Protect Yourself Against Fraud

Identifying Fraud Early is Paramount

Fraud Detection & Early Warning

Citi's Fraud Early Warning systems review your accounts for fraudulent activity, free of charge. You can help protect yourself from fraud by familiarizing yourself with the many ways in which fraud can appear on your account, email, phone, or your computer.

As a Citi Commercial cardholder, you can be assured that we are constantly trying to improve ways to help safeguard and protect you and your account. Through monitoring of our customers' accounts using sophisticated technology, we often detect fraud or unauthorized use before you are even aware of it. If we notice suspicious activity on your card, we may contact you by phone, text or email* to confirm you have authorized that purchase.

*Note that we will never ask you to provide confidential information through text or email.

CitiManager® via Webpage and Mobile App – An Overview of Security Features

When you access CitiManager via the webpage or via the mobile app current security technologies are used to help keep your information safe:

256Bit SSL Encryption

When you access your accounts and perform activities on CitiManager, your information is protected by 256-bit SSL encryption. Encryption is technology that secures information transmitted over the internet by scrambling it so that it's unreadable without a secret key or password to "decrypt" it. It helps ensure that hackers or other third parties can't intercept data while it's en route.

Extended Validation (EV) SSL Certificate

The green address bar and padlock on the CitiManager webpage is a security feature supported by newer browsers that allows you to visually validate that the site you are transacting with has undergone an extensive outside security audit.

Additional Authentication

When you perform sensitive or high risk online transactions, or if our controls determine that your login attempt may be unauthorized, Citi will send you a one-time-use passcode to verify your identity.

Date/ and Time Stamp

Every time you sign-in to CitiManager, we display the date and time of your last visit and the device used to sign-in. If you didn't sign-in then, you'll know there has been unauthorized account access.

Session Timeouts

If you're signed in and not using CitiManager for several minutes, your session will "time out." To resume your activity, you'll need to log in again.

Automatic Notifications

Citi will automatically send an email or SMS confirmation for many activities conducted via CitiManager – especially if they are risky. As an important account monitoring tool, these notifications allow a timely response for customers who did not make a change, and provide peace of mind for those who did initiate the change themselves.

Fraud Protection

If Citi determines that your login credentials have been compromised, your online and mobile access may be automatically blocked, reducing the likelihood of an unauthorized person accessing your information. Citi then sends you a notification with a prompt to reset your password to safely regain access.

Accessing CitiManager from your mobile device

Citi uses a variety of features to protect your information while you are accessing the CitiManager App from your mobile device:

User ID and Passcode

You sign-in to the CitiManager Mobile® App with the same User ID and Password you use to access your accounts on the CitiManager webpage.

Biometrics – using your face or fingerprint instead of your User ID and Password.

User ID and Password

Account Information

The CitiManager Mobile® App doesn't store personal account information on mobile devices, so your accounts are not exposed if your phone is lost or stolen.

Additional Authentication

When you perform sensitive or high risk online transactions, or if our controls determine that your login attempt may be unauthorized, Citi may send you a one-time-use passcode to verify your identity.

Biometric Login

You have the flexibility to sign-in to your CitiManager Mobile® App using your fingerprint for fast, convenient access. Customers with devices that support facial recognition also have the option of signing in using this feature. Whichever method you choose – password, fingerprint, or facial recognition – your account information is still subject to the 256-bit encryption.

Fraud Protection

If Citi determines that your login credentials have been compromised, your online and mobile access may be automatically blocked, reducing the likelihood of an unauthorized person accessing your information. Citi then sends you a notification with a prompt to reset your password to safely regain access.

Recommendations to Keep Your Account Safe:

Make account check-ins a habit.

Nobody knows your accounts better than you. That's why monitoring your account activity is one of the best ways to help protect yourself against fraud.

If you notice anything unusual, you can raise a transaction dispute online in CitiManager by selecting the transaction and clicking “Dispute.” Additionally, you can also contact service using the number on the back of your card or this link:

Review your account information

Sign on at least once a week and review your account information. If you notice any changes to your account that you didn't make, contact us immediately. It's important to let us know when your email address or phone number has changed. You can view and update the information we have on file for you by signing into your account on CitiManager.

Look over your transactions

Review your card unbilled transactions regularly to make sure these only reflect transactions you have made. If you spot a problem, raise a dispute in CitiManager or contact us immediately.

Set up Account Alerts

Get alerts delivered to your mobile phone so you can stay updated on your account activity. Set up Account Alerts

Spoof Emails – What are they and how to spot them

Several signs can help you determine if an email is legitimate or a spoof. Learn how to recognize and protect yourself from fraudulent emails.

  • What is a spoof email?

    Spoof emails (also known as phishing or hoax emails) appear to be from well-known companies. To bait you, an email may say there's an urgent situation concerning your account, then ask you to click a link back to a spoof website to provide personal information.

    Even if you don't supply any information, just selecting the link may enable thieves to access your computer, record your keystrokes, and capture your passwords.

    Also, beware of spoof web forms that ask you to provide confidential information that a legitimate company would not ask the customer to enter for a particular transaction.

  • What is a spoof website?

    A spoof website is one that mimics a popular company's website to lure you into disclosing confidential information. To make spoof sites seem legitimate, thieves use the names, logos, graphics and even code of the real company's site.

    They can even fake the URL that appears in the address field at the top of your browser window and the padlock that appears in the lower right corner. The links in the spoof emails almost always take you to a spoof website.

  • What is a spoof web form?

