At Citi, we consider your security to be the topmost priority when banking online with us. As users of Citibank Online, please take note of the recommended security measures to further safeguard yourself while using our online banking service.

Preventing Ransomware
Bank safely

  • Always enter the Citibank website address "" or "" directly into your browser address bar before you log in to ensure that you are on the legitimate Citibank website.
  • Always check that the Citibank website address changes from http:// to https:// once you are on the login page.
  • Always look out for a security icon that looks like a lock or key, which normally appears at the bottom of the webpage or next to the URL bar (depending on the browser used), when authentication and encryption are expected.
  • Always review your account details. Log in at least once a week and view your account details to check if there are any transactions you don't recognize.
  • Always update the bank when you change your contact details. This will enable us to contact you in a timely manner if we detect unusual transactions.
  • Always set up account alerts, which are delivered to your mobile phone or email address. Example: set up alerts for large transaction amounts debited from your account.
  • Always check all transaction alerts to help identify suspicious activities in a timely manner.
  • Never disclose your banking details on any third party websites that are not owned by Citi.
  • Never proceed if you encounter a request for information that is not normally requested and/or if the online experience differs from your previous experience of Citibank Online. Contact us immediately if you encounter such incidents.
  • Never close your browser window or leave your browser / computer unattended without logging out. Always click log out when you have finished your banking session.
If you are the target of SMS, email or phone call spamming, be cautious and check for any fraudulent activity in your bank accounts.

Check your Citibank account regularly and contact us immediately at CitiPhone at 03-2383 0000 or login to Citibank Online and chat with our 24/7 e-chat agent should you encounter any difficulties or irregularities.
Protect your username, password and other authentication credentials

  • Always ensure your password is at least 6 alphanumeric characters, without repeating any digit or character more than once.
  • Always select a password or PIN that is not based on the username, personal telephone number, birthday or other personal information.
  • Always memorise your ATM/Telephone PIN, online banking username and password and do not record it anywhere, including your mobile device.
  • Always use a separate password for your online banking purposes and for logging into other non-banking websites.
  • Always ensure that no one is watching you while you key in your username, password, ATM PIN, Telephone PIN or any other sensitive information.
  • Never disclose your username and password to anyone via unsolicited emails or any website other than our official Citibank website.
  • Never reveal your ATM/Telephone PIN, username, password or other authentication credentials such as One-Time PIN (OTP) to anyone EVEN IF they claim to be a staff member of Citi or an officer of a regulatory body.
Notify Citi immediately by calling CitiPhone at 03-2383 0000 or log in to Citibank Online and chat with our 24/7 e-chat agent upon knowing that your username and password have been breached.
When using a computer

  • Always make sure your computer's operating system and browser software are updated with the latest security patches.
  • Always configure a personal firewall and install the latest anti-virus software to help prevent unauthorized access to your home computer, particularly when it is linked via broadband connections, digital subscriber lines or cable modems.
  • Always be sure to update the anti-virus and firewall products with the latest security patches on a regular basis.
  • Always clear your browser's cache and history after each session so that your account information is removed, ESPECIALLY if you are using a shared computer.
  • Always make regular backups of critical data.
  • Always consider the use of encryption technology to protect highly sensitive data.
  • Never select the option AUTO SAVE on browsers for storing or retaining your username and password when logging into online banking.
  • Never enable File & Print sharing while online, particularly if you are linked to the internet via any broadband connection, digital subscriber lines or cable modems when using a Windows operating system.
When using a mobile device

  • Always ensure security protections are built in and updated on a regular basis. Having the latest mobile security software, web browser and operating system will help safeguard against virus, malware and other threats.
  • Always protect your personal information. Lost or stolen devices can be used to gather information about you and, potentially, others.
  • Always secure your phone by using a strong passcode or Biometrics (fingerprint/face recognition) to lock/unlock your phone.
  • Always review the privacy policy and understand what data (location, access to your social networks) an application can access on your device before you download it.
  • Always be vigilant against SIM card swap fraud. In this fraud, fraudsters request a SIM card swap from telecommunications companies and gain access to a customer's mobile number, allowing them to perform fraudulent transactions. If your SIM card is cancelled without your request, contact your telecommunications provider and the bank immediately.
  • Always take precaution by declining any unexpected message or connection attempt as this may be an attempt to send a malicious program to your mobile device. Always decline such connection attempts when in doubt.
  • Never disclose personal information via text messages, and be wary when opening links in text messages.
  • Never download the Citi Mobile application from any website. ONLY download it from Apple App Store or Google Play. Take note of the official Citi Mobile application icon below.

    Citi Mobile Citibank MY
Wireless networks

  • Always set a strong password and encryption for your wireless point. This prevents unauthorised users from accessing and using your wireless connection.
  • Always disable broadcasting of your network name (SSID-Service Set Identifier) to prevent casual surfers from detecting and connecting to your wireless network.
  • Always use strong network encryption e.g. WPA2 to protect your wireless network.
  • Only allow registered machines by enabling MAC address filtering for your wireless network.
  • Modern wireless network routers contain a built-in network firewall; ensure that your wireless router's firewall is turned on.
  • Always keep your wireless network router’s software up-to-date.
Important tips when using the ATM
  • Apply for ATM cards only for accounts used regularly.
  • Keep a minimal amount of money in the accounts that are linked to the ATM cards.
  • Be alert and watch out for any suspicious persons or activities around the ATM. Be alert of anyone loitering in close proximity to or even at a distance from the ATM location.
  • If you notice any "unauthorized" devices or objects fixed to the ATM, do not use the ATM machine and report it immediately to CitiPhone.
  • If you withdraw cash, put it away immediately. Do not count it at the ATM machine.
  • When leaving an ATM location make sure you are not being followed by anyone. Make your way to a police station, crowded area or well-lit location immediately if you are being followed.
  • Do not accept any offers of assistance with the ATM from strangers.
  • Never lend your ATM card to anyone.
If you need help, use the phone located at the ATM machines to contact CitiPhone for help.
Citibank Security
Protecting our customers and providing a secure online banking/ATM/Telephone Banking experience is top priority at Citi. Here's the list of features we work with to make banking with us safer:

Online banking:
  • Data Protection
    All data sent to and from Citibank is "scrambled" and "reassembled" between Citibank and your personal computer or mobile device using 256-bit encryption. The connection is secured using TLS 1.2, AES with 256-bit encryption (High), and RSA with 2048 bits for validation and key exchange.
  • Secured log in using username and password
    Only customers using their Citibank Online username and password or QR Login will be able to access their accounts.
  • One-Time PIN (OTP)
    Whether you are logging on from home, the office or elsewhere, the One-Time PIN (OTP) when used with your username and password, provides additional protection against unauthorised access of your online account information and from various forms of online fraud. With Citi Mobile Token feature on your Citi Mobile app, you can now authenticate all your online banking transactions securely, easily and instantly. You no longer have to wait for a One-Time-PIN (OTP) via SMS.
  • Date and Time of Last Login
    Every time you sign on to Citibank Online, you see the date and time of your last login shown under the main menu.
  • Transaction Signing
    For enhanced online banking security, you will need to authenticate any payments or transfers of RM10,000 and above on Citibank Online and Citi Mobile.
  • Automatic time out
    When there is no activity for a certain timeframe, Citi will terminate the customer's secured Citibank Online session to help protect against unauthorized access.
  • Strict protection of customer information
    Citi has strict standards of security and confidentiality to safeguard our customer information.

ATM transactions
The ATM PIN is encrypted for the whole duration of the ATM transaction thus ensuring a secure environment for your transactions performed via the ATM.

Telephone Banking transactions through Interactive Voice Response (IVR):
The Telephone PIN is encrypted for the whole duration of the telephone session thus ensuring a secure environment for your transactions performed via telephone banking.

If the Telephone PIN is incorrectly keyed in 3 consecutive times, the Telephone PIN and its corresponding Self-Service Phone Banking Service will be disabled.

Safeguard Yourself

Online banking/ATM/Telephone Banking users also have a role to play to ensure that they are protected at all times.

  • Log in to Citi Mobile® App to verify your card transactions and identify any unauthorised transactions.
  • Always safeguard your username, password, ATM PIN, Telephone PIN or other authentication credentials such as One-Time PIN (OTP).
  • Always make sure that no one is watching you, while you key in your username, password and/or PIN.
  • Always read the website's privacy policies prior to providing any confidential information.
  • Always practice safe social networking. Understand, update, and frequently check the account, privacy and security settings on your social networking profiles. Know what information you are sharing and with whom.
  • Always check your account statements to ensure transactions are accurate and to detect any fraudulent transactions. Sign up for Citi Alerts to receive free notifications on your account activities.
  • Always read information and security warnings posted on Citibank's website for the latest updates.
  • Always read and follow Citi's recommended online security tips to ensure the safeguarding of your personal information and computer.
  • Never use easy-to-guess characters or numbers as your online banking password, ATM PIN and Telephone PIN, such as your date of birth, telephone number or simple sequential numbers including ‘qwerty’, ‘password’, 111111 and 123456. Once a password or PIN is chosen, memorise them and never write them down on anything that you carry with you, including on the back of your card.
  • Never use the same username and password that you use for social networking sites to access Citibank Online. At the same time, do not post any information which may help identity theft, for example your contact and employment details.
  • Never use a shared computer or device on an untrusted network to perform any online banking transactions, including on a computer in an internet cafe, a computer in a public kiosk or via a public WiFi network.
  • Never leave your computer unattended while you are still engaged in an online banking session.
  • Never disclose your authentication credentials to anyone over the telephone, mail, SMS or over the internet, including the staff of Citi or regulatory bodies.
  • You are responsible for abiding by Citi's terms & conditions for online banking/ATM/Telephone Banking.
  • You are required to read and understand the terms and conditions prior to commencing your online banking activities.
  • If you believe that your username, password, ATM PIN or Telephone PIN is compromised, or that someone has transferred / may transfer money from your account or has otherwise operated or accessed your account without your permission, you should notify Citi immediately by calling CitiPhone at 03-2383 0000. Alternatively you can log in to Citibank Online and chat with our 24/7 e-chat agent and change your PIN immediately.
  • You must always use reasonable precaution to prevent the loss of your card. If your card is lost or stolen, you must notify CitiPhone at 03-2383 0000. Alternatively you can login to Citibank Online and chat with our 24/7 e-chat agent, followed by a written confirmation together with a copy of police report no later than seven (7) days from the occurrence of the event. Your maximum liability for unauthorized transaction*, as a consequence of a lost/stolen card shall be limited, provided that you have not acted fraudulently or have not failed to inform us as soon as reasonably practicable after having found that your credit card is lost or stolen.
You may also contact our dedicated Fraud Hotline at +603 2383 4883 should you observe any fraudulent transactions on your card.

*For the avoidance of doubt, the term transaction includes Citibank debit card transactions, point of sale terminal, internet transaction or such other terminals or channels that are available to Citi.

At Citi, we're constantly updating our security technology to protect your privacy and confidentiality. It is as important that you take the necessary measures to safeguard yourself.

Protect Yourself Against Fraud

Scam emails

Scam emails are fraudulent (a.k.a. spoofing, impostor, or phishing) e-mails that appear to be sent from a legitimate source. These fraudulent emails attempt to trick you into providing sensitive personal information either by replying to the e-mail or by including links to a fake website that will attempt to get you to disclose personal data or login credentials.

Protect yourself:
  • Never disclose personal, financial or credit card information to unknown or suspicious websites. Citi or regulators will NEVER send emails, SMSes, Facebook messages, or Tweets asking for identity confirmation or security details.
  • Never open email attachments from strangers, install software or run programs of an unknown origin.
In case of any uncertainty, contact us immediately via CitiPhone at 03-2383 0000 or alternatively you can login to Citibank Online and chat with our 24/7 e-chat agent.


Spyware is a piece of software installed in your computer that collects information about you and your internet traffic. It is stored in your PC (with/without your consent) when you download certain software, games, screensavers, etc. from the web. It usually claims to be able to improve your computer's performance.

Spyware can be used maliciously to gain access to your passwords, usernames, card numbers and internet browsing history. They can also be used to scan files on your hard drive and slow down your computer by consuming system resources leading to system instability or a crash.

Protect yourself:
  • Never log in to Citibank Online if you suspect that a spyware is installed on your computer.
  • Install an antivirus/antispyware application that is able to detect and disable/cleanse malware.
In case of any uncertainty, contact us immediately via CitiPhone at 03-2383 0000 or alternatively you can login to Citibank Online and chat with our 24/7 e-chat agent.
Embedded links

Cyber criminals may use embedded links to trick you into clicking on them to download malware to your computer or network in order to collect your personal or confidential information.

Only click on embedded links from trusted sources to avoid running the risk of malware being downloaded to your computer or network.
Money mule

A "money mule" is a person who receives and transfers money on behalf of fraudsters. In effect, the money mule’s bank account acts as a transit point.

Scammers, likely to be members of foreign syndicates, pose as lonely individuals seeking companionship and love online. They befriend victims on social media sites and, after gaining their trust, ask the victims to open a new bank account or use an existing bank account to receive money. When the money is deposited into the account, the victim is asked to pass or send the money to another person or company, usually based overseas. Alternatively, scammers post job advertisements on online job portals or social media platforms for the position of "agent". The "agents" will earn commission for receiving and transferring money for a "legitimate" company.

Protect yourself:
  • Do not give your particulars or bank account details to people offering commission for transferring money to another account.
  • Do not give your personal and bank account details to people you have never met before.
  • Do not give your personal or bank account details to companies with no street address or a complete address. This is to avoid being tracked down.
  • Do not allow others to use your bank account to carry out transactions.
  • Beware of jobs that require you to use your own personal bank account to receive money from unknown sources.

QRishing or QR Code Scam is another form of phishing used to trick you into scanning a fake Quick Response (QR) code which may redirect you to malicious sites. Find out how you can stay safe.

  • Look out for any signs of tampering on the original QR code. Make sure the QR code is not covered by a transparent sheath with a different QR code.
  • Never disclose your personal information or login credentials on suspicious websites after scanning a QR code.
  • Verify that the merchant or recipient's name is correctly displayed before proceeding with any QR payments.
Phishing scams

Phishing occurs when fraudsters send out fraudulent emails to random email addresses. These emails usually contain a link to a look-alike website to mislead you into entering sensitive financial information such as your account number and PIN. This will enable the fraudsters to capture your account information and access your bank accounts.

These bogus websites are designed to trick customers into revealing sensitive customer information, in particular login credentials. Certain letters in the original website address may be replaced with look-alike characters, such as Cyrillic ones, to produce a fake address. For instance, the letter “a” in the original website is not the same as “α” in the fake website www.citibα created by fraudsters.

Protect yourself – be aware:
  • If you suspect you've been sent a fraudulent email, contact our CitiPhone at 03-2383 0000 immediately or alternatively you can login to Citibank Online and chat with our 24/7 e-chat agent or forward the entire phishing email as an attachment to
  • Do not click on any hyperlinks provided in email attachments or hyperlinks from suspicious sources - if you need to access Citibank online, independently navigate to Citibank’s website.
  • Citi reports phishing sites to “Safe Browsing” as soon as they are identified. This presents anyone accessing that particular site with a red screen notifying them that they are attempting to visit a phishing site. If the person still wants to visit the site after being warned they have the ability to click on the proceed button.

    Below are the specifics on Google’s Safe Browsing:
    Approximately one billion people use Google Safe Browsing. We help tens of millions of people every week protect themselves from harm by showing warnings to users of Google Chrome, Mozilla Firefox and Apple Safari when they attempt to navigate to websites that would steal their personal information or install software designed to take over their computers.

    For Internet Explorer (IE) users:
    Microsoft has their own version of Safe Browsing called “SmartScreen URL Filtering”. This doesn’t require anyone to report the URLs to them; it automatically detects what is a phishing site and puts up a message warning users that the site they are attempting to visit is not safe.

Citi will NEVER send emails to customers to verify confidential, personal or account information.
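
The look-alike address trick described above can be checked mechanically. The following Python sketch is an added example, not Citi's code: it flags hostnames that contain non-ASCII characters, mix scripts, or collapse onto a trusted name once look-alike letters are mapped back. TRUSTED_HOSTS holds a hypothetical placeholder hostname and CONFUSABLES is a small constructed subset of look-alike characters.

```python
import unicodedata

# Hypothetical allow-list; the real hostnames are not given on this page.
TRUSTED_HOSTS = {"www.examplebank.test"}

# Constructed subset of look-alike characters (not the full Unicode
# confusables table): each maps to the ASCII letter it imitates.
CONFUSABLES = {
    "\u03b1": "a",  # Greek small alpha
    "\u03bf": "o",  # Greek small omicron
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
}


def char_script(ch):
    """Return a coarse script name for one character."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"  # digits, '-', '.'
    name = unicodedata.name(ch, "")
    # Unicode names start with the script, e.g. "GREEK SMALL LETTER ALPHA".
    return name.split(" ")[0] if name else "UNKNOWN"


def skeleton(host):
    """Map known look-alike characters back to the letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def to_ascii(host):
    """Show the punycode form of each non-ASCII label (simplified IDNA)."""
    labels = []
    for label in host.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def assess(host):
    """Classify a hostname as trusted, suspicious or unknown."""
    host = host.strip().rstrip(".").lower()
    scripts = {char_script(ch) for ch in host} - {"COMMON"}
    findings = []
    if not host.isascii():
        findings.append("non-ascii")
    if len(scripts) > 1:
        findings.append("mixed-script")
    if host not in TRUSTED_HOSTS and skeleton(host) in TRUSTED_HOSTS:
        findings.append("lookalike-of-trusted")
    if host in TRUSTED_HOSTS:
        verdict = "trusted"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "unknown"
    return {
        "host": host,
        "ascii": to_ascii(host),
        "scripts": sorted(scripts),
        "findings": findings,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample hostnames, not real sites.
    samples = [
        "www.examplebank.test",
        "www.exampleb\u03b1nk.test",  # Greek alpha in place of 'a'
        "www.ex\u0430mplebank.test",  # Cyrillic a in place of 'a'
        "www.other.test",
    ]
    for sample in samples:
        print(assess(sample))
```

The punycode ("xn--") form is what a resolver actually looks up, so seeing it in place of the expected name is itself a warning sign.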
Pretext calling

Pretext calling is a deceptive means of obtaining personal information and unauthorised disclosure of your financial information. Fraudsters may pretend to be bank officers to obtain your account number or credit card number and other information required. Upon obtaining your information, the fraudsters may call your bank posing as you and perform transactions using your account.

Another form of pretext calling is when fraudsters request for your confirmation on transactions that were supposedly made with your credit cards. When you inform fraudsters that you do not have such credit cards, you are provided with a fake Bank Negara Malaysia telephone number in order to lodge a report. Upon calling, the fraudsters will request for personal information which will subsequently be used for fraudulent activities.

Protect yourself:
  • Monitor and pay attention to your credit card and bank statements to ensure your transactions are accurate.
  • Do not share personal information, such as account numbers, passwords, National Registration Identity Card (NRIC) number and other personal information over the telephone, email, SMS or internet, unless you know who you are dealing with.
  • Store your personal information in a safe place and shred your old credit card receipts, ATM receipts, old account statements, and any other correspondences prior to disposing them.
Bank Negara Malaysia will NEVER request for your personal or financial information through SMS or telephone calls and will never ask anyone to transfer money to any third party account.

Pharming is a scamming practice in which malicious code is installed on a personal computer or server, misdirecting you to fraudulent websites without your knowledge or consent. Pharming can be conducted either by changing the hosts file on your computer or by exploiting a vulnerability in DNS server software.

Protect yourself:
  • If you access websites which require your personal information, ensure the website address has https:// in its URL.

Keylogging is a form of online fraud where the keys pressed on a keyboard are captured, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.

Protect yourself:
  • Install anti-spyware applications which are able to detect and disable/cleanse keylogging software.
Citibank Online’s One-Time PIN (OTP) is SAFE from keylogging as each PIN is invalidated as soon as it is used.
Keylogging on ATM

Keylogging on an ATM refers to overlaying the ATM's keyboard PIN pad with a device to capture people's PINs. The device is designed to look like an integrated part of the ATM so that bank customers are unaware of its presence.

Protect yourself:
  • If you notice any "unauthorized" devices or objects fixed to the ATM, do not use the ATM machine and report it immediately to CitiPhone.
  • If you notice anything strange at the ATM, leave immediately. If you have already started a transaction, cancel it and leave immediately.
Citi ONLY uses certified encrypting PIN pads for all the ATMs.
Keylogging on mobile - Interactive Voice Response (IVR)

Keylogging on mobile phones has been known in the market for a number of years. The main purpose of such spyware is to capture and transmit information including email, SMS and keystrokes on the cell phone without the user of the phone being aware of it.

Protect yourself:
  • Review the privacy policy and understand what data (location, access to your social networks) an application can access on your device before you download it.
  • Take precaution by declining any unexpected message or connection attempt as this may be an attempt to send a malicious program to your mobile device. Always decline such connection attempts when in doubt.
  • Avoid downloading Citibank Mobile application from any site unless it is from Apple App Store and Google Play sites.
SMS spoofing

SMS spoofing uses the short message service (SMS) to set who the message appears to come from by replacing the originating mobile number (sender ID) with alphanumeric text. Spoofing has both legitimate uses (setting the company name from which the message is being sent, setting your own mobile number, or a product name) and illegitimate uses (such as impersonating another person, company or product).

Protect yourself:
  • If you suspect any SMS spoofing, you should notify Citi immediately by calling CitiPhone at 03-2383 0000 or alternatively you can login to Citibank Online and chat with our 24/7 e-chat agent.
Citi will NEVER request for your personal details via SMS.
Types of ATM fraud
  • ATM Card skimming
    Instances where a skimming device is used to copy an ATM card's security information on its magnetic stripe in order to reproduce the customer's information on a counterfeit card.
  • ATM Card jamming
    Instances where an ATM's card reader is tampered with, with the intention of trapping a customer's card. The criminal removes the card once the customer has walked away from the ATM machine.
  • ATM Card swapping
    Instances where a customer's card is swapped with another card without their knowledge during an ATM transaction.
  • Shoulder surfing
    Instances where an individual stands next to someone and observes as they enter a PIN number at an ATM machine.
  • Compromise of ATM PIN number
    Instances where either the customer's ATM PIN is obtained via observation i.e. "shoulder surfing" or the ATM PIN is illegally recorded by a hidden camera.
Minimize your risk of falling victim to ATM card fraud:
  • When choosing a PIN, don't use common numbers like the last six digits of your IC or your date of birth.
  • Once you have chosen a PIN, memorize it. Never write it down on anything that you carry with you, including the back of your card.
  • Try using the same ATM for your transactions. When you are familiar with it, you will be able to recognize changes to it.
  • Be alert and vigilant when conducting transactions at any ATM, and be sure not to be distracted by strangers.
  • Be mindful when entering your PIN in the presence of others near the ATM.
  • If your card is withheld by the ATM, report it immediately to CitiPhone hotline.
  • Do not respond to any mobile phone text messages or emails requesting personal information, especially your PIN and passwords to your banking account. Banks will never request such information in this way. If you do receive such a call or text message, take down the caller's details and call the bank directly to verify their identity with the bank's customer service centre.
Minimize your loss if you do fall victim:
  • If your ATM card has been lost, stolen or otherwise compromised, immediately call the bank to cancel the card and get another with a new PIN.
  • If you have reason to believe that an identity thief has tampered with your bank accounts, cheques or ATM card, close the account immediately.
  • Check your bank statements regularly even after you have reported your ATM card missing. If you find any suspicious charges, notify the bank immediately.
Types of telephone banking fraud
  • Telephone Tapping
    Telephone tapping is the unauthorized monitoring of telephone and Internet conversations and/or key tone by a third party. Telephone Tapping is possible on a public switched telephone network and can be difficult to detect.
Protect yourself:
Minimum Sys Req

At Citi, we consider your security to be the topmost priority when banking online with us. To continue protecting your data for a more secure banking experience, from early 2018, TLS 1.2 will be required to access Citibank Online and Citi Mobile® app via your smartphone, tablet and desktop.

What is TLS 1.2 ?

Transport Layer Security (TLS) is a cryptographic protocol that provides communications security over a computer network. The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications, which enables secure “https://” connections to websites.

Please ensure that your browser and operating systems meet the minimum requirements listed below. You will need to update or upgrade your browser / operating system in order to continue using Citibank Online and the Citi Mobile® app.

How can I tell which browser version I am using?

Depending on the type of browser you are using you can determine the version in your browser under:

  • About Internet Explorer
  • About Mozilla Firefox
  • About Google Chrome
  • About Safari

If you do not update your browser or operating systems, you will not be able to access Citibank Online or use Citi Mobile® app and will be presented with the following error page for example:

Minimum Browser / Operating System Requirement (Citibank Online)

  • Chrome 109.x / Win 10
  • Edge or Edge 109.x / Win 10
  • Firefox 102.x / Win 10
  • Safari 15.x / OS 10.14
  • Android 8.x
  • iOS 13.x

Minimum Operating System Requirement (Citi Mobile® app)

  • Apple iOS: iOS 13.x
  • Android: Android 8.x

If you suspect any breach of your account, transaction(s) that you did not initiate, or other irregularities concerning your account, notify Citi immediately by calling CitiPhone at 03-2383 0000. Alternatively, you can log in to Citibank Online and chat with our 24/7 e-chat agent.

You may also contact our dedicated Fraud Hotline at +603 2383 4883 should you observe any fraudulent transactions on your card.

While we investigate, our officers may ask you to provide more details surrounding the incident to allow us to resolve your case as quickly and as efficiently as possible.
Last modified: 20th March 2023