- Home
- |
- Banking
- |
- Instant Access
- |
- Online & Mobile Services
- |
- Online Services
- |
- Security Centre
Learn how we protect your banking experience at Citi, and how you can protect yourself against identity theft and other security risks at the same time.
As the first step to protect your accounts, we’ll educate you on the different types of fraud that exist – from discovering how to spot and stop fraud, to the additional preventive steps that you can take.
Always remember to check that the citibank.com.sg website has a valid certificate marked Citigroup Inc. [US] and a padlock symbol in the web address bar when you access Citibank Online.
Online Security Tips
Security Alerts and Information
Customers of Citibank Singapore Limited are advised to check this page regularly for the latest security alerts and/or news. If you are unsure whether any call, email or SMS is genuinely from Citibank, please contact us immediately and refrain from taking any further action. Whilst Citibank strives to provide you with the latest security alerts and/or news, please note that this webpage and the examples of scams/phishing listed here are not exhaustive. For latest news on scams/phishing, please refer to www.scamalert.sg which is a website owned and operated by the National Crime Prevention Council of Singapore.
Introducing new security updates on your Citi Mobile® App
Date: 15 September 2023
With the increase and prevalence of malware scams, scammers are employing increasingly sophisticated tactics to deceive users into installing malicious apps (malware) on their devices. Once a malicious app is installed, scammers can remotely access your device and steal sensitive information, including personal data and banking credentials to perform fraudulent monetary transactions.
WHAT CITI IS DOING FOR YOU
As part of our ongoing efforts to provide you with a safe and secure banking environment, we have introduced a new security update on the Citi Mobile® App.
To protect your online banking data, we have enhanced the Citi Mobile® App to restrict your access in the event we detect any apps/tools with risky permission settings attempting to gain access to the Citi Mobile® App on your device.
In order for you to continue accessing the Citi Mobile® App, you are required to disable any risky permission settings (for e.g. stop screen sharing/broadcasting/control) on the other app/tool.
Once such risky permission settings have been disabled, your access to the Citi Mobile® App will no longer be restricted and you may proceed with usage of the Citi Mobile® App.
We will be detecting the following 4 potential risky permission settings on apps/tools attempting to access the Citi Mobile® App on your device:
- 1) Anti Remote Desktop Access
- 2) Suspicious Accessibility Services
- 3) Android Debugging via Developer Options
- 4) Screen Overlay
HOW TO PROTECT YOURSELVES FROM MALWARE?
1) Be Vigilant — Stay Safe and Not Sorry: If the price of an offer is too good to be true, it probably is. Be vigilant and verify the legitimacy of the offer with the company via official sources. Consult your family, friends, or colleagues if you are unsure.
2) Avoid Installing Unknown Apps: Refrain from downloading apps from third-party websites and only download from official app stores like Apple AppStore and Google Play Store. Malicious apps may request for permissions, such as “Accessibility Services”, that are unrelated to their intended functionalities. Review app permissions carefully during installation and reject any suspicious requests.
3) Be Wary of Unusual Payment Requests: Be cautious if the offers require you to use unconventional payment methods, such as gift cards or cryptocurrency. These methods are often favoured by scammers because they are difficult to trace and reverse.
4) Share with Care: Always verify the legitimacy of the offer before sharing with your family, friends, and colleagues. If in doubt, avoid sharing it or enlist their assistance in helping you verify the legitimacy.
WHAT TO DO IF YOU FALL VICTIM TO A MALWARE SCAM?
1) Switch your Device to Flight Mode: If you suspect your device has been infected by malware, switch your device to the flight mode immediately to disconnect from the Internet. This will prevent the scammers from further accessing your device remotely.
2) Activate Kill Switch immediately: On a secondary/uncompromised device, login to the Citi Mobile® App > Settings & More > Activate Kill Switch. Alternatively you can login to Citibank Online or call Citiphone +65 6225 5225 to activate Kill Switch. Click here for more information on activating Kill Switch.
3) Identified Unauthorised Transactions: If there are any unauthorised transactions detected in your bank account(s), contact Citiphone immediately at +65 6225 5225.
4) Report the incident to the police: Reach out to the police and lodge a report.
5) Run an anti-virus scan on your device: Use an anti-virus software which you have downloaded from verified or legitimate sources to scan and remove any malware detected in your device to ensure that known malware in your device is identified and removed.
Keep your cards safe when travelling abroad
Date: 13 June 2022
Thinking about travelling abroad any time soon? With the announcement of the simpler Vaccinated Travel Framework, Singaporeans will now be able to travel abroad easily. If you are planning to travel abroad, please be reminded to stay vigilant during your travels and to keep your credit and debit cards safe to avoid any fraud or theft.
Follow these tips while travelling abroad:
Do not leave your handbags/wallets and cards unattended (e.g. in the overhead compartments of planes or coaches etc.). Use your hotel’s safe to store important documents such as your passport or spare credit card. If your hotel does not provide this option, you can use a lockable suitcase – always remember to lock your suitcase when left unattended. |
Beware of strangers and always check that your wallets/cards are in your possession. |
Be aware of common scams at your travel destination (e.g. elaborate begging or street vendor scams, taxi scams). |
Ensure that the correct card is returned to you after any purchase. |
Be alert at crowded places (e.g. trains, markets, shopping centres, airports etc.). Be wary of where you keep your wallet and watch out for people who bump into you, as they may be trying to swipe it. |
Your credit card information may be stolen digitally via radio-frequency identification (RFID) skimmers. You can consider protecting yourself using RFID-blocking travel wallets during your travels. |
What to do if your credit or debit card was stolen or lost overseas?
