Citi Security Centre - Security Update

Authorised Push Payment (APP) Scams

An APP scam occurs when a fraudster uses a technique called social engineering to persuade you to send money to another account. Fraudsters will trick you into trusting them before they manipulate you to send the money.

Fraudsters will try to pressure you into making a decision, or more importantly making a payment, before you are able to realise that you are falling victim to a scam.

To define an APP scam and understand how it differs from falling victim of an account takeover; an APP scam is when you are the one that authorises the payment, whereas an account takeover is where the fraudster is the one that has fraudulently gained access to your account and makes the payment without your knowledge.

Here are some APP Scams and how to recognise them:

Purchase Scams

Fraudsters trick people into thinking they are paying for legitimate goods and services, when actually they do not exist.

These are usually advertised on social media or online retailers, with images taken from genuine sellers to make the listing appear to be as genuine as possible.

What does it look like?

  • The item could be heavily discounted or considerably cheaper compared to other listings to appear more attractive.
  • The seller asks you to pay by bank transfer instead of using the platforms secure payment option.
  • The email confirmation of your order is sent from an email address domain that does not match that of the genuine sender.

Stop and think:

  • If it’s too good to be true, then it probably is not.
  • Always use the secure payment method option on genuine online retailers, for example PayPal.
  • Take your time to read online reviews on the website you are purchasing from. Do your research on the sellers and check if they are genuine.
  • Ask as many questions as you can about the service or goods you are looking to purchase to try and catch the fraudster.
  • Always access the website you are purchasing from by typing it into your web browser and always be wary of clicking on links in unsolicited emails or text messages.

WhatsApp Scams

WhatsApp scams are on the rise and you could be a fraudsters next target. Fraudsters are using the instant messaging platform WhatsApp to send messages to consumers posing to be a family member, more commonly their child, and their goal is to try to steal your money.

A WhatsApp scam typically involves the following:

  • Fraudsters posing to be a family member, commonly the persons child, stating that their phone is not working and that this is their new number.
  • Fraudsters will create a story to claim that they are in a difficult situation, need help and in urgent need of money.
  • Fraudsters will use a technique called ‘Social Engineering’ to try to manipulate you into sending them money.

Here is how to protect yourself from falling victim to a WhatsApp scam:

  • Do not reply to any unexpected messages from unknown numbers you receive on WhatsApp.
  • If you receive a message from an unknown number claiming that they are a family member, make a phone call to the original number you have saved for that person and ask them to confirm if it is them or not.
  • Block the number that has contacted you.
  • Do not share any personal information over WhatsApp to any unexpected messages from unknown numbers.

Impersonation Scams

Fraudsters convince their victims to make a payment or disclose their personal information whilst pretending to be from trusted organisations such as HMRC, BT, Citi, or even the Police. These scams often begin with a phone call or text message that appears to be genuine due to the criminals using a tactic called ‘spoofing’. This makes their call or text appear genuine by cloning the number or sender ID which the organisation uses. Do not attempt to make a payment to anyone who contacts you out of the blue.

What does it look like?

  • Fraudsters attempt to appear genuine by cloning the number or sender ID which the organisation uses. It may appear that the call, text or email you receive is coming from the correct number or email from your bank. For example, the incoming text you receive will state it is from “Citi UK”, when in fact it is a fraudster making it appear that way.
  • You will be asked to transfer money to a “safe” account. Citi will never ask you to do this.
  • You will be contacted by someone pretending to be from your internet service provider to convince you to allow them remote access to your computer.

Stop and think:

  • Your bank or any government or official organisation will never ask you to transfer money to a safe account, or contact you to ask for your personal information like your card PIN, or online banking details or One Time Passwords (OTP’s).
  • Contact your bank or the organisation you wish to contact using a known email or phone number.
  • Do not give anyone remote access to your computer.
  • You can forward suspicious emails to spoof@citi.com and report@phishing.gov.uk and suspected scam texts to your mobile network provider by forwarding them to 7726. An easy way to remember 7726 is that they are the numbers on your telephone keypad that spell out the word ‘SPAM’.

Investment Scams

An investment scam is where fraudsters attempt to impersonate financial institutions and create websites that appear to be genuine with information about high return investment opportunities.

Recently, fraudsters have been offering consumers fake high interest, fixed rate COVID vaccine bonds referencing legitimate Pharmaceutical companies (e.g. Pfizer), whilst using Citibank UK Limited’s firm reference number, address and logo.

What does it look like?

  • An email, call or text message offering an investment opportunity.
  • A website that appears to be from a legitimate financial organisation which is selling investment products and offering you low risk investment for a high return.
  • A fake site, a caller or someone behind an email asking you to pay or transfer money by online payments or wire transfer.
  • Fraudsters trying to rush or pressurise you into making decisions. A legitimate company would never force you taking a rushed decision regarding your investments & wealth.
  • An offer that seems too good to be true; High return with low risk. Don’t proceed until you are comfortable the offer is legitimate.
  • Fraudsters are known to target previous victims of investment fraud, with further fraudulent investment schemes or by claiming that they can recover lost money. You may be asked to pay an upfront fee but will not get back your money.

Stop and think:

  • We would never cold call or email you to offer an investment opportunity out of the blue.
  • To make an investment with Citibank UK Limited, you need to have an account with us.
  • We would only email you using @citi.com domain and we do not use any variations of this.
  • Check the FCA website and use their register to ensure the investment is legitimate and there is no known bad information against the company.
  • We would never promise high returns on a low risk investment.

