Online Security

Banking Fraud and Scams

Variants of the DYRE malware continue to target online banking customers worldwide.

DYRE, also known as Dyreza, is a malicious program used by cybercriminals to steal online banking credentials and perform fraudulent transactions. DYRE is usually spread by phishing emails containing attachments or hyperlinks that, once opened, can exploit your computer's existing security flaws to install the malware. Once installed, DYRE can redirect websites through servers operated by criminals, allowing them to capture and alter data in real time.

Signs of a DYRE infection include:

  • Repeated requests for User ID, Password and/or One-Time PIN (OTP)
  • Changes in the appearance or procedures of online banking
  • Delays and persistent "loading" screens.

Citi recommends customers remain alert for malware threats and review our Online Security Tips.

Customers who notice unusual behaviour in their online banking or believe their computer may be infected should immediately contact Citi's 24-hour CitiPhone helpdesk on 13 24 84 or +61 2 8225 0615 if you are overseas.

What is SIM Porting Fraud & SIM Swapping Fraud?

SIM Porting Fraud is the act in which a fraudster requests that your existing mobile number be moved (or "ported") to another phone carrier without your consent or knowledge.
SIM Swapping Fraud is the act in which a fraudster approaches your mobile operator and requests that a new SIM card be issued for your existing mobile number without your consent or knowledge.

With the mobile phone now being the primary way people access their banking accounts and other important services, keeping your mobile safe is more important than ever. A fraudster gaining access to your mobile number by means of SIM Porting or SIM Swapping can lead to unauthorised access to your digital accounts by intercepting authorisation texts or overriding touch authentication.

How does it work?

  • The fraudster obtains the victim's personal details via various techniques including mail theft, online compromises (e.g. malware, Trojans), phone and email phishing scams or the illegal purchase of stolen personal data.
  • The fraudster approaches the victim's mobile operator with the victim's identity and requests a duplicate SIM card or requests that the mobile number be ported.
  • The victim's mobile operator deactivates the original SIM card and issues a replacement SIM or ports the number to the new operator.
  • The fraudster is now able to carry out financial transactions without the victim's consent or knowledge by intercepting calls or texts, receiving one time passwords or PINs and overriding touch authentication on the swapped or ported SIM.

Tips to safeguard yourself

  • If your mobile service stops working unexpectedly, check in with your mobile service provider immediately.
  • Be vigilant of SMS text messages from your mobile service provider advising you of a swapping or porting request.
  • Never disclose your internet banking password, ATM PIN or telephone PIN to anyone. Citi will never ask you for these details via any of our communications to you.
  • Beware of unsolicited calls, texts or emails asking for personal or financial information even if they appear to be from your bank or a reputable company.
  • Do not open or forward emails that you suspect might be spam and never open any attachments or click on any links.
  • Be careful of what personal details you share on social media platforms as fraudsters can use these to anticipate likely answers to security questions.
  • Ensure you have up to date anti-virus protection software installed on your computer.

Email scams

  • You may receive phishing emails that contain links or malicious attachments that could capture your details or harm your device. These emails seek to trick people into giving out personal details including banking details. They are designed to look legitimate and often contain a corporate logo.
  • Regularly visit our Latest Security Alerts section for information on scams targeting Citi customers or customers of other financial institutions.

Malicious software

  • Malware, or malicious software, is an intrusive program that fraudsters try to install on your computer or device. Malware, such as a virus or Trojan, can disrupt or slow down operation, gather personal and financial details, extract funds or perform other fraudulent activities under your name.
  • Malware is usually sent as an attachment to emails claiming to be from a trusted source, or disguised as genuine software.

Phishing over the phone

  • Phishing, traditionally where emails seek to trick people into disclosing their account or personal details, is now increasingly happening over the phone. Be particularly vigilant if you're asked to disclose any online banking sign-in details or an SMS code sent to your mobile.
  • Protect your SMS code like you would a password or a PIN. Disclosing your SMS code contravenes our terms and conditions and may find you liable for any losses due to fraud on your account.

SMS phishing

  • Fraudsters can spoof the sender name so they may appear to be from a trusted source. These SMSs often use scare tactics and contain links to fake websites in an attempt to capture your passwords and other sensitive information.