For Credit Cards: |
|
Step 1: Lock your credit card immediately via the Citi Mobile® App so no one else
can use it.
|
|
Step 2: Report as lost or stolen via the Citi Mobile® App. | |
Step 3: If you would like to terminate your card and request for a replacement, please call our CitiPhone hotline available on the Citibank website. | |
For Debit Cards: |
|
Deactivate your debit card by reporting it as lost and blocking your card(s)
permanently.
|
Getting ready for your trip? Here are some pre-travel preparation tips:
Check if your contact details with the bank is updated
Ensure that all your contact details with the bank are updated so that we can contact you immediately in the case of fraudulent activity. Do note that if you change your SIM card whilst overseas, Citibank will not be able to contact you. To update your contact details, you may log in to the Citi Mobile® App and navigate to “Profile and Settings”. Alternatively, you may also log in to Citibank Online and select “My Profile”. |
Enable your Citialerts to stay updated on your transactions
Ensure that your Citialerts are enabled via Citibank Online so that you can be notified on any transactions on your card(s) and account(s). You will be notified on online outgoing funds transfer from your banking accounts which is S$1 and above. Note: If you have opted to receive SMS for your Citi Alerts, please ensure that you do not swop out your SIM card with the phone number registered with Citi. If you detect any unauthorised transactions on your card(s) and account(s), please report it to us by calling our CitiPhone hotline available on our Citibank website. |
Lock your credit card via the Citi Mobile® if you are not intending to use it overseas
To lock your card, click on “Manage” on your card on the Citi Mobile® App. You may unlock your card just as easily when you need to. |
Be Wary of Impersonation Scams
Date: 05 MAY 2022
There are scammers calling victims and pretending to be a government official (e.g., a police officer, immigration officer, or court official), an employee, or a representative from a bank or courier company. The scammers will use scam tactics to get you to provide your personal banking information, surrender monies to them for investigation, or download remote access software to extract your personal information.
Be wary of impersonation scams and stay vigilant by learning about different impersonation tactics and what to look out for.
Please note that no foreign law enforcement or authority can investigate offences here in Singapore, and no public authority can request that you open a bank account or access your online banking account.
Types of Impersonation Scams
China Official ImpersonationThis scam involves a scammer calling victims and pretending to be a government official or employee of a Chinese bank or courier company, claiming that your identity was used to send parcels containing fake passports, weapons, or to apply for overseas credit cards, involved in money laundering. The victims will be threatened to give personal information such as passport or bank account number, internet banking credentials, or One-Time Password (OTP). |
Police ImpersonationThis scam involves unsolicited robocalls claiming to be from government agencies, transferring you to messaging applications (e.g., Whatsapp, Telegram, LINE) where you will be contacted by a fake policeman. The scammers will share forged documents such as warrant cards, police reports of arrest, or even wear police uniforms with police IDs to dupe and gain the trust of victims. The victims will be instructed to surrender their monies for investigation by making transfers to various bank accounts or to pass the money in person based on the promise that the monies will be returned after investigation. There have been cases where scammers will ask victims to provide banking credentials and set up an e-GIRO link to the victims’ bank account to top up their e-wallets (e.g., Grab e-wallets). |
Telecommunication Representative Impersonation (“Tech Scam”)This scam involves scammers calling victims (typically to their home lines to avoid caller ID) pretending to be a representative from a telecommunication company, where they claimed to have noticed that you have been facing issues with your Wi-Fi or phone lines. The victims will be prompted to download remote access software such as TeamViewer so the scammer can to remotely view your screen as you key in your personal information like banking credentials and OTP. |
What should you look out for?
Calls or messages from courier companies, telcos, or government agencies asking you for your personal particulars, bank account details, or OTPs. Please note that no local government agency/police will contact you using robocalls and instruct you to transfer money to designated bank accounts for investigation or ask for your personal banking information. | |
Scare tactics that link you to crimes such as pending court cases, your mobile number being used in a crime, your Wi-Fi being compromised, or urgent requests that require your immediate attention. | |
Threats by the caller to escalate matters to the police if you do not cooperate. | |
Numbers calling from a ‘+’ number, even if it is ‘+65’, does not mean it is from Singapore. |
What should you do in the above scenarios?
Always verify the caller’s organisation or information shared directly with the source if you are unsure. |
Beware of incoming calls with the "+" prefix as the calls are international incoming calls. |
Never disclose personal particulars, banking, and credit card details and OTPs to anyone, especially over unsolicited phone calls. |
Do not install any software or grant remote access to your devices. |
Hang up immediately if the caller cannot identify himself properly. |
Do not click on URL links provided in unsolicited emails and text messages. |
Citibank customers are advised to install ScamShield (from Government Technology
Agency) from the iOS App Store. The application allows you to block spoofed calls and
SMSes based on a list from the Singapore Police Force, and report scam messages/calls
via the in-app reporting.
For more details, please refer to www.scamshield.org.sg |
Be Wary of Job Scams
Date: 04 May 2022
There are scammers sending unsolicited job offers via messaging apps or social media, offering high-paying jobs that require little effort and no experience but victims are required to pay fees or transfer monies before earning commissions. Be wary of unsolicited job offers and stay vigilant by learning about different job scams and what to look out for.
What are the different types of job scams?
Affiliate Marketing Job ScamThis is a job scam requiring victims to complete easy tasks such as liking social media posts to earn commissions. Victims are instructed to sign up for job packages by making upfront payments but will not receive further commissions after the initial commission. |
|
|
Fake Mobile App Job ScamThis is a job scam requiring victims to download a fake mobile application and top up funds into their accounts for buying and selling products or transferring money or cryptocurrency to bank accounts. Victims will not be able to withdraw their money or commission reflected on the fake mobile app. |
|
|
Warning Letter Job ScamThis is a job scam evolving from the fake mobile app scam where victims who try to quit the job and withdraw money from their accounts, will receive a fake warning letter with a letterhead of local authorities stating that their accounts would be frozen with legal implications. Victims will then be further pressured to make more fund transfers to avoid claimed legal action. |
|
|
Here are just two examples of job scam offers that victims have received via SMS, Whatsapp or Telegram:
EXAMPLE 1 |
EXAMPLE 2 |
What should you look out for?
You are contacted for a job |
You are promised a large sum of money for very little work or if the salary range is way out for your experience, then be wary. Easy jobs that offer lucrative commissions are simply too good to be true. |
You receive an offer from a free email account eg., @yahoo.com, @gmail.com. |
You are asked to transfer funds to bank accounts or cryptocurrency wallets belonging to individuals that you have not met in person. |
You are asked for confidential information, including bank and credit card details over messaging apps or emails. |
You are hired directly without an interview or meeting your potential employer. |
You are asked to download dubious mobile |
What should you do in the above scenarios?
