Citi Security Centre - Security Update

Security updates

WhatsApp scams are on the rise, and you could be a fraudster's next target. Fraudsters are using the instant messaging platform WhatsApp to send messages to consumers while posing as a family member, most commonly their child, with the goal of stealing your money.

A WhatsApp scam typically involves the following:

  • Fraudsters posing as a family member, commonly the person's child, stating that their phone is not working and that this is their new number.
  • Fraudsters posing as trusted organizations such as HMRC, BT, Citi or even the Police.
  • Fraudsters will create a story to claim that they are in a difficult situation, need help and are in urgent need of money.
  • Fraudsters will use a technique called Social Engineering to try to manipulate you into sending them money.

Here is how to protect yourself from falling victim to a WhatsApp scam:

  • Do not reply to any unexpected messages from unknown numbers you receive on WhatsApp.
  • If you receive a message from an unknown number claiming to be a family member, make a phone call to the original number you have saved for that person and ask them to confirm whether it is them or not.
  • Block the number that has contacted you.
  • Do not share any personal information over WhatsApp in response to any unexpected messages from unknown numbers.

Be aware that fraudsters are contacting people out of the blue to ask for personal information such as your card number and CVV. The caller will purport to be from Citi or another trusted organization, and will ask you for the One-Time Passcode you will have received, or for your personal information.

Fraudsters are also attempting to SIM Swap people’s mobile phone numbers. This means diverting all phone calls and SMS text messages to another mobile phone number which the fraudster controls. Fraudsters are calling people, purporting to be from mobile network providers, and asking them to provide a PUK code. If your mobile phone stops working normally, inform both your bank and mobile network provider immediately.

Here’s how you can protect yourself:

  • Do not provide any information to the caller, including your card number, CVV or One Time Passcodes.
  • Citi will never call you asking for any of this information. If you receive a call out of the blue asking for any personal information, end the call immediately.

If you believe you have been a victim of this fraud, please contact us immediately on 0800 00 55 00.

We have become aware of a recent trend where fraudsters are spoofing or impersonating legitimate business email addresses, or compromising and gaining access to them.

This typically occurs when you are paying for a service from a business, for example renovation work at home or when you are purchasing a property and communicating with your Solicitor over email.

Fraudsters will intervene and send you an email that looks like it comes from a trusted business, when in fact it is the fraudsters who are posing as the business or have gained access to its email account.

Once a fraudster can email their victim, they typically provide new and fraudulent bank details on an invoice to convince the victim to redirect the payment to that account.

  • Always confirm the bank details directly with the company before making a payment.
  • When paying someone for the first time, transfer a small amount first and check with the company that it has been received.
  • Send the confirmation of payment to the service provider once the invoice has been paid.

If you believe you have been a victim of this scam, then please contact us immediately on 0800 00 55 00.

A remote access scam occurs when an unsolicited caller purports to be from a reputable organization with which you are likely to have a genuine service or account, such as your mobile or internet service provider. The caller will claim that you have some form of issue or problem they need to fix.

In order to remediate the issue, they will advise you that they need to take control of your computer or mobile. To do this, they will ask you to download remote access software, which in turn enables the caller to take control of your device.

Once they have control of your device, they will ask you to log into your Citi bank online account and potentially any other online bank accounts that you may hold. They will advise that you need to log in so they can check that your accounts are ‘safe’.

The caller now has access to your online account and all features, including making payments.

How to Protect Yourself

  • Never give remote access to an unsolicited caller and subsequently log into your Citibank online account.
  • A genuine bank or organization will never contact you out of the blue to ask for your PIN, full password, One Time Password or to move money to another account. Only give out your personal or financial details to use a service that you have given your consent to, that you trust and that you are expecting to be contacted by.
  • If you are ever unsure of whom you are speaking to, terminate the call and independently obtain, from a reputable source, the telephone number of the company the caller is purporting to be from.

