Banking Security - Protect Yourself

More and more people have been falling for a persuasive phone scam known as 'vishing'. Be alert so you can protect yourself against it.

Fraudsters have been calling people and posing as someone from a bank's fraud investigation team. They might also say they’re from the police, a telephone or internet service provider, a utility company or some other trusted party. The scammers then try to get debit card details, internet banking login credentials, bank account details, Telephone PINs, One Time Passwords or other personal information.

If you think you received a suspicious call, do not share your information and inform Citi immediately.

Fraudsters may try to take control of your mobile phone by asking your provider to transfer the number to a SIM card that’s in their possession. This allows them to receive all your incoming calls and text messages, while your own phone simply ceases to work.

The fraudster can then conduct illegal activity without your knowledge, receiving calls intended for you thus intercepting security verification passcodes or security call-backs from your bank.

If you identify a SIM card issue on your phone, please call your mobile phone provider and your bank to ensure that you are not a victim of a SIM swap scam.

Named for SMS (Short Message Service), the technology used for mobile phone text messaging, Smishing messages appear to be from a legitimate company and typically contain a link that takes you to a spoof website or asks you to call a phone number. Even if you don't enter any information, selecting the link can lead to other problems, such as installing key logging software or dangerous viruses on your phone.

A fraudster can access all your information using computer malware known as Trojans.

These small programmes are installed on your computer without your knowledge and capture every keystroke you make. The Trojan programme then sends this information to the fraudster.

Because these Trojans are sitting on your own computer, they completely bypass the security of the connection between you and the Citi website. They capture not only your usernames and passwords, but also the answers to every security question you are asked.

By installing trusted security software and ensuring its regularly updated, you can help to guard against Trojans.

Clients sometimes report receiving fraudulent emails that appear to be from Citi or other financial & governmental institutes but which are, in fact, sent by imposters. *Please note, Citi will NEVER ask you to provide mother’s maiden name, personal banking usernames / password, CVV codes, PINs, account numbers or other highly sensitive information. You should not reply to any emails that make such a request.

Criminal activity could be taking place in your inbox right now. Phishing emails, also known as hoax or spoof emails are fraudulent emails that appear to come from a trusted source but are in fact designed to trick you into revealing valuable data. If you click on any of the links, they may take you to a fraudulent website where you'll be asked to “update” or “confirm” sensitive information that could leave your accounts at risk. Phishing emails may also contain links or attachments that could infect your computer with viruses and malware.

Be very suspicious of any business or person who asks for your password, national insurance number, or other highly sensitive information. It’s important that you do not follow the links in the e-mail. Citi will never send you an email asking you for confidential or personal security information. If you receive what you think is a phishing email, please forward it to suspicious.email@citi.com and then delete the email from your inbox.

If we interact or ask for an action from you via email, this will only be to an email you have registered with us. It would be a secured email from DocuSign and we will always authenticate you before seeking information. You can also contact Citi via the online Secure Message Centre.

What to look out for in a phishing mail:

• The email or web address will differ slightly from the bank’s genuine address.
• The email will greet you as “Sir”, “Madam” or “Dear Customer”, rather than using your actual name.
• The email may ask for personal information that your real bank would never request, such as passwords and card / telephone PINs.
• The email may contain a link to a fraudulent website.
• The email may contain grammatical errors.
• The email may contain threats (for example, to close your account or block your card) if you don’t comply with its request immediately.

Treat all unexpected or unsolicited emails with extreme caution, even if they appear to be from a reputable organization. It’s always best to play safe, in case you are in fact dealing with a fraudulent email.

What to do if you think you have received a phishing email:

1. Don’t reply, open any attachments or follow any links.
2. Don’t carry out its instructions or give away any personal information.
3. Ensure your anti-virus software is up to date and run a full scan to remove any threats.
4. Call the bank and reset your Citi Online username and password. That way, if fraudsters have already obtained some of your online banking details, you’ll still prevent them from accessing your account.
5. Forward it to suspicious.email@citi.com and delete the mail from your inbox.

Keep your Citibank Online User ID and Password confidential.

Internet banking users should never disclose their User ID and Password unless it is to use a service that you have signed up to and you're sure that the request for your information is directly related and should also ensure that no one is watching you while you enter your User ID and Password or any confidential information.

