Online & Mobile Fraud

Malware, or malicious software, is generally used to describe any harmful program that can be installed on a user's device without their consent. The term covers a broad spectrum of malicious programs, including viruses, Trojans, ransomware and spyware.

When installed, these programs are capable of:

  • Recording usernames, passwords and other sensitive information
  • Capturing keystrokes from your keyboard or taking screenshots of sites you have visited
  • Encrypting your device to extort a ransom
  • Modifying the screens you are able to see while using internet banking
  • Setting up payments without your knowledge - or even allowing a fraudster to take remote control of your device.

Phishing/Spear Phishing

Phishing is the use of fraudulent emails or social media posts to trick a victim into revealing sensitive information, or clicking on an infected hyperlink. Spear Phishing is an evolution of the same scam in which the fraudster uses personalized details (such as the recipient's name) to make an email or post seem particularly believable.

A Spear Phishing attack normally begins by cyber criminals collecting personal information about their intended targets from public sources such as company webpages and social networking sites. Using this information, the fraudsters then create personalized communications that appear legitimate and send them to groups of people with something in common, such as working for the same company. The email appears to come from a well-known organization or a person of authority and usually contains embedded hyperlinks. When users click on the hyperlinks, they are either brought to a fraudulent website – where additional personal or account information is collected – or malware is downloaded onto their computer.

How to protect yourself from Phishing

  • Do not click on embedded hyperlinks or open attachments in emails from senders you do not recognize.
  • Be vigilant to changes in the look, style, and tone of emails from regular senders. This includes changes in the quality of the spelling or grammar used within the email.
  • Remember that most companies, including Citi, will never request personal or account information via email.
  • Do not provide personal or company information on unfamiliar websites, and use caution when posting your personal information on social networking sites or discussion forums.
  • If you are ever in doubt, check that the message is genuine by asking the company itself. Make sure you obtain the contact details from an independent source, rather than calling the numbers or following the links provided in the suspicious email.

Social Engineering

Social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information for the purpose of fraud. Social engineering is normally attempted via telephone and attempts to take advantage of our natural tendency to accept people at their word or manipulate our willingness to help.

The term 'Social Engineering' covers a wide variety of fraudulent activity, but some of the more common attacks include:

  • Callers masquerading as senior business leaders or members of Human Resources to request information about employees
  • Callers pretending to be from an IT service desk and asking for company information or requesting a screen sharing session
  • Callers pretending to be from Citi (or any other bank) to test or synchronize your CitiBusiness® Online security token

How to protect yourself from Social Engineering

  • Never provide personal/business information to an unknown caller. Even the most trivial piece of information can later be used to assist the fraudster.
  • Use official corporate directories to respond to requests for information. Do not call unknown numbers or send information to unknown email addresses.
  • Do not transfer unknown callers internally as this may unintentionally add credibility to the caller.
  • If you feel suspicious, offer to call the person back with the requested information. You can then verify the legitimacy of the request (by replying via a number/email address obtained from an independent source) before disclosing any sensitive information.
  • Do not share your screen with anybody you do not know or cannot independently verify.