We have become aware of attempts to impersonate Citibank UK Limited and Citigold Wealth Management through emails, cold calls and fake websites purporting to represent Citi and to offer our products. These fraudsters are sophisticated and in some instances are replicating our genuine product and service documentation.

Recently, fraudsters have been offering consumers fake high interest, fixed rate COVID vaccine bonds referencing legitimate Pharmaceutical companies (e.g. Pfizer), whilst using Citibank UK Limited’s firm reference number, address and logo.

Here are some ways in which to identify Investment Scams:

  • If you have been approached by an email, call or text message offering an investment opportunity.
  • If you found a website which is selling Citi investment products and offering you low risk investment for a high return.
  • A fake site, a caller or someone behind an email may ask you to pay or transfer money by online payments or wire transfer.
  • Fraudsters may try to rush or pressurize you into making decisions. A legitimate company would never force you into taking a rushed decision regarding your investments & wealth.
  • The offer seems too good to be true; High return with low risk. Don’t proceed until you are comfortable the offer is legitimate.

If you’re suspicious about an investment or opportunity, then please contact us immediately via www.citibank.co.uk or 0800 00 55 00.

Please visit this website to learn more about Investment Scams and how they operate: https://www.youtube.com/watch?v=V54GH_GgiMY

In order to protect yourself, please remember:

  • We would never cold call or email you to offer an investment opportunity out of the blue.
  • In order to make an investment with Citibank UK Limited, you need to have an account with us. We would always open an account face to face, not over the phone or via email.
  • We would only email you using the @citi.com domain, and we do not use any variations of this.
  • We would never promise a low risk investment for a high return.
  • If you have any doubt, call us immediately on 0800 00 55 00.

Please also take FCA’s quick Scam Smart Test: https://www.fca.org.uk/scamsmart/scam-or-smart-game

What's the threat?

The personal information you share on the internet can be invaluable to a fraudster. It’s really important that you protect your personal information online at all times, otherwise your identity and your money could be at risk.

Authentic-looking emails will sometimes be sent to unsuspecting internet users to drive them to a fake website in an attempt to steal their login details or personal information. This is known as ‘phishing’. Phishing is a growing problem amongst internet users, and there’s a very real chance that one day you may receive one of these fraudulent emails.

In addition, if you receive what you think is a phishing email, please forward it to spoof@citi.com and then delete it from your inbox. It’s very important that you don't click on any links or provide any personal details.

There are many types of malicious software; all can be used to try and steal your login details and personal information or damage the files on your computer. They’re fairly common and without any protection it’s very likely they will infect your computer. Here are some common types of malicious software:

Virus: A virus has the ability to replicate itself and can infect a computer without the permission or knowledge of the user. A computer virus attaches itself to files or programs and spreads through the system quickly, often having a damaging effect.

Worm: A worm is similar to a computer virus, but worms differ in how they are spread. A virus must be executed (run) for it to infect other systems, whereas a worm actively transmits itself.

Trojan Horse: A Trojan Horse is a malicious program which pretends to be something harmless; authors of viruses and worms often use Trojans as a way of starting virus or worm outbreaks.

Fake antivirus: Fake antivirus software is a form of Trojan Horse software which claims to be genuine antivirus software, but exists for the sole purpose of extracting money from unsuspecting users. Fake antivirus software may also function as spyware.

Spyware: Spyware is a name given to any malicious program which steals information for the benefit of its creator or controller. Most banking related malicious software falls into this category. Spyware can be contracted in a number of different ways; viruses, worms, Trojans and fake antivirus software may all contain spyware.

New Citi security alerts

We will continue to alert you by SMS if we identify suspicious debit card purchases, however you may now also receive an email or an automated call.

Important
Our number has changed. We will only ever ask you to reply to alerts sent from:

SMS
63363
+44 7860 065 121 (outside UK)

Email
securityalert@security5.citi.com

Voice alert
08082800912
+448082800912 (outside UK)


Payment Services Directive 2 (PSD2)

Further, changes resulting from the European Union’s Payment Services Directive 2 (PSD2) are coming into effect on 14 March 2020. These changes are designed to better protect you when you make payments and access your transaction details. Please be aware that additional changes will come into effect later in 2020 and in 2021, and we will write to you in advance detailing those changes.