• Memorise your User ID and Password and do not record it anywhere. Under no circumstances should you reveal your User ID and Password to anyone even if they purport to be a staff of Citibank unless it is to use a service that you have signed up to and you're sure that the request for your information is directly related.
• Do not use a shared computer or device that cannot be trusted for internet banking such as the computer at an Internet café. These devices may be installed with certain software that could capture your personal information prior to your approval.

Make sure your computer is protected against viruses, spyware, malware and other threats by installing the latest security software, web browser, and operating system. Where possible, we recommend setting your software to check automatically for updates each time you connect to the internet. In addition to your computer, remember that smartphones, gaming systems and other web-enabled devices also need protection from viruses and malware.

Make sure both your computer and mobile operating system and browser software are updated with the latest security patches. Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that’s an available option.

We recommend that you use a firewall to reduce the likelihood of unauthorised access to your computer from the internet. If you use a firewall, ensure that it is updated regularly.

If you use a wireless network to access the internet, make sure it’s password protected for security. If it isn’t, other people may be able to access your internet and your internet sessions.

When accessing Citi Online from a computer that’s not your own, make sure it has antivirus software, a firewall and the latest software updates.

Ideally, we’d recommend that you don’t use a publicly available computer (a computer in an internet café, for example) to access your accounts.

Always keep your Personal Identification Number (PIN) secret and secure. No one should ever legitimately ask you to reveal your card PIN , Telephone banking PIN or Citi Online PIN. That includes anyone purporting to be from Citi, the police or any similar authority.

The only time you will ever be asked for your telephone PIN (TPIN) is when you call our telephone banking service, CitiPhone.

• Don’t let anyone else know your PIN or use your card.
• When you first receive your PIN, memorise it and then destroy the notification.
• Shield your PIN when authorising a purchase or withdrawing cash from an ATM.
• Never enter your PIN into websites or order forms, and never disclose it to anyone else, whether in person or over the phone.
• We also recommend that you change your PIN regularly.

When using a cash machine, follow the steps below to keep your card secure.

• Shield your PIN when you enter it.
• Immediately report any signs that the machine has been tampered with, or if it does not return your card.
• Don’t allow yourself to be distracted.

Your personal information and card details can be obtained from receipts or statements. To protect your identity, tear up or shred any sales receipts, ATM receipts, letters or statements before throwing them away.

Keep a close watch on your transactions. Regularly review transactions on your bank statements to make sure they only reflect the purchases you’ve made.

Aside from the traditional risks to mobile phones such as theft, loss and the disclosure of your private contacts, a number of new threats have recently arisen. These are associated mainly with the new generation of smartphones, especially those with Bluetooth technology and access to the internet:

• Smart phone viruses.
• Phishing by phone.
• The fraudulent use of your data connection over a Bluetooth link.
• Accessing usernames and passwords that have been stored on your device during internet use.
  
  Remember: it’s not 'just a phone'.

• Treat your smartphone like a wallet. Keep it safe and with you at all times.
• Think of your smartphone as a computer - all the same security rules apply. This includes checking the authenticity of websites, not clicking on links from people you don’t know and watching out for phishing scams that ask for personal information.
• If you decide to sell, recycle or trade in your smartphone, make sure you delete all your personal information first. Most smartphones have a 'reset to factory settings' option on the menu. And don’t forget to remove or wipe any memory cards too.

Text wisely, and safely.

Before you respond to any text message, learn how to distinguish a genuine text from a "SMiShing" message that may have been sent by a scam artist.

How to protect yourself

• Avoid selecting links in unsolicited text messages — instead, go directly to the company's website and fill out information there.
• Don't respond to unknown numbers — if you're suspicious about a banking phone number received via text message, always call the toll-free number on the back of your debit card instead.
• Install software with discretion — only install software from reputable companies or from providers you trust.
• If you suspect that you’ve received a fraudulent text message, please forward it to us. After forwarding the text message, you should delete it from your device.

If you have already replied to a text message with personal information and now think the text was fraudulent, call us immediately at: 0800 00 55 00

An increasing number of mobile phones can access the internet in the same way as your home computer or laptop. You should therefore protect your phone in the same way as you would your computer.

