outgoing transactions of (any amount that is above the transaction notification threshold) made from your protected account, activation of digital security token and the conduct of high-risk activities made from your protected account, and (iii) monitor the transaction notifications sent to you or the designated account contact. (For this reason, Citibank will assume that you will monitor such notification alerts without further reminders or repeat notifications.)
If you wish to update your transaction notification threshold and preferred mode of notification for outgoing transaction alerts, please log in to the Citi Mobile® App and select “Manage alert preferences”. For International Personal Bank Singapore customers, you can log in to Citibank Online and navigate to 'Manage Alerts' under 'My Profile'.
(b) Protect your access codes. You should protect the access codes that you use to authenticate any payment transaction or your identity (e.g. your password or OTP) and not voluntarily disclose these to any third party, including the staff of Citibank. You should not keep a record of any access code in a way that allows any third party to easily misuse the access code.
(c) Secure access to your protected account. You should only download our Citi Mobile App from official sources. You should ensure that you have strong passwords and install and maintain your device with the latest anti-virus software. You should not root or jailbreak your device nor download and install applications from third-party websites outside official sources (“sideload apps”), in particular, unverified applications which request device permissions that are unrelated to their intended functionalities.
(d) Read content sent with access codes. You should read the content of the messages containing the access codes and verify that the stated recipient or activity is intended prior to completing transactions or high-risk activities.
(e) Obtain Citibank’s website addresses and phone numbers from official sources and contact Citibank using contact details from official sources. You should refer to official sources (for example the MAS Financial Institutions Directory, the Citi Mobile App or the back of your Citibank-issued credit card or debit card) to obtain our website addresses and phone numbers.
(f) You should not click on links or scan QR codes. You should not click on links or scan QR codes purportedly sent by Citibank unless you are expecting to receive information on Citibank products and services via these links or QR codes. Citibank will not send you links or QR codes which directly result you in providing us any access code or to make a payment transaction or high-risk activity.
(g) You should understand the risks and implications of performing high-risk activities. Before performing any high-risk activities, you should read Citibank’s risk warning message and ensure you understand the risks and implications of proceeding. By proceeding, you are deemed to have understood the risks and implications as presented by Citibank.
(h) You should report unauthorised activities on your protected account and provide the required information to Citibank. You should report any unauthorised activity on your protected account to Citibank as soon as practicable, and no later than 30 calendar days after receipt of any transaction notification alert for any unauthorised activity. In connection with your report, you should provide us with any of the information as set out in section 3.18 of the Guidelines upon our request within a reasonable time.
(i) You should activate the Citibank Kill Switch. If you are notified of any unauthorized transactions and have reason to believe that your account has been compromised or if you are unable to contact Citibank, you should activate the Citibank Kill Switch available on the Citi Mobile App, as soon as practicable, to block further mobile and online access to your protected account. Please refer to https://www.citibank.com.sg/personal-banking/online-services/kill-switch for more details.
(j) You should make a police report if you suspect you are a victim of scam or fraud. Citi requires you to provide a police report to facilitate our claims investigation process. You should fully cooperate with the Police and provide evidence (such as furnishing your mobile device to the Police for forensics investigation).
An account user would be responsible for actual loss arising from an unauthorised transaction if such account user’s recklessness was the primary cause of loss. Recklessness would include the situation where the account user deliberately did not comply with the duties set out in section 3 of the Guidelines, which includes the duty to enable transaction alerts. It is therefore important for you to read and understand your duties under section 3 of the Guidelines and to understand that the preferences you set for transaction alerts (including how low or high your selected threshold amount is, and the types of transactions for which you elect to receive notifications) would affect how the liability framework in section 5 of the Guidelines would be applied and how any claim by you in relation to an unauthorised transaction would be resolved.
As set out in the Guidelines, examples of conduct that constitute recklessness and could lead to losses from unauthorised transactions include:
The Guidelines set out in section 5, a liability framework relating to unauthorized transactions effected on a protected account. For the avoidance of doubt, the section 5 liability framework does not apply in respect of any Citibank credit card, charge card or debit card (please refer to the relevant cardholder agreements for the terms regarding liability).