What does it mean for Citi clients?

This means there will be extra levels of security when you take certain actions related to making payments and accessing your information.

What changes should I expect?

Some of your transactions may require additional levels of security

The new Strong Customer Authentication (SCA) requirements will have an impact on the way you transact on your account. They will require a higher level of authentication (authorization by you) for certain types of transactions, e.g. where you are paying someone you have never paid before. This includes the introduction of two-factor authentication and generation of an authentication code for certain transactions. A factor can be one of the following options:

Knowledge: Something only you know (e.g. your Citi Unlock Code)

Possession: Something only you have (e.g. your mobile phone)

Inherence: Something unique to you (e.g. your fingerprint)

Two different factors will be required to make certain types of transaction. For example, when you are using the Citi Mobile® UK App, your two-factor authentication will be Knowledge (your Citi Unlock Code) AND Possession (the presence of the app on your mobile phone).

An authentication code will be generated based on this two-factor authentication.

Changes to the way you transact on your account

Citi Mobile® Token – Push Notification on your mobile phone

If you have enabled Citi Mobile® Token with Push Notifications (a pop-up notification on your phone), you won’t need to enter an authentication code for your transactions. Instead, you will be asked to authenticate yourself within the app, and an authentication code will be generated and verified automatically. You will be asked to opt in for this feature when you open your Citi Mobile® UK App.

If you have not enabled Citi Mobile® Token with Push Notifications, you will be asked to authenticate manually by generating a code using Citi Mobile® Token or using an SMS One-Time Password (an “SMS OTP”).

If you receive an SMS OTP, this will include the payee nickname and transaction amount in order to provide greater clarity on which transactions the OTP is being used to verify.

You will no longer be able to complete a transaction with just your signature.

As Citi Debit Cards have chip functionality, you will no longer be able to complete a transaction using your signature where the payment machine is chip-enabled. Instead, you must authenticate using your PIN.

Extra levels of security for your contactless payments

Occasionally you will be asked to put your card into a payment machine and provide your PIN, rather than using the contactless option. This is an extra level of security to ensure it is you that is using your card. We may ask you for your PIN on the sixth contactless payment. There are some types of payments that are not included in this change (e.g. unattended terminals).

To better improve your contactless payment experience, we will be issuing new cards to a number of clients over the coming months. We will notify you if this is relevant to your card.

Changes to the way you access your account online

Additional security measures for accessing transactions.

Every 90 days, we will ask you to authenticate yourself using either the Citi Mobile® Token or SMS OTP when logging in to Citi Online or your Citi Mobile® UK App.

Within these 90 days, we will be able to provide you access to your balance and transactional information up to 90 days old without continuing to ask for verification. If you want to access transactional information older than 90 days, we will ask you to authenticate yourself using either the Citi Mobile® Token or SMS OTP.

Depending on the actions you are taking on your account, we may ask you to authenticate yourself at other times.

Third party payment service provider (TPP) and their permissions when accessing your account

A TPP can allow you to view your accounts with us and other banks in one place, as well as allowing you to make payments directly from your account. TPPs can only access your account information and make payments from your account with your permission. If you allow a TPP access, we will treat an instruction from a TPP as if it was from you.

TPPs have to be authorized by the UK’s Financial Conduct Authority (FCA) or another European Regulator before they are allowed to access your account. TPPs are also required to comply with the PSD2 requirements by 14 March 2020, and this will change the way in which they can access your account. Where a TPP is not compliant, we are not able to permit them to continue accessing your account in the same way they used to, and you may receive unexpected SMS OTPs during this time. In order to prevent these SMS OTPs from occurring, the best thing you can do is contact your TPP to remove their access.


If you have any concerns regarding security, please call
the Citi Security Team on:

0800 096 68 00

+44 203 569 99 98
If calling from outside the UK