Online Security

We protect. We care. When you are with Citibank you are guaranteed in security. Find out how Citibank has endeavored to protect you.

Latest Security Alerts

One Time Password (OTP) is the key to your financial transactions. Do not share the OTP sent by the bank with anyone for any purpose, even if the person claims to be from Citibank.

Phishing/Smishing/Vishing scam

These scams are the fraudulent practice of sending emails or SMS claiming to be from reputable companies (including Citibank, tax authorities…) to steal confidential information about your card & bank accounts.

Don't fall victim to fraudulent mobile applications!

There are mobile applications like TestFairy, AWS Device Farm where developers test and enhance their mobile applications before release. These developers sometimes invite testers through email or public link.

Taking advantage of these initiatives, fraudsters can scheme customers into downloading malicious applications via platforms like App Store (for iOS)/Google Play (for Android).

These applications allow fraudsters to access customer's mobile device and obtain confidential information for immediate or later misuse.

How does SCAM work?

Online advertisements offer cash advance from credit card with little or free of charge, asking customers to fill in forms or download applications with their banking credentials. Fraudsters talk customers into providing OTP to perform unauthorized transactions.

Impersonating financial companies to offer loans, fraudsters ask customers to install loan applications and demand customers to deposit some amount as income proof.

Intentionally transferring a small amount to a customer account, then contacting the customer via phone or via SMS under Bank name to inform them about the wrong transaction, requesting the customer to access a malicious link to take over personal information.

Impersonating Bank brand to inform customers of abnormal activities and guide customers to access phishing links.

Scamsters may contact you with too-good-to-be-true like loan package at a low rate of interest, service upgrade, lucky draw winning, overseas remittance, free gifts, police investigation without an indictable offence, etc.

How to protect yourself

Protect Yourself from Fraud

Here are few types of fraud and the preventive steps that you can take to prevent yourself from becoming a victim.


Phishing emails, also known as hoax or spoof emails, are fraudulent emails that appear to be sent from a trusted source but are in fact, designed to trick you into revealing valuable data such as your User ID, password, card details and One-Time Pin (OTP).

Be aware of emails claiming to be Citi

Be aware of emails claiming to be Citi

Be aware of emails claiming to be Citi

  • Always check the sender's email address.
  • Remember that Citi will never ask you to confirm a payment or transaction via email.
  • If in doubt, don't click the link and report to Citi's fraud reporting service.

Be aware of websites imitating Citi

Be aware of websites imitating Citi

Be aware of websites imitating Citi

  • Check web-link URL is
  • Always type within the internet browser address bar.
  • If ever in doubt, don't enter any information within the website & report to Citi's fraud reporting service.

Never enter your details into website unless you see the padlock icon + address

Never enter your details into website unless you see the padlock icon + address

Never enter your details into website unless you see the padlock icon + address

  • Ensure that the padlock icon is displayed on the internet browser address bar.
  • Your internet browser address bar should always display "https" instead of "http" when banking with Citi online.


SMiShing messages appear to be from a legitimate company and typically contain a link that takes you to a spoof website, or it may ask you to call a phone number. Even if you don't enter any information, clicking the link can lead to other problems, such as installing malicious software or dangerous viruses to your phone.


You may receive an SMS from a fraudster posing as your bank requesting you to share personal information, such as account or card details.

You may receive an SMS from a fraudster posing as Citibank, requesting you to share personal information, such as account or card details.

In most cases you will be directed to a fraudulent lookalike website that requests you to enter your:

In most cases you will be directed to a fraudulent lookalike website that requests you to enter your:

  • Card details
  • Name & Address
  • User ID & Password
  • One-Time PIN (OTP)

Fraudsters can utilise your details to make immediate purchases or fund transfers.

Fraudsters can utilise your details to make immediate purchases or fund transfers.


We're constantly updating and improving our wide variety of security measures, providing you the confidence you need when using Citi Mobile® or Citibank Online®.

Web Security

  • Our 256-bit SSL (Secure Sockets Layer) encryption engine provides industry standard levels of security, ensuring your information can't be accessed by anyone else.

    Secure Sockets Layer
  • The green address bar on Citi websites indicates that the site has undergone extensive vetting by our security teams and has been granted a security certificate known as an Extended Validation SSL Certificate.
  • For safety, we’ll suspend your online access if three failed login attempts are made. We’ll also block access to cash machines if the wrong PIN is entered three times.
  • You are recommended to use supported and updated browsers to ensure your internet banking is secured at all times.
  • Every time you sign in to Citibank Online®, the date and time of your last visit are shown. If you didn't sign in then, this will indicate an unauthorised account access has occurred.

2-way SMS Notification

2 way SMS verification
  • Our 2-Way SMS service alerts you of any suspicious transactions on your account. It is important that you respond to us immediately:
    • You should reply to the SMS with "1" if the transaction is authorised by you or "2" if the transaction is not authorised by you.
  • Please note
    • You will receive the SMS from the number 6058 ("Short Code") if your registered mobile is a Vietnam number and ("Long Code") +61 42630 6058 if your registered number is not a Vietnam number*.
    • We will not ask for any additional information to be provided other than "1" or "2".
    • If you are overseas or holding onto an overseas mobile number, please send your reply to Long Code +61 42630 6058.
    • Please contact us if you have any issues.
  • You can stay on top of your account activities with customized Citi Alerts, where you can get SMS or email notifications whenever there is a specific transaction on your account.

Citi Mobile® Token

  • Citi Mobile® Token is a feature within the Citi Mobile® App that authenticates transactions as an alternative to other authentication methods such as Online Security Device, or One-Time PIN (OTP) via SMS.
  • The benefits of Citi Mobile® Token are:



    Protected by a 6-digit Unlock Code chosen by you and restricted to one device of your choice.