Credit card fraud can occur when someone obtains your credit card details and uses them over the phone or on the Internet to make purchases in your name. You should always carefully check your statement each month to determine if there are charges for purchases you did not make.

Fraud can also occur when a person assumes your entire identity and obtains credit cards in your name.

If you suspect that fraud has occurred on your card, it's important to contact CitiPhone immediately on 13 24 84 or +61 2 8225 0615 if you are overseas. We will assist you with stopping your card (as well as any other card affected) and investigating the fraudulent activity.

Citi related scam

Report all suspicious emails by forwarding them as an attachment to Citi - spoof@citicorp.com - for further investigation and action.

Non Citi related scam

Report any non Citi related scams to SCAMwatch, an independent website run by the Australian Competition & Consumer Commission (ACCC).

SCAMwatch provides information to consumers and small businesses on how to recognise, avoid and report scams. Anything reported to SCAMwatch will be analysed and acted on by the ACCC.

Stay up to date

Register for Stay Smart Online Alert Service, a free Government-run service to alert you of new online threats as they are identified.

How we protect you

Our card deactivation feature allows you to immediately block your credit card in the event that you misplace it or it is stolen.

Learn how to deactivate your credit card

Our Two-Way SMS Alert service has been designed to help you keep your credit card purchases safe. It ensures a quick and easy two-way communication with Citi in the event of any suspicious activity being detected when making a purchase.

  • The Two-Way SMS alert service is set up for all Citi credit card holders. The service will immediately notify you of any transactions deemed to be suspicious and allow you to confirm by replying to our SMS:
    • Reply 1 to confirm the transaction as Genuine
    • Reply 2 to confirm the transaction as Fraud
  • An SMS will be sent from +61 488 952 484 containing the transaction information. We will not ask for any further information other than a reply of either "1" or "2". By replying to our SMS you can confirm whether the transaction we are asking about was made by you (SMS cost will be as per charges by your telecommunication provider).
  • To benefit from this service please ensure you have provided us with your current mobile phone number. Updating your contact details is easy at Citibank Online. Visit Citibank.com.au/updateme to watch our demonstration video.

The Citi One-Time PIN (OTP) adds to the security of your account when you are transacting online. All major transactions, including adding a payee, will require an OTP to be completed.

You can receive an OTP as an SMS or generate one using the Mobile OTP function on the Citi Mobile® App. You will need to ensure your mobile number is up-to-date. Updating your contact details is easy at Citibank Online. Visit Citibank.com.au/updateme to watch our demonstration video.

Learn more about Citi OTP

Citi Mobile® Token improves your online banking security by providing a secure two-factor authentication. This works by combining 'something that you know' and 'something that you have' (passcode and mobile phone) to ensure that you are the only person that can access your account.

Citi Mobile® Token allows you to generate a One-Time PIN, without your mobile phone requiring an internet connection or network coverage, providing convenient online banking anywhere, anytime.

Learn more about Citi Mobile® Token

The Online Authorisation Code (OAC) is a security feature of Citibank Online that provides you with added protection when you are adding a new payee. When adding a new payee, the OAC will be sent to your registered mobile phone number via SMS before you can transfer funds. Please ensure your mobile number is up-to-date. Updating your contact details is easy at Citibank Online. Visit Citibank.com.au/updateme to watch our demonstration video.

Citibank is committed to providing a secure banking environment for our customers. Citibank uses the latest technology and systems to deliver a range of security initiatives as part of an ongoing program to enhance the security of our online banking website.

  • The Citibank Online website is constantly monitored by dedicated personnel 24 hours a day who review the website to identify opportunities to enhance the site's security and to maintain all the internet banking services available for our customers.
  • A digital certificate (found by clicking on the Padlock Icon in the Status Bar at the foot of the page) is used to verify the identity and authenticity of Citibank's websites.
  • Immediately upon signing in to Citibank Online, you will see the date and time of your last sign in. Contact CitiPhone immediately on 13 24 84 (+61 2 8225 0615 if calling from overseas) if you notice a discrepancy in the date and time of your last sign in.
  • All communication sent from your computer to our secure systems is encrypted to ensure the confidentiality of all data sent and received.
  • Citibank customers are able to contact CitiPhone 24 hours a day, seven days a week for assistance with any queries. If you believe your account has been compromised in any way, call CitiPhone immediately on 13 24 84 or +61 2 8225 0615 if calling from overseas.