    A spoofed web form is one that is injected by malware and rendered by your browser after you sign on to the company's site asking you to provide confidential information. These spoofed web forms seem legitimate since they use the same logos and graphics of the real company's site. Spoofed web forms can be recognized since they ask you to enter extra confidential data that the company's legitimate form won't ask the user to enter for that transaction.

  • How to spot a spoof

    Sense of urgency — Messages claim your account will be closed or temporarily suspended, and warn you'll be charged if you don't respond.

    Spelling errors — There may be obvious spelling or grammar errors, which help spoof emails avoid spam filters.

  • Citi's email security practices

    What we do

    Include your name and the last 6 digits of your Citi Commercial Card

    How to protect yourself

    Go directly there — The best way to get to any site is to type its address (URL) into your browser and then bookmark it.

    Do not provide your User ID, security word, PIN number, password or other personal identifying information in an email or on a website accessed by clicking on a link contained in an email.

    Set up a login cookie — Some sites like let your computer remember your User ID. This way, when you return to the site from an email to sign on, your User ID will be visible in the sign on box. A spoof, or fake, website will not be able to display your User ID. (Never use the Remember Me feature on a public or shared computer.)

  • Report a spoof

    If you suspect that you've received a fraudulent email message from us, please forward it to us at Please send it to us as an attachment. Don't forward it directly or change or retype the subject line, as this makes it more difficult to properly investigate. After forwarding the email, you should delete it from your inbox.

    Contact us immediately using the number on the back of your card or by using a number at the following link: if you have responded to an email with personal information and believe it to be fraudulent.

Smishing – What is it?

Before you respond to any text message, learn how to distinguish a genuine text from a "SMiShing" message that may have been sent by a scam artist.

  • What is SMiShing?

    Named for SMS (Short Message Service), the technology used for cell phone text messaging, SMiShing messages appear to be from a legitimate company and typically contain a link that takes you to a spoof website or asks you to call a phone number. Even if you don't enter any information, selecting the link can lead to other problems, such as installing key logging software or dangerous viruses on your phone.

    Key logging: This is another method used to capture your personal information. Here's how it works. You click on a link to a website or open an attachment that secretly installs software on your computer. Once installed, it records everything you type, including any User IDs, Passwords and account or personal information. Thieves know how to retrieve this information, or even set it up to automatically have it sent back to them! This is a very real risk when using public or shared computers such as those in internet cafés.

    You should also watch out for SMS (plain text) and MMS (multimedia) message headers that start with the number 19. If you respond to them, you'll be charged a premium rate that can leave you saddled with a huge cell phone bill. Some mobile service providers in conjunction with anti-virus companies offer phone based anti-virus software designed to protect your phone.

  • How to spot SMiShing

    Requests to renew your bank service — The message may say your banking web service has expired, and to renew it you need to select an enclosed link and visit your bank's website where you can update your account information.

    Impending charge notices — The text usually states something to the effect that you will be charged a certain amount per day if you don't call to cancel.

  • How to protect yourself from SMiShing

    Avoid selecting links in unsolicited text messages — Instead, go directly to the company's website and fill out information there.

    Don't respond to unknown numbers — If you miss a call on your mobile device or receive a text message from an unknown number, it's safer to ignore the call or delete the message. If you're suspicious about a Citi phone number received via text message, you can always call the number on the back of your card instead.

    Set up blocking features — Check with your wireless phone company to see if they offer the option to block certain types of text messages.

    Get on the Do Not Call List — Register your wireless number with your relevant national Do Not Call List.

    Install software with discretion — Only install software from reputable companies or from providers you trust.

  • Report SMiShing

    If you suspect that you've received a fraudulent text message, please forward it to us. After forwarding the text message, you should delete it from your device.

  • Forward suspicious texts to:

Vishing – What is it?

  • What is Vishing?

    If you use Voice over Internet Protocol (VoIP)—such as Vonage® or Skype—be on guard for calls that play a recording claiming your credit card or bank account has had unusual activity, and give you a phone number to call. This is called Vishing and is a type of Internet phone scam. When contacting Citi always use a trusted number, like the one on the back of your card. But remember, this threat is not dependent upon using VoIP. Any phone service can be used for this.

Visit to get additional security tips

Social Engineering – What is it?

Social Engineering is when fraudsters contact you impersonating someone else with the intention of obtaining your personal and/or card information. The fraudsters seek to gather your security details, card or payment details or verification codes in order to complete fraudulent transactions.

Fraudsters may even impersonate Citi, law enforcement or other institutions, often acting with a sense of urgency to create panic and catch you off guard.

Please note that Citi Commercial Cards will only send you a One-Time Passcode (OTP) to:

  • Support your log-in to CitiManager®.
  • Authenticate the online purchase you are attempting.
  • Verify if you have called our Customer Service Centre.
  • Authenticate high-risk activities in CitiManager such as; credit balance refund, contact information update, card replacement, downloading statements older than 3 months and viewing your card PIN.

Citi will never send you an OTP unexpectedly and then contact you to ask you to read it back to us for authentication. OTPs are only used by Citi when you have initiated one of the actions mentioned above.

What you can do to protect yourself against Social Engineering:

  • Always independently verify emails and telephone numbers before engaging in any dialogue, and never click on any links or open attachments contained within unsolicited emails.
  • Citi will never contact you, requesting that you disclose your OTP. Always treat any requests with suspicion.
  • Ensure your devices have up to date operating systems and anti-virus software.
  • Never give your card PIN to anyone. It should only be known by you and you should only use it when you are initiating a transaction.

If you believe that you may have disclosed your personal or card details to a fraudster, please contact us immediately using the number on the back of your card.