Further, Customers should note that the Guidelines provide that “where any account user knew of and consent to a transaction (“authorised transaction”), such a transaction is not an unauthorised transaction, notwithstanding that the account holder may not have consent to the transaction.
The information set out below has been distilled from section 5 of the Guidelines and is not intended to be exhaustive. Customers are advised to read the Guidelines for full details.
Scenario (1): Customer is liable for actual loss
The customer will be liable for the actual loss arising from an unauthorized transaction on a protected account if the customer/account user’s recklessness was the primary cause of the loss. Recklessness would include the situation where any account user deliberately did not comply with section 3 of the Guidelines. Please also refer to the above examples of conduct that constitute recklessness.
Scenario (2): Customer is not liable for any loss
The customer is not liable for any loss arising from an unauthorized transaction if the loss arises from any action or omission by Citibank and does not arise from any failure by any account user to comply with any duty in section 3 of the Guidelines.
Any action or omission by Citibank includes the following:
Scenario (3): Loss resulting from any action or omission of any independent third party
The customer is not liable for the first S$1,000 of loss arising from an unauthorised transaction, if the loss arises from any action or omission by any third party not referred to in scenario (2) above, and does not arise from any failure by any account user to comply with any duty in section 3 of the Guidelines.
Last updated: 16 December 2024
Always make sure that you have entered your User ID and Password and other confidential information in the legitimate Citibank Website by entering Citibank's Website address https://www.citibank.com.sg or https://www.citigold.com.sg directly onto your Web browser.
We're constantly updating and improving our wide variety of security measures, providing you the confidence you need when using Citi Mobile or Citibank Online.
Our 128-bit SSL (Secure Sockets Layer) encryption engine provides industry standard levels of security, ensuring your information can't be accessed by anyone else.
The benefits of Citi Mobile Token are:
Protected by a 6-digit Unlock Code chosen by you and restricted to one device of your choice.
Enter your unique Unlock Code to instantly authenticate your transactions initiated in Citi Mobile® App on your Citi Mobile® Token enabled device. No more waiting for an OTP via SMS, or worrying about misplacing your Online Security device.
Authenticates all online transactions such as payments and transfers, adding new payee and updating your contact details. It also generates OTP for online purchases.
If you suspect there are unauthorised transactions on your account or you wish to report suspicious emails, SMS messages or phishing websites:
Call
Email: spoof@citicorp.com.
Change your Citibank Online User ID, Password and ATM PIN immediately.
Social Media Impersonation Scam
Date: 24 May 2021
Stay vigilant online against the recent increase of Social Media impersonation and phishing scams. It is important that you familiarise yourself with the nature of these common scams to protect yourself from fraudulent fund transfers or charges to your cards.
What do Social Media Impersonation Scams Look Like?
The scammer contacts you via social media platforms such as Facebook messenger or Instagram impersonating as your friend, family member or follower by using comprised or spoofed social media accounts.
The scammer requests for your mobile phone number and/or mobile phone provider on the pretext of helping you sign up for fake contests or promotions on online shopping platforms.
The scammer asks for your credit card details, including your card number, expiry date and the three digits on the back of your card, on the pretext of helping you claim a prize or reward.
Some scammers are able to provide personal information to convince you of their identity.
The scammer then asks for the SMS OTP from your mobile phone to access your account until you suspect something is wrong or your credit limit is reached.
What Should You Look Out For?
What do Phishing Scams Look Like?
You receive an SMS, email, pop-up message or advertisement regarding an incredible offer on Instagram or Facebook.
After clicking on the link, you are directed to a website that resembles the actual company’s website.
You are required to enter your credit card details, including your card number, expiry date and the three digits on the back of your card.
You are prompted to enter your OTP to complete the transaction.
What Should You Look Out For?
Important things to take note of
ALWAYS
NEVER