Ignore unsolicited job offers from dubious sources. |
Verify the legitimacy of the job offer directly with the company concerned. |
Do not share personal and banking information, including OTPs. |
Never transfer money/cryptocurrency to strangers or anyone you have not met. |
Do not use your bank account to conduct |
Beware of fake SMSes with spoofed Citibank Headers & calls from spoofed Citibank Hotlines
Date: 04 May 2022
There has been a re-emerging trend of scammers pretending to be from the bank contacting victims through a spoofed Citibank Hotline or spoofed SMS headers. They would claim that there are suspicious activities on the victim’s account or that the victim’s cards have been suspended.
Do not fall prey to such scams, as scammers can use the information you provide to them to make unauthorised transactions on your credit/debit cards or bank accounts. To ensure the legitimacy of the links, they should start with https://www.citibank.com.sg/ when you click in.
How to spot a fake SMS with spoofed Citibank Header?
Example 1 |
Example 2 |
Example 3 |
Example 4 |
The scammers send SMSes with spoofed
Citibank Headers to victims, informing them
that their accounts have been suspended for
security reasons. |
The scammers usually instruct the victims to contact a phone number or click a link to reactivate their accounts. |
Upon calling the number or clicking on the
links, victims are instructed to provide
their personal and banking details for
further verification.
|
The scammer requests the victim to provide account details and OTP (One-Time PIN). |
Fraudulent transactions will then take place on the account. |
What should you look out for?
Be wary of fake SMS messages with spoofed Citibank Headers. Do also check for grammatical and/or spelling errors. |
Verify the content by calling Citibank directly or reaching us via secured email. |
Never disclose your personal, bank account, credit/debit card details, or OTP to anyone. |
Report any fraudulent credit/debit card charges or account transfers to Citibank immediately. |
What should you look out for?
The scammer impersonates a 'Bank officer' and calls the victim from phone number +65 6225 5225. |
The scammer informs the victim that there is suspicious activity on the victim’s account and proceeds to ask questions to verify that he/she is the customer. |
The scammer informs the victim that there is a fraudulent transaction on his/her bank account. |
The scammer informs the victim that a bank account has been created at a Citibank branch. The scammer then says that there are two large amount transfers done under the victim’s account (e.g., $100,000 and $150,000). |
The scammer informs the victim that a deposit has been made and the victim has a current account with a fraudulent transaction. |
The scammer requests the victim to provide account details and OTP (One-Time PIN). |
Fraudulent transactions will then take place on the account. |
In all the above scenarios, scammers may ask for your account number, login details, password, and inform you to lodge a Police report.
In some cases when you inform them that you did not open such an account with the bank, they might pretend to transfer you to the Commercial Affairs Department (CAD) to report the fraud application. The person claiming to be from ‘CAD’ may provide you with a reference number for his report (e.g., CAD#63250000) and ask for your personal and banking details such as your NRIC number or credit card number.
What should you do?
Ignore suspicious-looking calls coming from a ‘+’ number. |
Be wary of providing full bank, debit, and credit card details when asked. |
Citibank will never ask you to provide your OTP or passwords to us. Always verify that the OTP you are entering is related to the transaction that you are performing. This includes authorising an online purchase or adding your credit/debit card to your mobile wallet (Apple, Google, or Samsung Pay) or when the SMS OTP is triggered for your Citi Mobile® App registration. |
Hang up immediately, block, and report if the caller cannot identify themselves. |
Call our hotline numbers directly found behind your debit or credit card, the Citi Mobile® App, or Citibank website if you are suspicious or unsure. |
What should you do?
-
Citibank will never ask you to log in to your e-banking with an embedded hyperlink or request
that you enter personal information, for example reactivating your credit card or providing your
card details via the hyperlink in an SMS.
-
Please check if the received links are legitimate by ensuring the link starts with
https://www.citibank.com.sg/
-
You should never reveal your banking details (e.g., your login credentials and passwords,
security token, unlock code, one-time password (OTP), ATM Card/Credit Card Personal
Identification Number (PIN), account balance, identity card/passport number, ATM card image,
banking statement or other sensitive information) to any third party or unauthorised app.
Remember that our staff will not ask for the above information via phone call, SMS, and/or email.
- Remember that the risks of scanning an unknown QR code are similar to clicking on links in unknown messages, especially while making payments or transactions using QR codes. It is best only to use QR codes to pay in secure and familiar environments.
Protect Yourself Against Vishing Scams
Date: 1 December 2021
Have you received a suspicious call claiming to be from a telecommunication company, government ministry or an online shopping site? There has been a rise of call related scams where scammers will call you claiming to be a representative from a reputable company and asking for your sensitive personal information such as Credit Card or banking details and OTP (One-Time Pin).
Stay vigilant and safeguard yourself from these call related scams as scammers can use the information you provide to them to make unauthorised transactions on your credit/debit cards or bank accounts.
Find out about a common shopping site vishing scam scenario
Find out about a common telecommunication company vishing scam scenario
Important things to take note of
ALWAYS
|
NEVER
|
What should you do when you receive suspicious calls?
If you encounter any suspicious calls and have provided your personal details, please contact the Citi Hotline immediately.
Beware of Phishing Scams
Date: 3 September 2021
There has been an increasing trend of phishing scams where scammers trick victims into providing sensitive banking information such as their login credentials, One-Time Pin (OTP), bank account and/or card details, including expiry date and CVV. The scammers use digital platforms of email, SMS, messaging platforms, social media and online advertisements.
It is important that you familiarise yourself with the nature of these common scams to protect yourself from fraudulent fund transfers or charges to
your cards.
What do Phishing Scams look like?
Advertisements
Advertisements for incredible offers or flash deals expiring within the hour, with common phrases such as “not to be missed”Claims of issues with delivery or request of shipping fees
Messages that claim incorrect delivery details or request additional delivery fees before your product can be sentClaims of windfall
Announcements declaring you the winner of a lucky draw or contest randomly picked by the companyClaims of requiring renewal or verification
Messages that claim you have any unpaid fees, expiring subscriptions, refunds to be credited or security updates verificationImportant things to take note of
ALWAYS
|
NEVER
|
Beware of Calls from Spoof Citibank Hotlines & Fake SMSes with Spoof Citibank Headers
Date: 11 June 2021
There has been a re-emerging trend of scammers pretending to be from the bank
contacting victims through a spoof Citibank hotline or spoof SMS headers. They would
claim that there are suspicious activities on the victim’s account or that the
victim’s cards have been suspended.