For example, if you use your smartphone to log into a website, key information such as usernames and passwords could be stored on it. Beware that if your phone is then stolen, the thief may be able to access these security details.

To help keep your passwords safe on your smartphone, follow the steps below:

• Use the PIN or passcode function to secure your handset. Don’t rely on the default factory settings and create a combination that won’t easily be guessed by others.
• Set your device to lock automatically if you haven’t used it for a few minutes.
• Make sure any applications you use do not store your login details or allow automatic log-in.
• Never store login or password reminders in your contacts list or text messages.
• When using your smartphone to browse the internet, don’t save usernames and passwords, even if given the option. In particular, never save passwords that you use to access online banking or sites containing confidential personal information.

When using your smartphone online or when downloading applications, follow the tips below to help keep your details safe:

• If you’re about to run an application downloaded from the internet, make sure you understand the risks of doing so. Don’t fall into the trap of downloading hoax or illegal software that could contain a virus.
• Take the same care when using your smartphone in public as you would when using a public computer.
• Avoid using online banking in public areas. You don’t know who may be watching as you enter your security details (this is known as “shoulder surfing”).
• Check for regular updates on your service provider’s website to see if there are any security or software updates for your phone.

If you’re using the internet via an unsecured Wi-Fi connection, you need to understand the risks. Potential threats include the theft of your data, or the possibility of being re-directed to a website that will capture your details or download a virus to your phone. If you’re using Wi-Fi in a public place, make sure it’s secure.

• Think twice about storing any personal information on your phone. Many of us store our home telephone number as 'Home' in our contacts list. Determined fraudsters can call the number, claiming to be someone else, and use the conversation to find out more about you.
• Think carefully about what information you share online and how it could be misused. Your smartphone holds a great deal of personal information in a single place, making it fairly easy for fraudsters to work out who you bank with, where you’ve recently made transactions, and the names of your family members. They can also glean other details from emails and other documents.

If you synchronise your mobile phone with your home or work computer, there is a high chance that personal information you thought you were leaving at home is actually being carried around in your pocket. Make sure you know what data is saved to your mobile and, if you don’t need to be carrying it with you, change your synchronisation settings to stop it copying over.

The small screen size on a mobile phone can make it more difficult to spot fraudulent websites, so it’s critical to make the relevant checks. For example: keep an eye on the web address to make sure you are not being diverted to another site.

Mobile banking can be a very efficient way to manage your finances, but you should only use applications written and published by your bank. Avoid third party software and make sure you follow the password advice above.

• Watch out for prompts or warnings asking if you want to allow software to install or run; if you don’t know what it is or what it relates to, don’t install it. Mobile handsets are relatively secure devices, but criminals get around this by trying to dupe users into downloading malicious software themselves.
• If you are accessing a public wireless network, turn off your Bluetooth connection when you’re not using it. This will minimise the risk of infections or interception. In general, using your 3G network is a more secure option.

Until recently, viruses affecting smartphones were not a major threat, with very few attacks occurring. However, as demand for smartphones increases, so does the risk that they’ll be targeted by fraudsters.

So far, most of the virus attacks on smartphones have caused relatively little damage, either to the device itself or to the users’ identity. Even so, you should still be mindful of the risks and do what you can to minimise the chance of becoming a victim:

• Be wary of downloading applications from untrusted sites.
• Anti-virus software is available for your smart phone - for example from F-Secure.
• Use your Bluetooth safely (see Bluetooth section for more information).

Bluetooth is a short-range wireless network that allows devices like smartphones, computers and headsets to communicate with each other. While this way of communicating isn’t inherently unsafe, it does need to be used properly to avoid risks.

• If your smartphone has Bluetooth capability, turn it off when you’re not using it.
• If you use Bluetooth, make sure your phone is not left in ‘discoverable’ mode.
• Create ‘Pairing’ or trusted links between your device and your friends’ devices, but don’t do this in public in case someone is scanning when you make the connection.
• If possible, restrict your Bluetooth to allow only 'paired' devices.

It's when someone obtains essential information about you — such as your national insurance number, date of birth, and mother's maiden name — and uses it to open credit card accounts, loans and even mortgages in your name.