How to protect yourself

Before signing in to Citibank Online

  • Protect your computer and information with some easy-to-use tools such as firewall programs, email filters, anti-virus software and spyware filters.
  • Review your account statements as soon as you receive them and notify Citibank immediately of any unauthorised transactions.
  • Always type www.citibank.com.au into your browser when signing on to Citibank Online.

While signed in to Citibank Online

  • Citi emails may contain links to the Citibank website. Please ensure the mail is from Citi prior to clicking on any links.
  • Before submitting information through a website, look for the "padlock" icon on your browser's status bar or check that the website address starts with "https://" and not just "http://". When such security details are present, your information is in a secured session
  • Misspelled words either in the email message or within the website may signal a potential scam
  • Always exit Citibank Online by clicking on the "sign-off" option, do not just close your browser
  • Report all suspicious emails by forwarding them as an attachment to Citi - spoof@citicorp.com - for further investigation and action
  • If you suspect your account has been compromised in any way, call CitiPhone immediately on 13 24 84 (+61 2 8225 0615 if calling from overseas)

Customers should understand that Citibank will never send emails to customers to verify personal and/or account information.

It is important you disregard and report emails which:

  • Request any customer information - including your ATM PIN or account details. Therefore, customers should not reply to emails that request such information.
  • Advise you to contact a phone number to verify your card or account details. Always call CitiPhone on 13 24 84 (+61 2 8225 0615 if calling from overseas).
  • Instruct you to log in or apply for a product via a link in an email.

Beware of suspicious telephone calls.

  • Citibank won't contact you by phone with the offer of a preapproved credit card. If you receive a phone call from someone offering you a preapproved Citibank credit card on the basis that you supply them with personal information such as driver's licence, address details or income details, report it to the police or contact Citibank on 13 24 84.

Be wary of scams

  • Use caution when receiving a phone call from someone claiming to be from a reputable organisation and consider what they are asking for. Never give them remote access to your computer. If in doubt, ask for a reference number and call back on a trusted number (i.e. from the phone book) to confirm the call was genuine. Visit Scam Watch for more info.

Regularly change passwords for everything online

  • We recommend setting a reminder to change them every couple of months.

Securely dispose of sensitive documents

  • Don't simply throw your bank documents, bills etc. in the bin. These should be shredded or destroyed.

Secure your mailbox

  • Use a padlock or PO box and report any missing mail to the relevant provider.

Be guarded with your social media accounts

  • Be familiar with your privacy settings and ensure you only share what you want with who you want. Consider hiding things like your date of birth, work information & contact details.

Protect your PIN

  • Keep your ATM PIN secure and never disclose it to anyone
  • Change your Citibank ATM PIN on a regular basis
  • Do not select an easily identifiable ATM PIN like 1111, 1234 or dates of birth
  • Never disclose your ATM PIN to anyone, not even to a Citibank representative
  • Install security software, turn on automatic updates and scan your computer regularly.
  • Keep your operating system updated.
  • Avoid using shared computers or devices as they may have malware that could compromise the security of your online activity.

Don't fall for SMS phishing

  • Fraudsters can spoof the sender name so they may appear to be from a trusted source. These SMSs often use scare tactics and contain links to fake websites in an attempt to capture your passwords and other sensitive information.

Keep your operating system and apps updated

  • Go to iTunes for Apple devices, the Samsung or Google Play store for Android devices and the Microsoft or Windows Phone Store for Windows devices.

Stay clear of unsafe or fake apps

  • Only download apps from official app stores and never from a link within an email or SMS.

Protect your device

  • Use a security app such as McAfee Multi Access.

Tighten your mobile service security

  • Call your mobile service provider and ask if they can add a keyword to your account and call them immediately if you notice unexpected or unusual service outages.

Use a passcode

  • Protect access to your mobile device particularly if you have apps linked to your credit card.

Credit cards are widely accepted in most countries so you don't need to carry as much cash. However, there are risks to using your card overseas such as card theft and skimming.

Learn more about travelling overseas