Do not fall prey to such scams, as scammers can use the information you provide to
them to make unauthorised transactions on your credit/debit cards or bank accounts.
What is Spoof Citibank Hotline?
The scammer impersonates a ‘Bank officer’ and calls the victim from phone number +65 6225 5225. |
The scammer informs the victim that there is a suspicious activity on the victim’s account and proceeds to ask questions to verify that he/she is the customer. |
The scammer requests the victim to provide account details and OTP (One-Time PIN). |
Fraudulent transactions will then take place on the account. |
What should you do?
- Ignore suspicious looking calls coming from a ‘+’ number.
- Be wary of providing full bank, debit and credit card details when asked.
- Citibank will never ask you to provide your OTP to us.
- Hang up immediately, block and report if the caller cannot identify themselves.
- Call our hotline numbers directly found behind your debit or credit card, the Citi Mobile® App or Citibank website if you are suspicious or unsure.
What is SMS with Spoof Citibank Header?
Example 1 |
Example 2 |
- The scammers usually instruct the victims to contact a phone number included in the SMS in order to reactivate their card.
- Upon calling such a number, victims are instructed to provide their NRIC, bank account and/or credit/debit card details for further verification.
- The scammer requests the victim to provide account details and OTP (One-Time PIN).
- Fraudulent transactions will then take place on the account.
What should you look out for?
Be wary of fake SMS messages with spoof Citibank headers. Do also check for grammatical and/or spelling errors. |
Verify the content by calling Citibank directly or reach us via secured email. |
Never disclose your personal, bank account, credit/debit card details or OTP to anyone. |
Report any fraudulent credit/debit card charges or account transfers to Citibank immediately. |
Protect yourself from e-Wallet scams
Date: 10 February 2021
Due to the current pandemic situation, more people are making payments through e-Wallets such as Apple Pay, Samsung Pay and Google Pay. Recently, there has been an increase in phishing attempts relating to e-Wallets. Hence, it is important that you stay vigilant and familiarise yourself with common scams that take place relating to e-Wallets.
What is an e-Wallet?
An e-Wallet allows you to turn your smartphone into a mobile
wallet and experience a faster, more convenient and secure way
to pay with just a tap. All you need to do is add your Citi
Cards to the mobile wallet (such as Apple Pay/Samsung Pay/Google
Pay), tap and pay at merchant terminals or online for merchants
that accept e-Wallet as a payment mode.
Click here to learn more about Mobile Payments. |
What is an e-Wallet scam?
An e-Wallet scam typically involves the fraudster sending a phishing email or SMS to the victim to request for the victim’s card details on the pretext that the victim’s card details are outdated and require updating, that card details are required to make a refund/credit to them or to deliver a parcel to them. The victim clicks on the URL and is prompted to enter his/her card details and One-Time PIN on a fraudulent website. The fraudster uses these card details to add the victim’s card details into the fraudster’s e‑Wallet. The fraudster then uses this e-Wallet to make transactions which will be charged to the victim’s card. |
What should you look out for?
Emails and text messages making fake offers or claims to trick
recipients into clicking a link, e.g. payment for parcel
delivery, disruptions to services or subscriptions, refunds or
promotions. |
Link redirects victims to fraudulent websites and tricks them into providing credit card details and One-Time PIN (OTP) sent to their phone so credit card can be added to third party wallet (Apple Pay/Samsung Pay/Google Pay) to make unauthorised transactions. |
How to check that the card is added to your own e-Wallet
Match the last four digit of the Device/Digital/Virtual Account Number shown on your device to the last four digit of the Device Account Number mentioned in the email alert sent to your registered email address by Citibank Singapore, upon enrollment of your card to your e-Wallet.
Important things to take note of
ALWAYS
|
NEVER
|
Loan Scam
Date: 19th October 2020
We have been alerted of customers receiving unsolicited text messages from unlicensed moneylenders offering loan and loan services.
The message may purport to be sending from "Citibank" or other financial institutions to convince you that they are legitimate. Victims were instructed to transfer monies to the fraudster as a deposit before the loan can be disbursed. After the victims have transferred the monies, the victims find that the fraudsters are no longer contactable.
Examples of loan scam messages
What you should do
Ignore the message |
Block and report the numbers on the platform where you received the message |
For more information, please refer to www.scamalert.sg.
Impersonation and Technical Support Scam
Date: 24th July 2020
In the first 3 months of 2020, at least S$41.3 million were lost to scammers, based on cases that were reported to the Singapore Police.
As of 5 June 2020, it was reported in the news that more than S$7 million has been lost to scammers who were posing as technical support staff from January to April 2020, an increase of more than 40 times from the same period in 2019.
We would like to remind our customers to be wary of phone calls or SMSes claiming to be from banks, government agencies, courier or telco companies or any technical support teams requesting for you to provide them with your banking or log in credentials, perform funds transfers or asking you to update your information with them.
These calls/SMSes prey on your fears by making you think that your data/accounts have been compromised or that there are illegal activities linked to you, your account or your IP address.
In these calls:
We set out below, a step-by-step flow of the latest impersonation and technical support scams that have been reported. Please take some time to read this and share with your family and loved ones.
Here is a typical flow of impersonation scam:
Customer receives a call from someone claiming to be from a Bank/Telco/Government agency/ Courier company, informing him/her that his/her internet account has been hacked and used for illegal activities.
The call is then transferred to a Police/Interpol/Cybercrime police etc.
Customer is advised by the impersonator to download a screen sharing software and then log in to his/her Citi account during the screen sharing, in order to catch the fictitious hacker.
In certain cases, impersonator will provide the payee details to customer and advise customer to perform the fund transfer to the payee directly.
During screen sharing, impersonator is able to see customer’s User ID, Password and One-time PIN (OTP). He then uses the OTP to download Citi Mobile® Token, adds a payee and performs fund transfer or advises you to add payee and perform fund transfer to the payee.
