Deceitful Citibank Scam Lets Cybercriminals Access Your Account


A new Citibank email phishing scam has emerged. The scam uses several convincing tactics to trick customers into handing over access to their bank accounts.

The fake domain name and webpage use authentic-looking Citibank logos and color schemes to give users a false sense of security as they log in to their account, which gives scammers full control of their information.

Continue reading to learn more about how the Citibank phishing scam works, and what you need to look out for.

How the Citibank Scam Works

Once the scam tricks the customer into visiting the fake website, it prompts them to enter their username and password. The following screen will request personal information such as name, birth date, address, and the last four digits of their social security number.

The next screen will ask the user to input their debit card information. Everything the customer submits is stored on the scammer’s server.

Once this process is complete, the user will see a landing page with the words “Authenticating… please wait. This may take up to one minute.”

According to, “It is believed, but not confirmed, that during this period the phishing page will attempt to login to Citibank using the credentials provided by the victim. This [process] is done in the background.”

If the attacker is successful in accessing the account and the user has OTP (One-Time PIN) authentication, Citibank will send a code to the user’s cell phone. Since this code comes straight from Citibank, victims do not suspect a thing.

If everything goes according to plan, the scam artist will have full control over the entire account.

How to Avoid the Scam

The Citibank phishing scam, first discovered by the Malware Hunter Team, begins with an incorrect URL.

Always remember to carefully read the domain name before entering any confidential information online.
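
What "reading the domain name" means in practice, as an added example that is not part of the original article: the check below extracts the host a browser would actually contact and compares it to a short allowlist. The trusted domain list, the brand keyword and every sample link are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: registrable domains treated as the bank's own. Verify against the
# bank's published addresses before using a list like this.
TRUSTED_DOMAINS = ("citi.com", "citibank.com")
BRAND_WORDS = ("citi",)  # assumption: strings a lookalike would borrow


def real_host(url):
    """Host the browser will actually contact: userinfo and port stripped."""
    try:
        host = urlsplit(url.strip()).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()


def classify(url):
    """Return 'trusted', 'suspicious' or 'unrelated' for a login link."""
    host = real_host(url)
    owned = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
    if owned and url.strip().lower().startswith("https://"):
        return "trusted"
    # Brand text anywhere outside a trusted host (subdomain prefix, userinfo,
    # path) or a punycode label is the pattern to slow down and read.
    punycode = any(label.startswith("xn--") for label in host.split("."))
    if owned or punycode or any(w in url.lower() for w in BRAND_WORDS):
        return "suspicious"
    return "unrelated"


# Constructed sample links; the .example hosts are placeholders, not real IoCs.
SAMPLES = [
    "https://online.citi.com/login",
    "https://citibank.com.secure-verify.example/login",
    "https://citibank.com@signin.example/",
    "https://www.citibank-online.example/",
    "http://www.citibank.com/",
    "https://news.example/article",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):<10} host={real_host(link):<40} {link}")
```

The part of the host that matters is its right-hand end: a trusted name appearing at the start of the host, before an `@`, or in the path says nothing about where the form data goes.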

Scammers also count on users being very distracted, even while logging in to websites that contain private information. Nowadays, people use their mobile devices to access almost everything.

According to Colin Bastable, CEO of security awareness & training company Lucy Security, “Many users access their email and bank accounts on mobile devices, while multi-tasking (unfortunately for example, while driving), and this makes it harder to spot phishing sites.”

One user on an online forum offered the following words of wisdom:

“Like dialing the correct phone number or sending mail to the correct postal address, using the correct URL is a basic principle of remote communication. As long as there is a user base that refuses to pay attention to the URL, this will be a viable con.”