• Make your User ID and Password as secure as possible. Create a password that only you would know.
• Change your Password. Remember to change your online banking password every 30-60 days using the Citi Online Service Center.
• Don't send sensitive information by email. Never email your password, account number, national insurance number or other sensitive information to anyone. When communicating with Citibank, use our secure online Message Center.
• Never leave your computer unattended. When you complete your banking tasks, always end your web session by signing off.
• Be careful how much personal information you post online. When visiting social networks, remember that sharing information like your birth date, phone number, e-mail address, location and photos can put your identity at risk.
• Never write down PINs and passwords. Memorize them instead.

Identity thieves can strike even if you've been very careful with your personal information. Some hints of identity theft may include:

• Failing to receive bills or other mail.
• Receiving cards or billing statements for accounts you never applied for.
• Receiving calls from debt collectors or companies about merchandise or services you didn't buy.

If you think you may be a victim, you can obtain a copy of your credit report from each of the three major credit reporting agencies. If it's accurate and includes only those activities you've authorised, chances are your identity wasn't stolen.

Did you know...

• You should make sure we have your current contact information so we can reach you if fraudulent activity is suspected on your account(s). View the information we have on file for you.
• If your identity is ever stolen, use the free services offered by our Citi^®Identity Theft Solutions specialists to help re-establish your credit.

Citi has a presence in several social networking sites that help us keep in touch with our customers. They include the following:

• Facebook — join the conversation on the Citi UK Facebook page.
• Twitter — There's a whole community of Citi users getting important information via Twitter. Send a tweet to @AskCiti for customer service questions. For news, information and offers from Citi, follow @Citibank.
• YouTube — The Citi YouTube channel showcases some of our latest efforts and innovations to serve our customers.

With more and more people joining social networks, there has been increased danger of social engineering, a form of identity theft where thieves gather personal information from publically accessible sections of social networking sites.

By taking the following precautions, you can guard against social networking fraud.

• Before joining a social networking site or community, research it online to make sure it's legitimate.
• Don’t use the same username and password to log into social networking sites that you use for your Citi accounts.
• Never share personal information such as User IDs, PINs and account numbers on social media sites.
• Create a screen name that doesn't reveal too much about you.
• Be careful when clicking links. Even if the message appears to come from a friend, contact the sender directly to make sure it's authentic.
• Post only information you are comfortable with others seeing, and regard information posted on social media sites as public and permanent.
• Use privacy settings to limit access to your information.
• Never include any information that can help thieves steal your identity, such as your address, phone number or even employment information.

Did you know...

• Citi will never ask you to include your account number or other account access information in a Tweet. If Customer Service needs more information, they will send you a direct message (DM) asking for your phone number.
• Citi will often use the abbreviated URL [https://on.citi/] when sharing links on Facebook and Twitter. This helps to let you know it's from a trusted source.
• Citi will never send you a Tweet or Facebook message asking for account information.

Share scams are predominately run from boiler rooms; in which fraudster’s cold call their victims with the sole intention to sell non-existent shares. They can be very persuasive and at times forceful in delivering their scam. They will assure high returns on the shares which will never materialise. If it sounds too good to be true it probably is….

https://www.youtube.com/watch?v=V54GH_GgiMY

Romance fraud is a scam employed by fraudsters into developing an online romance built on lies and deception with the intention to request money from their victim. Fraudsters will build up a relationship and once they have their victims trust they will fabricate elaborate stories to gain money. Eventually they will cease contact with their victims once they have been successful in extracting savings/money from them. This type of scam is on the increase.

‘Money mules’, or ‘money transfer agents’ as they are sometimes called, are people recruited by criminals to help transfer fraudulently obtained money from bank accounts. The funds that the criminals try to transfer are usually stolen or obtained as a result of phishing and Trojan scams. Since most of the fraudsters are located overseas and is not possible to make cross-border transfers out of India online bank accounts overseas, a "money mule" or "money transfer agent" is required to launder the funds obtained.

While money mules are usually accomplices of the fraudsters and are aware of the nature of the activity, the criminals also try to dupe innocent victims into laundering money on their behalf. A Money Mule is attracted through a website, spam email, internet chat, or newspaper advertisements. After being recruited by the fraudsters, money mules receive funds into their accounts and they then withdraw the money and send it overseas using a wire transfer service, minus a certain commission payment.