Customer is told to ignore all SMS alerts from Citi as that is the bank’s practice. Any amount transferred will be refunded to him/her as it is used as a “bait” to catch the hacker. The impersonator will assure the customer that the money will be returned the customer.
When customer tries to call the impersonator to check on the return of funds, the impersonator is uncontactable. Monies would have already been transferred out of his/her banking accounts.
Below is a typical flow of a technical support scam.
Customers are reminded to exercise caution at all times.
Take note of the following important pointers:
Treat them like your ATM PIN.
Customer Advisory – 3rd Party Mobile Applications / Websites
Date: 24th April 2019
Description: Do not use 3rd Party Mobile Applications / Websites for viewing Online Banking Details
We are aware that there are 3rd Party Mobile Applications / Websites that allow customers to have a consolidated view of their financial expenses / transactions across multiple banks, credit card, investments, equity trades, and loan accounts in one place.
Citibank would like to remind our customers not to download any 3rd Party Mobile Applications / Websites to view / access your Citibank Online accounts. There is a potential risk of your online banking credentials being compromised as Username and Password has been shared with the application.
To protect yourself, always exercise the following precautions:
- Do not download any 3rd Party Mobile Applications to view your online banking details.
- Do not input your Citibank Online Username and Password when requested by such applications / websites.
- If already inputted, immediately change Username and Password.
Use of Citibank Online is personal to you and no third party should be allowed to access/view your account/account information via Citibank Online, whether or not you have consented to such third party’s access. This is to prevent any unauthorized access or use of your account and account information. You are responsible for keeping any of your log-in credentials (including User ID and Password) confidential and you cannot reveal your log-in credentials to any third party.
Where you have revealed your log-in credentials to a third party, please note that Citibank is not liable for and you have to compensate us for any losses arising out of any use of your log-in credentials. In such an event, we also have the right, from a risk management perspective, to suspend your access to Citibank Online at any time.
Citi Email Addresses
Date: 14th April 2019
Description: Please note that we will send you email notifications from the following Citibank email addresses.
Email Addresses |
---|
alerts@citibank.com.sg |
statements@citibank.com.sg |
advices@citibank.com.sg |
welcome@citibank.com.sg |
marketing@citibank.com.sg |
services@citibank.com.sg |
chargeback@citibank.com.sg |
customerservice@citibank.com.sg |
client@experience.citi.com |
customerservice@thankyou.citi.com |
Customer Advisory
Date: 5th September 2018
Description: Be alert to emails and SMS scams.
We would like to remind our customers to remain vigilant when responding to emails and SMS messages from senders masquerading as popular brands, often requesting for you to:
- Complete a survey or a quiz, with the promise of cash prizes, loyalty points or air miles.
- Provide your card number, in order to participate in the survey or quiz.
- Provide your mobile phone number.
As a further tactic to convince victims of the authenticity of these scams, a One-Time Pin (OTP) will be sent to the mobile phone number that you've just provided. Unfortunately, with the successful solicitation of this information, the scammer would have gathered the necessary details to perform unauthorized transactions on your Citi Cards.
To protect yourself, always exercise the following precautions:
- When clicking on a link from an email, always check that the internet address that you are directed to is legitimate by verifying it in the web browser. If you're unsure, please check this with the brand or merchant.
- Never disclose your card numbers on merchant websites that have internet addresses that look incorrect.
- Check if the web browser displays a Locked Padlock icon. Reputable sites would have these.
- Never disclose your OTP to websites that you might be unfamiliar with.
- Always check your account statements regularly to detect any unauthorized transactions. For a real-time view of your transactions, login to the Citi Mobile® App.
Phishing Emails
Date: 7th August 2018
Description: We have detected phishing emails and webpages targeting Citi customers. These phishing emails comes from a non-Citi email address and requests Citi customers click on a hyperlink to unlock / update their online banking / credit card account.
If a customer falls victim to the phishing email and clicks on the hyperlink, they will be redirected to a page URL that is not official Citi website, requesting for a user's information (Username and Password), followed by a request to provide an SMS OTP. Such websites are used to conduct card not present transactions but may also be utilized in order to steal personally identifiable data, username-password combinations, OTPs or infect a user's device as well as fraudulent enrollment of Citi © Mobile Token (which may be used to carry out payments to these fraudsters).
How can you protect yourself from this?
- Be alert. Minimize clicking on links in emails as these may not be legitimate.
- Check that you are using the official Citi website. Always type the Citibank Online website URL directly into the address bar of your browser. If you are on mobile, consider using the official Citibank Mobile application .
- Citi will never request for your PIN, password or OTP through phone call, email or SMS. Call Citiphone immediately if you notice unknown transactions appearing on your account.
Customer Advisory
Date: 20th July 2018
Description: SingHealth has reported a data breach affecting more than 1.5 million SingHealth patients. Patient data stolen included personally identifiable information such as names, addresses, birthdays, and NRIC numbers. Approximately 160,000 patients had details of medical prescriptions stolen. Stolen credentials may be used to conduct social engineering and phishing scams. Such scams utilize personally identifiable information to appear legitimate.
How can you protect yourself from this?
- Be alert. Do not provide personal or bank information to unsolicited callers.
- Never give out any sensitive personal information (including login passwords or one-time passwords) over the phone or via email. Our staff will never ask you for such information.
- Contact Citiphone immediately if you are in any doubt of a call, SMS or email's validity.
SMS Phishing
Date: 20th May 2018
Description: We have detected multiple Phishing Emails. The sender email addresses varies from those ending with @gmail.com, @hotmail.com, @yahoo.com, etc. They contain messages including the requirement to update account details due to system maintenance or "New Message from Citibank". A hyperlink that purports to be a Citibank hyperlink (but is not) is also included in the message and takes customer to URLs that does not belong to official Citibank. The site has the same look and feel of that of Citibank Online. Such websites are designed to trick users into providing their online banking and credit card details to conduct fraudulent / unauthorized bank transfers and / or credit card transactions. Credit Card details provided could also be used to enroll for Payment Wallets such as Samsung Pay, Android Pay, Google Pay and Apple Pay.
How can you protect yourself from this?
- Be alert. Minimize clicking on links in SMSs as these may not be legitimate.
