Warning about COVID-19 Scams:
Be aware that fraudsters are sending text messages and emails claiming to be the NHS, offering the opportunity to sign up for the COVID-19 vaccine. The text or email will ask the recipient to click on a link which will take them to an online form which requests personal and financial details:
- Do not click on links shared via text message and email or input any personal or financial information.
- The NHS will never ask you for your bank account information, card details, PIN or banking password.
- The NHS will never ask you to prove your identity by sending copies of personal documents such as your passport.
If you believe you have been a victim of this scam then please contact us immediately on 0800 00 55 00.
Remote Access Scams
A remote access scam occurs when an unsolicited caller purports to be from a reputable organisation of whom you are likely to have a genuine service or account with, such as your mobile or internet service provider. The caller will claim that you have some form of issue or problem they need to fix.
In order to remediate the issue they will advise you that they need to take control of your computer or mobile. In order to do this they will ask you to download remote access software, this in turn enables the caller to take control of your device.
Once they have control of your device they will ask you to log into your Citi bank online account and potentially any other online bank accounts that you may hold. They will advise that you need to login so they check that your accounts are ’safe’.
The caller now has access to your online account and all features, including making payments.
How to Protect Yourself
- Never give remote access to an unsolicited caller and subsequently log into your Citibank online account.
- A genuine bank or organisation will never contact you out of the blue to ask for your PIN, full password, One Time Password or to move money to another account. Only give out your personal or financial details to use a service that you have given your consent to, that you trust and that you are expecting to be contacted by.
- If you are ever unsure of whom you are speaking to, terminate the call and independently source the telephone number from a reputable source of the company the caller is pertaining to be from.
Warning about Investment Scams
We have become aware of attempts to impersonate Citibank UK Limited and Citigold Wealth Management through emails, cold calls and fake websites purporting to represent Citi and to offer our products. These fraudsters are sophisticated and in some instances are replicating our genuine product and service documentation.
Recently, fraudsters have been offering consumers fake high interest, fixed rate COVID vaccine bonds referencing legitimate Pharmaceutical companies (e.g. Pfizer), whilst using Citibank UK Limited’s firm reference number, address and logo.
Here are some ways in which to identify Investment Scams:
- If you have been approached by an email, call or text message offering an investment opportunity.
- If you found a website which is selling Citi investment products and offering you low risk investment for a high return.
- A fake site, a caller or someone behind an email may ask you to pay or transfer money by online payments or wire transfer.
- Fraudsters may try to rush or pressurise you into making decisions. A legitimate company would never force you taking a rushed decision regarding your investments & wealth.
- The offer seems too good to be true; High return with low risk. Don’t proceed until you are comfortable the offer is legitimate.
If you’re suspicious about an investment or opportunity then please contact us immediately via www.citibank.co.uk or 0800 00 55 00.
Please visit this website to learn more about Investment Scams and how they operate: https://www.youtube.com/watch?v=V54GH_GgiMY
In order to protect yourself, please remember:
- We would never cold call or email you to offer an investment opportunity out of the blue.
- In order to make investment with Citibank UK Limited, you need to have an account with us. We would always open an account face to face, not over the phone or via email.
- We would only email you using @citi.com domain and we do not use any variations of this.
- We would never promise a low risk investment for a high return.
- If you have any doubt, call us immediately on 0800 00 55 00.
Please also take FCA’s quick Scam Smart Test: https://www.fca.org.uk/scamsmart/scam-or-smart-game
What's the threat?
The personal information you share on the internet can be invaluable to a fraudster. It’s really important that you protect your personal information online at all times, otherwise your identity and your money could be at risk.
Authentic-looking emails will sometimes be sent to unsuspecting internet users to drive them to a fake website in an attempt to steal their log in details or personal information. This is known as ‘phishing’. Phishing is a growing problem amongst internet users and there’s a very real chance that one day you may receive one of these fraudulent emails.
In addition, if you receive what you think is a phishing email, please forward it to firstname.lastname@example.org and then delete it from your inbox. It’s very important that you don't click on any links or provide any personal details.
There are many different types of malicious software; all can be used to try and steal your log in details and personal information or damage the files on your computer. They’re fairly common and without any protection it’s very likely they will infect your computer. Here are some common types of malicious software:
Virus: A virus has the ability to replicate itself and can infect a computer without the permission or knowledge of the user. A computer virus attaches itself to files or programs and spreads through the system quickly, often having a damaging effect.
Worm: A worm is similar to a computer virus, but worms differ in how they are spread. A virus must be executed (run) for it to infect other systems, whereas a worm actively transmits itself.
Trojan Horse: A Trojan Horse is a malicious program which pretends to be something harmless; authors of viruses and worms often use Trojans as a way of starting virus or worm outbreaks.