    Enter your unique Unlock Code to instantly authenticate your transactions initiated in Citi Mobile® App on your Citi Mobile® Token enabled device. No more waiting for an OTP via SMS, or worrying about misplacing your Online Security device.



    Authenticates all online transactions such as payments and transfers, adding new payee and updating your contact details. It also generates OTP for online purchases.

  • With the Citi Mobile® Token, you can instantly authenticate all transactions initiated in the Citi Mobile® App. You can also instantly generate OTP with your unique Unlock Code to authenticate transactions on Citibank Online® or for online purchases.
  • After enrolling to Citi Mobile® Token, you should not share or reveal your Unlock Code to anyone, including Citibank.

Misplaced your card? Lock your card on the Citi Mobile® App

Lock your card
  • If you’ve misplaced your card, you can temporarily lock your card at Citi Mobile® App so that no one else can use it. You can unlock your card just as easily when you need to.
  • While your card is locked, you will not be able to use it for point-of-sale transactions. However, any recurring payment instructions that you may have established on your card will not be affected.
  • To terminate your card and request for a replacement if your card is lost or stolen, please call our Citiphone hotline.

If you receive a suspicious email that appears to have been sent by Citibank, contact CitiPhone immediately at
(84 28) 3521 1111 (84 28) 3521 1111. Forward all suspicious emails as an attachment to email for further investigation and action.

You can verify that you are communicating with a genuine financial institution by examining the website certificate during a secure session. This will verify the identity of the specific website you are accessing as well as validate that the site is secure and genuine. It also ensures that no other website can assume the identity of the original secure site. Please refer to your internet browser's documentation for instructions on how to view a certificate. Always ensure that you are using a secure website when submitting credit card or other sensitive information. To make sure you are on a secure web server, check the beginning of the website address in your browser's address bar - it should read https://, rather than just http://.

Report the theft of information to Citibank by contacting CitiPhone as quickly as possible at (84 28) 3521 1111 (84 28) 3521 1111.

Web browsers use standard security protocols like Secure Socket Layer (SSL), and Secure Hyper Text Transfer Protocol (S-HTTP) to enable private information to be transmitted safely over the Internet. When you visit a website with the SSL protocol, a secure connection is created between your computer and the website server you are visiting. Once this connection is established, you can transmit any amount of information to the web server safely. In contrast, the S-HTTP is designed to transmit individual messages securely.

For most web browsers such as Microsoft Internet Explorer and Netscape Navigator, a secure, encrypted session will be indicated by a closed padlock or an unbroken key icon that appears in the lower left or right hand corner of the browser window. You should also check the address bar of your browser. If the website address starts with "https://" rather than the standard "http://" then the session is secure.

Some phishing attacks use viruses and/or Trojans to install programs called "key loggers" onto your computer. These programs capture and send out any information that you type to the phisher, including account numbers, usernames and passwords. In this case, you should:

  • Install and/or update anti-virus and personal firewall software.
  • Update all virus definitions and perform a full scan.
  • Confirm every connection your firewall allows.

Digital certificates are issued by extensively audited and controlled certification authorities to authenticate a website or elements of websites. The certificate identifies the originator of the site and verifies that it has not been tampered with. When your web browser is presented with a certificate, it will check to see if a legitimate certification authority issued the certificate. If there is a match, your session will continue. Otherwise, your browser will issue a warning, and your safest action is to cancel your activity.

If a secure session is established and the information is encrypted during transmission, then others will not be able to view your information. However, you should be aware that some web browsers will store information on your computer even after you are finished conducting your online activities; this is called caching. Therefore, you should close your browser once you are finished using the Internet, particularly if you visit secure sites to conduct financial transactions, check account balances or view any other information that you regard as private and confidential.

Email sent over the Internet is generally not secure unless it is encrypted. In reality, most email programs currently do not have this capability. As most email transmissions are not secure, you should never send any personal or financial information, such as your credit card number, over email.


Minimum System Requirements

To continue to protect your data to the highest standard, from early 2018 to access Citibank Online® and Citi Mobile® App via your smartphone, tablet and desktop please ensure that your browser and operating systems meet the minimum requirements found here (link). You will need to update or upgrade your browser / operating system in order to continue to use Citibank Online® and the Citi Mobile® App.

How can I tell which browser version I am using?

Depending on the type of browser you are using, you can determine the version in your browser under:

  • About Internet Explorer
  • About Mozilla Firefox
  • About Google Chrome
  • About Safari

If you do not update your browser or operating systems, you will not be able to connect to Citibank Online® or use Citi Mobile® App and will be presented with the following error page for example:

Error Page

Minimum System Requirements


Chrome 30 / Win 7

Firefox 31.3.0 ESR / Win 7

IE 11 / Win 7

Opera 17 / Win 7

Firefox 27 / Win 8

IE 11 / Win 8.1

IE 11 / Win 10 Preview

Edge 12 / Win 10

Firefox 49 / XP SP3

Chrome 49 / XP SP3

Chrome 34 / OS X

Firefox 29 / OS X

Safari 7 / OS X 10.9

Safari 8 / OS X 10.10

Safari 10 / OS X 10.12


Android 4.4.2

IE 11 / Win Phone 8.1

Edge 13 / Win Phone 10

Safari 5 / iOS 5.1.1

You can download a new browser from:

Microsoft Internet Explorer™:

Google Chrome:

Mozilla Firefox:



  • Wide choice of deposits to secure your future.
  • Smooth, Safe, Sensible way to Citibank Online<sup>®</sup>.