- Check that you are using the official Citi website. Always type the Citibank Online website URL directly into the address bar of your browser. If you are on mobile, consider using the official Citibank Mobile application .
- Never reply to unsolicited SMSs. Responses to such SMSs could be used by fraudsters to socially engineer information or trick users into performing unwanted actions.
- Only provide your credit card details if you're making a direct purchase. Always check that you intend to conduct a credit card transaction and do not provide an OTP to authorize payment if you are not.
- Citi will never request for your PIN, password or OTP through phone call, email or SMS. Call Citiphone immediately if you notice unknown transactions appearing on your account.
Protect Yourself from Fraud
Here are few types of fraud and the preventive steps that you can take to prevent yourself from becoming a victim.
Impersonation Scam
Impersonation scams are calls from people claiming to be government officials or staff members of any agency asking for personal details. Callers may claim your identity was used for suspicious activity and may intimidate you into giving them personal information such as your passport, bank account number, internet banking credentials or One-Time PIN (OTP).
How to protect yourself against impersonation scams:
Do not follow the caller’s instructions, including allowing remote access to your electronic or mobile devices. In some cases, scammers may threaten you not to talk to anyone about your situation so that you are unable to verify if it is a scam. |
Do not disclose your banking or card credentials and One-Time PIN (OTP), and do not lend your ATM/ Credit Card/ Hardware Token to anyone. |
Read carefully the content of any OTP received and never disclose your OTP to anyone over the phone or to unfamiliar websites. |
Always review any SMS or email notifications from Citibank relating to your account and report any unauthorised transactions to Citibank immediately. |
Phishing
Phishing emails, also known as hoax or spoof emails, are fraudulent emails that
appear to be sent from a trusted source but are in fact, designed to trick you into
revealing valuable data such as your User ID, password, card details and
One-Time Pin (OTP).
Be aware of emails claiming to be Citi
- Always check the sender's email address.
- Remember that Citi will never ask you to confirm a payment or transaction via email.
- If in doubt, don't click the link and report to Citi's fraud reporting service .
Be aware of websites imitating Citi
- Check web-link URL is citibank.com.sg
- Always type citibank.com.sg within the internet browser address bar.
- If ever in doubt, don't enter any information within the website & report to Citi's fraud reporting service .
SMiShing
SMiShing messages appear to be from a legitimate company and typically contain a link that takes you to a spoof website, or it may ask you to call a phone number. Even if you don't enter any information, clicking the link can lead to other problems, such as installing malicious software or dangerous viruses to your phone.
HOW TO RECOGNISE SMS FRAUD
You may receive an SMS from a fraudster posing as Citibank, requesting you to share personal information, such as account or card details.
In most cases you will be directed to a fraudulent lookalike website that requests you to enter your:
- Card details
- Name & Address
- User ID & Password
- One-Time PIN (OTP)
Fraudsters can utilise your details to make immediate purchases or fund transfers.
Security Tips
- Remove file and printer sharing when your computer is connected to the Internet.
- Regularly backup critical data and encrypt these data with minimal 128-bit encryption.
- Delete junk or chain emails
Keep Your Card Safe At All Times
Here are some tips on how you can keep your card safe from fraudulent activities.
To learn more on how you can protect yourself online, click here
You have an important role to play to ensure that you and your account(s) are protected while banking with us electronically. Here are some useful tips:
Your Role and Responsibility
The E-Payments User Protection Guidelines (the “Guidelines”) issued by the Monetary Authority of Singapore (“MAS”) set out the expectations of MAS of any responsible financial institution that issues or operates a protected account. The Guidelines also cover duties of account holders and account users of protected accounts, and provide guidance on the liability for losses arising from unauthorised and erroneous transactions.
Some important definitions in the Guidelines include:
-
(1) a "payment account" as:
- (a) any account, or any device or facility (whether in physical or electronic form), that —
- (i) is held in the name, or associated with the unique identifier, of any person, and is used by that person for the initiation of a payment order or the execution of a payment transaction, or both; or
- (ii) is held in the names, or associated with the unique identifiers, of 2 or more persons, and is used by any of those persons for the initiation of a payment order or the execution of a payment transaction, or both; and
- (b) an account which includes a bank account, debit card, credit card or charge card.
- (2) a “payment transaction” as the placing, transfer or withdrawal of money, whether for the purpose of paying for goods or services or for any other purpose, and regardless of whether the intended recipient of the money is entitled to the money, where the placing, transfer or withdrawal of money is initiated through electronic means and where the money is received through electronic means.
-
(3) a “protected account” as any payment account that:
- (a)is held in the name of one or more persons, all of whom are either individuals or sole proprietors;
- (b) is capable of having a balance of more than S$1,000 (or equivalent amount expressed in any other currency) at any one time, or is a credit facility;
- (c) is capable of being used for electronic payment transactions; and
- (d) where issued by a relevant payment service provider is a payment account that stores specified e-money.
-
(4) an "unauthorised transaction" (in relation to any protected account) as any payment transaction initiated by any person without the actual or imputed knowledge and implied or express consent of an account user of the protected account. This includes “seemingly authorised transactions” as defined in the Guidelines to the Shared Responsibility Framework.
The following are examples of payment transactions that do not fall within the scope of unauthorised transactions:- (a) The account user knew of and intended to make the payment transaction, notwithstanding that the transaction could have arisen as a result of falling victim to a scam (e.g., e-commerce, government-official impersonation, job, investment or love scams);
- (b) The transaction was performed by a person as a result of the account holder sharing access and usage of their devices with the person, or storing the person’s biometrics identities on their devices. The account holder is deemed to have consented to the use of his account by this person.
-
(5) the “transaction notification threshold” means—
- (a) the threshold for transaction alerts set by the account holder; or
- (b) if the account holder did not set any threshold for transaction alerts, the default industry-baseline transaction notification threshold.
In accordance with the Guidelines, Citibank would like our customers and account users of protected accounts to take note of (a) their duties set out in section 3 of the Guidelines, and (b) Citibank’s duties set out in section 4 (excluding paragraph 4.3) of the Guidelines. You should note that except for paragraphs 4.2 to 4.6, 4.10 to 4.12 and 4.14 to 4.16, section 4 of the Guidelines do not apply to Citibank in respect of any credit card, charge card or and debit card issued by Citibank. Please carefully review the Guidelines here.
