Citi Security Centre - Security Update

Warning: WhatsApp Scams

WhatsApp scams are on the rise and you could be a fraudster's next target. Fraudsters are using the instant messaging platform WhatsApp to send messages to consumers posing as a family member, most commonly the recipient's child, with the goal of stealing your money.

A WhatsApp scam typically involves the following:

  • Fraudsters posing as a family member, commonly the person's child, stating that their phone is not working and that this is their new number.
  • Fraudsters will invent a story claiming that they are in a difficult situation, need help and are in urgent need of money.
  • Fraudsters will use a technique called 'Social Engineering' to try to manipulate you into sending them money.

Here is how to protect yourself from falling victim to a WhatsApp scam:

  • Do not reply to any unexpected messages from unknown numbers you receive on WhatsApp.
  • If you receive a message from an unknown number claiming to be a family member, phone the original number you have saved for that person and ask them to confirm whether it is them.
  • Block the number that has contacted you.
  • Do not share any personal information over WhatsApp to any unexpected messages from unknown numbers.

Warning: 3D Secure Fraud

Be aware that fraudsters are contacting people out of the blue to ask for personal information such as your card number and CVV. The caller will purport to be from Citi or another trusted organisation and will ask you for the One-Time Passcode you have received, or for your personal information. Fraudsters are also attempting to SIM swap people's mobile phone numbers, that is, to divert all phone calls and SMS text messages to another mobile phone which the fraudster controls. Fraudsters are calling people purporting to be from mobile network providers and asking them to provide a PUK code. If your mobile phone stops working normally, inform both your bank and mobile network provider immediately.

Here’s how you can protect yourself:

  • Do not provide any information to the caller, including your card number, CVV or One Time Passcodes.
  • Citi will never call you asking for any of this information. If you receive a call out of the blue asking for any personal information, end the call immediately.

If you believe you have been a victim of this fraud, please contact us immediately on 0800 00 55 00.

Warning: Business Email Compromise and Invoice & Mandate Scams

We have become aware of a recent trend where fraudsters are spoofing or impersonating legitimate business email addresses, or compromising them and gaining access to the account.

This typically occurs when you are paying for a service from a business, for example renovation work at home or when you are purchasing a property and communicating with your Solicitor over email.

Fraudsters will intervene and send you an email that looks as if it has been sent from a trusted business, when in fact it is the fraudster who is posing as that business or has gained access to its email account.

Once a fraudster can send an email to their victim, they typically provide new and fraudulent bank details on an invoice to convince the victim to redirect the payment to the account.

  • Always confirm the bank details directly with the company before making a payment.
  • When paying someone for the first time, transfer a small amount first and check with the company that it has been received.
  • Send the confirmation of payment to the service provider once the invoice has been paid.

If you believe you have been a victim of this scam then please contact us immediately on 0800 00 55 00.

Remote Access Scams

A remote access scam occurs when an unsolicited caller purports to be from a reputable organisation with which you are likely to have a genuine service or account, such as your mobile or internet service provider. The caller will claim that you have some form of issue or problem they need to fix.

In order to remediate the issue they will advise you that they need to take control of your computer or mobile. To do this they will ask you to download remote access software, which in turn enables the caller to take control of your device.

Once they have control of your device they will ask you to log into your Citi online banking account and potentially any other online bank accounts that you may hold. They will advise that you need to log in so they can check that your accounts are 'safe'.

The caller now has access to your online account and all features, including making payments.

How to Protect Yourself

  • Never give remote access to an unsolicited caller, and never log into your Citibank online account while they have access.
  • A genuine bank or organisation will never contact you out of the blue to ask for your PIN, full password or One Time Password, or to move money to another account. Only give out your personal or financial details to use a service that you have consented to, that you trust and from which you are expecting to be contacted.
  • If you are ever unsure of whom you are speaking to, terminate the call and independently obtain the telephone number of the company the caller purports to be from using a reputable source.

Warning about Investment Scams

We have become aware of attempts to impersonate Citibank UK Limited and Citigold Wealth Management through emails, cold calls and fake websites purporting to represent Citi and to offer our products. These fraudsters are sophisticated and in some instances are replicating our genuine product and service documentation.

Recently, fraudsters have been offering consumers fake high interest, fixed rate COVID vaccine bonds referencing legitimate Pharmaceutical companies (e.g. Pfizer), whilst using Citibank UK Limited’s firm reference number, address and logo.

Here are some ways in which to identify Investment Scams:

  • You have come across a website offering Citi investment products, or have been approached by email (not from our domain), cold call or text message offering an investment opportunity, and the offer seems too good to be true: high return with low risk.
  • Fraudsters may try to rush or pressure you into making decisions, saying that you need to act now or you will miss out. A legitimate company would never force you into making a decision regarding your investments or wealth.
  • You may be asked to pay or transfer money by online payment or wire transfer to an unknown beneficiary.

If you’re suspicious about an investment or opportunity then please contact us immediately via or 0800 00 55 00

In order to protect yourself, please remember:

  • We would never cold call, email or text you to offer an investment opportunity out of the blue.
  • In order to make an investment with Citibank UK Limited, you need to have an account with us. We would always open an account face to face, not over the phone or via email.
  • We would only email you using our “” domain and we do not use any variations of this.
  • We would never promise a low risk investment for a high return.

Please visit this website to learn more about Investment Scams and how they operate:

Please also take FCA’s quick Scam Smart Test:


New Citi security SMS

We will alert you by SMS if we identify suspicious activity on your debit card purchases.

We'll only ever ask you to reply to an SMS that has been sent from either 63363 or +447860065121.


Payment Services Directive 2 (PSD2)

Further changes resulting from the European Union’s Payment Services Directive 2 (PSD2) are coming into effect on 14 March 2020. These changes are designed to better protect you when you make payments and access your transaction details. Please be aware that additional changes will come into effect later in 2020 and in 2021 and we will write to you in advance detailing those changes.

What does it mean for Citi clients?

This means there will be extra levels of security when you take certain actions related to making payments and accessing your information.

What changes should I expect?

Some of your transactions may require additional levels of security

The new Strong Customer Authentication (SCA) requirements will have an impact on the way you transact on your account. They will require a higher level of authentication (authorisation by you) for certain types of transactions, e.g. where you are paying someone you have never paid before. This includes the introduction of two-factor authentication and generation of an authentication code for certain transactions. A factor can be one of the following options:

Knowledge: Something only you know (e.g. your Citi Unlock Code)

Possession: Something only you have (e.g. your Mobile phone)

Inherence: Something unique to you (e.g. your Fingerprint)

Two different factors will be required to make certain types of transaction, e.g. when you are using the Citi Mobile® UK App, your two-factor authentication will be Knowledge (your Citi Unlock Code) AND Possession (the presence of the app on your Mobile Phone).

An authentication code will be generated based on this two-factor authentication.

Changes to the way you transact on your account

Citi Mobile® Token – Push Notification on your mobile phone

If you have enabled Citi Mobile® Token with Push Notifications (a pop-up notification on your phone), you won't need to enter an authentication code for your transactions; instead, you will be asked to authenticate yourself within the app, and an authentication code will be generated and verified automatically. You will be asked to opt in for this feature when you open your Citi Mobile® UK App.

If you have not enabled Citi Mobile® Token with Push Notifications, you will be asked to authenticate manually by generating a code using Citi Mobile® Token or using an SMS One-Time Password (an “SMS OTP”).

If you receive an SMS OTP, this will include the payee nickname and transaction amount in order to provide greater clarity on which transactions the OTP is being used to verify.

You will no longer be able to complete a transaction with just your signature.

As Citi Debit Cards have chip functionality, you will no longer be able to complete a transaction using your signature where the payment machine is chip-enabled. Instead, you must authenticate using your PIN.

Extra levels of security for your contactless payments

Occasionally you will be asked to put your card into a payment machine and provide your PIN, rather than using the contactless option. This is an extra level of security to ensure it is you that is using your card. We may ask you for your PIN on the sixth contactless payment. Some types of payment are not included in this change (e.g. unattended terminals).

To better improve your contactless payment experience, we will be issuing new cards to a number of clients over the coming months. We will notify you if this is relevant to your card.

Changes to the way you access your account online

Additional security measures for accessing transactions.

Every 90 days we will ask you to authenticate yourself using either the Citi Mobile® Token or SMS OTP when logging in to Citi Online or your Citi Mobile® UK App.

Within these 90 days, we will be able to provide you access to your balance and transactional information up to 90 days old without continuing to ask for verification. If you want to access transactional information older than 90 days, we will ask you to authenticate yourself using either the Citi Mobile® Token or SMS OTP.

Depending on the actions you are taking on your account we may ask you to authenticate yourself at other times.
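The following is an added illustration, not Citi's own code and not taken from this page: a small step-up authentication policy that encodes the rules described above (re-authentication every 90 days, a fresh authentication for transaction history older than 90 days) together with the contactless rule from the card payments section (PIN may be requested on the sixth contactless payment, unattended terminals excluded). All function names, the `SessionState` record and the constructed timeline in `demo_timeline` are assumptions made for the example; the real back-end logic is not published here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Policy constants taken from the page's wording (assumed values for this example).
REAUTH_INTERVAL = timedelta(days=90)   # login re-authentication every 90 days
HISTORY_WINDOW = timedelta(days=90)    # transactions older than this need SCA
CONTACTLESS_PIN_EVERY_N = 6            # PIN may be requested on the sixth tap


@dataclass
class SessionState:
    """Per-customer state a bank would keep to apply the SCA exemptions (hypothetical)."""
    last_sca_at: Optional[datetime] = None   # last successful two-factor check
    contactless_since_pin: int = 0           # taps since the last chip-and-PIN payment


def login_needs_sca(state: SessionState, now: datetime) -> bool:
    """Login step-up: required if never authenticated, or the last SCA is 90+ days old."""
    if state.last_sca_at is None:
        return True
    return now - state.last_sca_at >= REAUTH_INTERVAL


def history_needs_sca(state: SessionState, now: datetime, oldest_requested: datetime) -> bool:
    """Balance and transactions up to 90 days old are exempt inside a valid login
    window; anything older, or an expired window, triggers a fresh authentication."""
    if login_needs_sca(state, now):
        return True
    return now - oldest_requested > HISTORY_WINDOW


def record_sca(state: SessionState, now: datetime) -> None:
    """Call after a successful two-factor check (e.g. Mobile Token or SMS OTP)."""
    state.last_sca_at = now


def contactless_needs_pin(state: SessionState, unattended_terminal: bool = False) -> bool:
    """Decide whether this tap must fall back to chip-and-PIN. Unattended terminals
    are excluded from the change, so they neither count nor trigger a PIN request."""
    if unattended_terminal:
        return False
    state.contactless_since_pin += 1
    if state.contactless_since_pin >= CONTACTLESS_PIN_EVERY_N:
        state.contactless_since_pin = 0   # counter restarts after a PIN payment
        return True
    return False


def demo_timeline() -> dict:
    """Walk a constructed timeline through the policy and return each decision."""
    day0 = datetime(2020, 3, 14)   # constructed start date (the PSD2 change date on the page)
    s = SessionState()
    out = {}
    out["first_login"] = login_needs_sca(s, day0)                     # never authenticated
    record_sca(s, day0)
    d30 = day0 + timedelta(days=30)
    out["login_day_30"] = login_needs_sca(s, d30)                      # inside the window
    out["recent_history_day_30"] = history_needs_sca(s, d30, day0 - timedelta(days=50))   # 80 days old
    out["old_history_day_30"] = history_needs_sca(s, d30, day0 - timedelta(days=100))     # 130 days old
    out["login_day_90"] = login_needs_sca(s, day0 + timedelta(days=90))  # window expired
    out["contactless_taps"] = [contactless_needs_pin(s) for _ in range(6)]
    out["unattended"] = contactless_needs_pin(s, unattended_terminal=True)
    return out


if __name__ == "__main__":
    for name, decision in demo_timeline().items():
        print(f"{name}: {decision}")
```

The point of keeping the decision in pure functions over an explicit `SessionState` is that each exemption (time since last SCA, age of the requested data, contactless count) can be unit-tested on its own, and a reviewer can see at a glance that an expired login window always forces a fresh authentication before the history-age check is even consulted.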

Third party payment service provider (TPP) and their permissions when accessing your account

A TPP can allow you to view your accounts with us and other banks in one place as well as allowing you to make payments directly from your account. TPPs can only access your account information and make payments from your account with your permission. If you allow a TPP access we will treat an instruction from a TPP as if it was from you.

TPPs have to be authorised by the UK's Financial Conduct Authority (FCA) or another European regulator before they are allowed to access your account. TPPs are also required to comply with the PSD2 requirements by 14 March 2020, and this will change the way in which they can access your account. Where a TPP is not compliant, we are not able to permit them to continue accessing your account in the way they used to, and you may receive unexpected SMS OTPs during this time. To prevent these SMS OTPs, the best thing you can do is contact your TPP to remove their access.