Cryptocurrency Scams

Fraudsters may offer you tempting investment opportunities in cryptocurrencies. You should conduct your own research. If you are looking to invest your money in Bitcoin or other currency, then it is best to get an opinion from a qualified financial advisor or check the FCA warning list. If you are requested to pay money to a wallet provider then it is important to ensure this wallet is in your own name and only you have access to it. Do not give control of this wallet to anyone.

What does it look like?

  • Fraudsters will contact their victims and use social media platforms to advertise false investments in trading cryptocurrencies.
  • They will convince victims to register for cryptocurrency investment websites, using their personal details such as card details.
  • The victim is instructed to make an initial minimum deposit. After which the fraudster will call the victim again to convince them to invest again to achieve higher profit.
  • Fraudsters are known to target previous victims of investment fraud, with further fraudulent investment schemes or by claiming that they can recover lost money. You may be asked to pay an upfront fee but will not get back your money.

Stop and think:

  • Take your time and think before you make a decision. A genuine financial organisation will never contact you and pressure you to move or invest money.
  • Check the FCA website and use their register to ensure the investment is legitimate and there is no known bad information against the company.
  • Avoid out of the blue investment offers, especially cold callers.

Advanced Fee Scams

This scam is when the victim is convinced to pay an upfront fee to receive a prize or service or high value goods which never appear.

What does it look like?

  • You are asked to pay an upfront fee to receive money or a prize/service that you weren’t expecting.
  • You are told that it is fully refundable, and the funds will be used as a deposit.
  • You are put under pressure to make a payment as soon as possible.
  • The website domain name does not match the sender of the email.

Stop and think:

  • Always question any claims that state you are due money as a prize of any goods or services you haven’t ordered or are unaware of.
  • You will not be asked to pay an upfront fee to claim prize money.
  • Be aware and suspicious of fake profiles on social media websites.

Romance Scams

A Romance Scam is where a fraudster uses a fake social media, dating site or gaming site account to build a relationship with you (also known as Catfishing) and eventually convincing you to send them money. Fraudsters use information they find on social media to create these fake profiles and identities to target you. Typically, victims of romance scams are often vulnerable in some way and more susceptible to believing the ‘story’ they are told.

Fraudsters that use this type of scam often try to gain your trust and convince you that you are in a genuine relationship. They will begin to use persuasive language towards you so that money they request do not catch you by surprise. The requests will typically be for things that may make you feel sympathetic with them, such as medical care or overdue mortgage payments.

What does it look like?

  • You have met someone online and they seem trustworthy and let you know that they have romantic feelings for you.
  • The person will suggest taking the conversation away from the website you have met on to a more private form of communication, such as email, phone, or instant messaging.
  • They claim to be from the UK but generally are operating from an overseas country.

Stop and think:

  • Do not send money to anyone you have never met in person.
  • Stay alert to spelling and grammatical errors and inconsistencies in any stories they may tell.
  • Thoroughly research the person you think you are speaking to.
  • Ask trusted members of family or friends for advice.
  • Only accept friend requests or begin talking to people online you know and trust.

Money Mules

‘Money mules’, or ‘money transfer agents’ as they are sometimes called, are people recruited by criminals to help transfer fraudulently obtained money from bank accounts. The funds that the criminals try to transfer are usually stolen or obtained because of scam emails and Trojan (a type of computer virus that takes control of your computer) scams. Since most of the fraudsters are located overseas and as it is not possible to make cross-border transfers out of some countries online bank accounts, a "money mule" or "money transfer agent" is required to launder the funds obtained.

While money mules are usually accomplices of the fraudsters and are aware of the nature of the activity, the criminals also try to dupe innocent victims into laundering money on their behalf. A Money Mule is attracted through a website, spam email, internet chat, or newspaper advertisements. After being recruited by the fraudsters, money mules receive funds into their accounts and they then withdraw the money and send it overseas using a wire transfer service, minus a certain commission payment.

What does it look like?

  • Offers of quick cash.
  • Job adverts that appear to be genuine.

Stop and think:

  • The consequences of becoming a money mule and to understand more why fraudsters target you, please visit www.moneymules.co.uk.

Invoice and Mandate Scams

In this scam, the victim attempts to make a payment to settle a legitimate obligation with a legitimate payee but the scammer manages to intervene to convince the victim to redirect the payment to the scammers account.

What does it look like?

  • New bank details are provided to you that are from an existing service provider that differs from the account details you were originally provided.
  • You receive more frequent invoices for a product or service.

Stop and think:

  • Always confirm the bank details directly with the company before making a payment. You can do this by contacting the company via a telephone number you know belongs to them and ask them to verify the bank account information.
  • When you are paying someone for the first time, transfer a small amount first and check if the payment has been received.
  • Send the confirmation of payment to the service provider once the invoice has been paid.
 Two people shaking hands
A Citi UK customer working on his smart device
A man talking on his mobile phone

Warning about COVID-19 Scams

Be aware that fraudsters are sending text messages and emails claiming to be NHS, offering the opportunity to sign up for the COVID-19 vaccination. The text or email will ask the recipient to click on a link which will take them to an online form which requests personal and financial details.

  • Do not click on links shared via text message and email or input any personal or financial information.
  • The NHS will never ask you for your bank account information, card details, PIN or a banking password.
  • The NHS will never ask you to prove your identity by sending copies of personal documents such as your passport.

If you believe you have been a victim of this scam then please contact us immediately on 0800 00 55 00.


 

If you have any concerns regarding security
please call the Citi Security Team on:

 
 

0800 096 68 00

+44 203 569 99 98
If calling from outside the UK