We would like to draw your attention to para 3 of the Guidelines which provides for the customer/account user’s duties. Some of these duties are highlighted below. These are not intended to be exhaustive and you should refer to the Guidelines (link above) for further details on customer/account user’s duties.
(a) Provide contact information, opt to receive all outgoing transaction notifications and monitor notifications. It is your responsibility to provide us with complete and accurate contact information in order for us to send you notification alerts for transactions, activation of digital security token and the conduct of high-risk activities. You are also responsible to (i) enable notification alerts via SMS, email or in-app/push notification (i.e. Citi Alerts) on any device (used to receive transaction notifications from Citibank); (ii) opt to receive notification alerts for all outgoing transactions of (any amount that is above the transaction notification threshold) made from your protected account, activation of digital security token and the conduct of high-risk activities made from your protected account, and (iii) monitor the transaction notifications sent to you or the designated account contact. (For this reason, Citibank will assume that you will monitor such notification alerts without further reminders or repeat notifications.)
If you wish to update your transaction notification threshold and preferred mode of notification for outgoing transaction alerts, please log in to the Citi Mobile® App and select “Manage alert preferences”. For International Personal Bank Singapore customers, you can log in to Citibank Online and navigate to 'Manage Alerts' under 'My Profile'.
(b) Protect your access codes. You should protect the access codes that you use to authenticate any payment transaction or your identity (e.g. your password or OTP) and not voluntarily disclose these to any third party, including the staff of Citibank. You should not keep a record of any access code in a way that allows any third party to easily misuse the access code.
(c) Secure access to your protected account. You should only download our Citi Mobile App from official sources. You should ensure that you have strong passwords and install and maintain your device with the latest anti-virus software. You should not root or jailbreak your device nor download and install applications from third-party websites outside official sources (“sideload apps”), in particular, unverified applications which request device permissions that are unrelated to their intended functionalities.
(d) Read content sent with access codes. You should read the content of the messages containing the access codes and verify that the stated recipient or activity is intended prior to completing transactions or high-risk activities.
(e) Obtain Citibank’s website addresses and phone numbers from official sources and contact Citibank using contact details from official sources. You should refer to official sources (for example the MAS Financial Institutions Directory, the Citi Mobile App or the back of your Citibank-issued credit card or debit card) to obtain our website addresses and phone numbers.
(f) You should not click on links or scan QR codes. You should not click on links or scan QR codes purportedly sent by Citibank unless you are expecting to receive information on Citibank products and services via these links or QR codes. Citibank will not send you links or QR codes which directly result you in providing us any access code or to make a payment transaction or high-risk activity.
(g) You should understand the risks and implications of performing high-risk activities. Before performing any high-risk activities, you should read Citibank’s risk warning message and ensure you understand the risks and implications of proceeding. By proceeding, you are deemed to have understood the risks and implications as presented by Citibank.
(h) You should report unauthorised activities on your protected account and provide the required information to Citibank. You should report any unauthorised activity on your protected account to Citibank as soon as practicable, and no later than 30 calendar days after receipt of any transaction notification alert for any unauthorised activity. In connection with your report, you should provide us with any of the information as set out in section 3.18 of the Guidelines upon our request within a reasonable time.
(i) You should activate the Citibank Kill Switch. If you are notified of any unauthorized transactions and have reason to believe that your account has been compromised or if you are unable to contact Citibank, you should activate the Citibank Kill Switch available on the Citi Mobile App, as soon as practicable, to block further mobile and online access to your protected account. Please refer to https://www.citibank.com.sg/personal-banking/online-services/kill-switch for more details.
(j) You should make a police report if you suspect you are a victim of scam or fraud. Citi requires you to provide a police report to facilitate our claims investigation process. You should fully cooperate with the Police and provide evidence (such as furnishing your mobile device to the Police for forensics investigation).
An account user would be responsible for actual loss arising from an unauthorised transaction if such account user’s recklessness was the primary cause of loss. Recklessness would include the situation where the account user deliberately did not comply with the duties set out in section 3 of the Guidelines, which includes the duty to enable transaction alerts. It is therefore important for you to read and understand your duties under section 3 of the Guidelines and to understand that the preferences you set for transaction alerts (including how low or high your selected threshold amount is, and the types of transactions for which you elect to receive notifications) would affect how the liability framework in section 5 of the Guidelines would be applied and how any claim by you in relation to an unauthorised transaction would be resolved.
As set out in the Guidelines, examples of conduct that constitute recklessness and could lead to losses from unauthorised transactions include:
-
- (a) storing access code in a manner that can be easily accessed by any third party;
- (b) knowingly sharing or surrendering access codes to non-account users, resulting in completed transactions;
- (c) ignoring notifications, alerts or warnings from the responsible FI;
- (d) following instructions of third parties to open new bank or card accounts without a reasonable basis;
- (e) retaining sideloaded apps which are unverified or request device permissions that are unrelated to their intended functionalities; and
- (f) selecting a numeric or alphabetical access code that is easily recognisable, such as one which represents their birth date, or part of their name, if the responsible FI has:
- • specifically instructed the account holder not to do so, and
- • warned the account holder of the consequences of doing so.
Liability Framework for Unauthorised Transactions under the Guidelines
The Guidelines set out in section 5, a liability framework relating to unauthorized transactions effected on a protected account. For the avoidance of doubt, the section 5 liability framework does not apply in respect of any Citibank credit card, charge card or debit card (please refer to the relevant cardholder agreements for the terms regarding liability).
Further, Customers should note that the Guidelines provide that “where any account user knew of and consent to a transaction (“authorised transaction”), such a transaction is not an unauthorised transaction, notwithstanding that the account holder may not have consent to the transaction.
The information set out below has been distilled from section 5 of the Guidelines and is not intended to be exhaustive. Customers are advised to read the Guidelines for full details.
Scenario (1): Customer is liable for actual loss
The customer will be liable for the actual loss arising from an unauthorized transaction on a protected account if the customer/account user’s recklessness was the primary cause of the loss. Recklessness would include the situation where any account user deliberately did not comply with section 3 of the Guidelines. Please also refer to the above examples of conduct that constitute recklessness.