Fake antivirus: Fake antivirus software is a form of Trojan Horse software which claims to be genuine antivirus software but exists for the sole purpose of extracting money from unsuspecting users. Fake antivirus software may also function as spyware.
Spyware: Spyware is a name given to any malicious program which steals information for the benefit of its creator or controller. Most banking related malicious software falls into this category. Spyware can be contracted in a number of different ways; viruses, worms, Trojans and fake anti-virus software may all contain spyware.
New Citi security alerts
We will continue to alert you by SMS if we identify suspicious debit card purchases, however you may now also receive an email or an automated call.
our number has changed. We will only ever ask you to reply to alerts sent from:
+44 7860 065 121 (outside UK)
+448082800912 (outside UK)
Payment Services Directive 2 (PSD2)
Payment Services Directive 2 (PSD2)
Further changes resulting from the European Union’s Payment Services Directive 2 (PSD2) are coming into effect on 14 March 2020. These changes are designed to better protect you when you make payments and access your transaction details. Please be aware that additional changes will come into effect later in 2020 and in 2021 and we will write to you in advance detailing those changes.
What does it mean for Citi clients?
This means there will be extra levels of security when you take certain actions related to making payments and accessing your information.
What changes should I expect?
Some of your transactions may require additional levels of security
The new Strong Customer Authentication (SCA) requirements will have an impact on the way you transact on your account. They will require a higher level of authentication (authorisation by you) for certain types of transactions, e.g. where you are paying someone you have never paid before. This includes the introduction of two-factor authentication and generation of an authentication code for certain transactions. A factor can be one of the following options:
Knowledge: Something only you know (e.g. your Citi Unlock Code)
Possession: Something only you have (e.g. your Mobile phone)
Inherence: Something unique to you (e.g. your Fingerprint)
Two different factors will be required to make certain types of transaction e.g. When you are using the Citi Mobile © UK App, your two factor authentication will be Knowledge (your Citi Unlock Code) AND Possession (the presence of the app on your Mobile Phone).
An authentication code will be generated based on this two-factor authentication.
Changes to the way you transact on your account
Citi Mobile® Token – Push Notification on your mobile phone
If you have enabled Citi Mobile® Token with Push Notifications (a pop –up notification on your phone), you won’t need to enter an authentication code for your transactions, instead, you will be asked to authenticate yourself within the app, and an authentication code will be generated and verified automatically. You will be asked to opt in for this feature when you open your Citi Mobile® UK App.
If you have not enabled Citi Mobile® Token with Push Notifications, you will be asked to authenticate manually by generating a code using Citi Mobile® Token or using an SMS One-Time Password (an “SMS OTP”).
If you receive an SMS OTP, this will include the payee nickname and transaction amount in order to provide greater clarity on which transactions the OTP is being used to verify.
You will no longer be able to complete a transaction with just your signature.
As Citi Debit Cards have chip functionality, you will no longer be able to complete a transaction using your signature where the payment machine is chip-enabled. Instead, you must authenticate using your PIN.
Extra levels of security for your contactless payments
Occasionally you will be asked to put your card into a payment machine and provide your PIN, rather than using the contactless option. This is an extra level of security to ensure it is you that is using your card. We may ask you for your pin on the sixth contactless payment. There are some types of payments that are not included in this change (e.g. unattended terminals).
To better improve your contactless payment experience, we will be issuing new cards to a number of clients over the coming months. We will notify you if this is relevant to your card.
Changes to the way you access your account online
Additional security measures for accessing transactions.
Every 90 days we will ask you to authenticate yourself using either the Citi Mobile® Token or SMS OTP when logging in to Citi Online or your Citi Mobile® UK App
Within these 90 days, we will be able to provide you access to your balance and transactional information up to 90 days old without continuing to ask for verification. If you want to access transactional information older than 90 days, we will ask you to authenticate yourself using either the Citi Mobile® Token or SMS OTP.
Depending on the actions you are taking on your account we may ask you to authenticate yourself at other times.
Third party payment service provider (TPP) and their permissions when accessing your account
A TPP can allow you to view your accounts with us and other banks in one place as well as allowing you to make payments directly from your account. TPPs can only access your account information and make payments from your account with your permission. If you allow a TPP access we will treat an instruction from a TPP as if it was from you.
TPPs have to be authorised by the UK’s Financial Conduct Authority (FCA) or another European Regulator before allowing them to access your account. TPP’s are also required to comply with the PSD2 requirements by 14 March 2020 and this will change the way in which they can access your account. Where a TPP is not compliant, we are not able to permit them to continue accessing your account in the same way they used to and you may receive unexpected SMS OTPs during this time. In order to prevent these SMS OTPs from occurring, the best thing you can do is contact your TPP to remove their access.