Scenario (2): Customer is not liable for any loss
The customer is not liable for any loss arising from an unauthorized transaction if the loss arises from any action or omission by Citibank and does not arise from any failure by any account user to comply with any duty in section 3 of the Guidelines.
Any action or omission by Citibank includes the following:
- (a) fraud or negligence by Citibank, its employee, its agent or any outsourcing service provider contracted by Citibank to provide Citibank's services through the protected account;
- (b) non-compliance by Citibank or its employee with any requirement imposed by MAS on Citibank in respect of its provision of any financial service; and
- (c) non-compliance by Citibank with any duty set out in section 4 of the Guidelines.
Scenario (3): Loss resulting from any action or omission of any independent third party
The customer is not liable for the first S$1,000 of loss arising from an unauthorised transaction, if the loss arises from any action or omission by any third party not referred to in scenario (2) above, and does not arise from any failure by any account user to comply with any duty in section 3 of the Guidelines.
Last updated: 16 December 2024
Other Advisory
Always make sure that you have entered your User ID and Password and other confidential information in the legitimate Citibank Website by entering Citibank's Website address https://www.citibank.com.sg or https://www.citigold.com.sg directly onto your Web browser.
We're constantly updating and improving our wide variety of security measures, providing you the confidence you need when using Citi Mobile or Citibank Online.
Web Security
-
Our 128-bit SSL (Secure Sockets Layer) encryption engine provides industry standard levels of security, ensuring your information can't be accessed by anyone else.
- The green address bar on Citi websites indicates that the site has undergone extensive vetting by our security teams and has been granted a security certificate known as an Extended Validation SSL Certificate.
- For safety, we’ll suspend your online access if three failed login attempts are made. We’ll also block access to cash machines if the wrong PIN is entered three times.
- You are recommended to use supported and updated browsers to ensure your internet banking is secured at all times. Learn More
- Every time you sign in to Citibank Online, the date and time of your last visit are shown. If you didn't sign in then, this will indicate an unauthorised account access has occurred.
2-way SMS Notification
-
Our 2-Way SMS service alerts you of any suspicious transactions on your
account.
It is important that you respond to us
immediately:
- You should reply to the SMS with "1" if the transaction is authorised by you or "2" if the transaction is not authorised by you.
-
Please note
-
You will receive the SMS from the number 72484 ("Short Code") if
your registered mobile is a Singapore number and +65 9657 2484
("Long Code") if your registered number is not a Singapore number*. - We will not ask for any additional information to be provided other than "1" or "2".
- If you are overseas or holding onto an overseas mobile number, please send your reply to +65 9657 2484.
- Please contact the Fraud Hotline +6563375519 if you have any issues.
-
You will receive the SMS from the number 72484 ("Short Code") if
your registered mobile is a Singapore number and +65 9657 2484
- You can stay on top of your account activities with customised Citi Alerts, where you can get SMS or email notifications whenever there is a specific transaction on your account. Learn More
Citi Mobile® Token
- Citi Mobile® Token is a feature within the Citi Mobile® App that authenticates transactions as an alternative to other authentication methods such as Online Security Device, or One-Time PIN (OTP) via SMS.
-
The benefits of Citi Mobile Token are:
SECURE
Protected by a 6-digit Unlock Code chosen by you and restricted to one device of your choice.
INSTANT
Enter your unique Unlock Code to instantly authenticate your transactions initiated in Citi Mobile® App on your Citi Mobile® Token enabled device. No more waiting for an OTP via SMS, or worrying about misplacing your Online Security device.
EASY
Authenticates all online transactions such as payments and transfers, adding new payee and updating your contact details. It also generates OTP for online purchases.
- With the Citi Mobile® Token, you can instantly authenticate all transactions initiated in the Citi Mobile® App. You can also instantly generate OTP with your unique Unlock Code to authenticate transactions on Citibank Online or for online purchases. To learn more, click here
- After enrolling to Citi Mobile® Token, you should not share or reveal your Unlock Code to anyone, including Citibank.
Misplaced your card? Lock your card on the Citi Mobile® App
- If you’ve misplaced your card, you can temporarily lock your card at Citi Mobile® App so that no one else can use it. You can unlock your card just as easily when you need to.
- While your card is locked, you will not be able to use it for point-of-sale transactions. However, any recurring payment instructions that you may have established on your card will not be affected.
- To terminate your card and request for a replacement if your card is lost or stolen, please call our Citiphone hotline.
If you suspect there are unauthorised transactions on your account or you wish to report suspicious emails, SMS messages or phishing websites:
Step 1
Call
- CitiPhone banking: (65) 6225-5225
- Commercial Bank hotline: (65) 6238 8833
Email: spoof@citicorp.com.
Step 2
Change your Citibank Online User ID, Password and ATM PIN immediately.
Social Media Impersonation Scam
Date: 24 May 2021
Stay vigilant online against the recent increase of Social Media impersonation and phishing scams. It is important that you familiarise yourself with the nature of these common scams to protect yourself from fraudulent fund transfers or charges to your cards.
What do Social Media Impersonation Scams Look Like?
The scammer contacts you via social media platforms such as Facebook messenger or Instagram impersonating as your friend, family member or follower by using comprised or spoofed social media accounts.
The scammer requests for your mobile phone number and/or mobile phone provider on the pretext of helping you sign up for fake contests or promotions on online shopping platforms.
The scammer asks for your credit card details, including your card number, expiry date and the three digits on the back of your card, on the pretext of helping you claim a prize or reward.
Some scammers are able to provide personal information to convince you of their identity.
The scammer then asks for the SMS OTP from your mobile phone to access your account until you suspect something is wrong or your credit limit is reached.
What Should You Look Out For?
What do Phishing Scams Look Like?
You receive an SMS, email, pop-up message or advertisement regarding an incredible offer on Instagram or Facebook.
After clicking on the link, you are directed to a website that resembles the actual company’s website.
You are required to enter your credit card details, including your card number, expiry date and the three digits on the back of your card.
You are prompted to enter your OTP to complete the transaction.
What Should You Look Out For?
Important things to take note of
ALWAYS
NEVER