You may receive phishing emails that contain links or malicious attachments that could capture your details or harm your device. These emails seek to trick people into giving out personal details including account management details. They are designed to look legitimate and often contain a corporate logo.

How to protect yourself

It is important you report then disregard emails which:

• Request any customer information - including your password or account details. You should not reply to emails that request such information.
• Advise you to contact a phone number to verify your card or account details. Always call us on 13 24 84 or +61 2 8225 0615 if you’re calling from overseas.
• Instruct you to login or apply for a product via a link in an email.

Phishing is by far the most common scam technique used at the moment. It is the fraudulent practice of sending emails or SMS claiming to be from a reputable source or from us, in order to induce someone to reveal personal or financial information.

How does it work?

Phishing is designed to convince the person receiving the fraudulent email or SMS to click on a link or download an attachment, which is embedded with computer viruses. These viruses – also known as Malware – automatically download to your computer or phone and allow fraudsters to take control, log keystrokes and access personal files, which could then lead to identity theft.

Example

• Messages that convey a sense of urgency or demand immediate action. Example – “Download the attachment now and follow the steps or you will be penalised.”
• Offers or prizes that sound too good to be true. Example – “Click on the link now to claim this limited offer $250 gift voucher.”
• Impersonation of well-known organisations such as Government, Police, or even your own workplace.
• A reputable company or government department asking you to disclose your personal information, such as a credit card PIN and expiry date, Citi Online password or your OTP (One-Time PIN).
• Poor grammar or spelling mistakes.

Important - No reputable company or government department will ever ask you to disclose a password or PIN.

SIM porting fraud is the act in which a fraudster requests for your existing mobile number to be moved (or "ported") to another phone carrier without your consent or knowledge. SIM swapping fraud is the act in which a fraudster requests for a new SIM card to be issued for your existing mobile by approaching your mobile operator without your consent or knowledge.

A fraudster gaining access to your mobile phone by means of SIM porting or SIM swapping can lead to unauthorised access to your digital accounts by intercepting authorisation texts or overriding touch authentication.

Example

The fraudster obtains the victim's personal details via various techniques including mail theft, online compromises (e.g. malware, Trojans), phone and email phishing scams or through the illegal purchase of stolen personal data etc.

The fraudster approaches victim's mobile operator with the victim's identity and requests for issuance of a duplicate SIM card or requests for the mobile number to be ported.

The victim's mobile operator deactivates the original SIM card and issues a replacement SIM or ports the number to the new operator.

The fraudster is now able to carry out financial transactions without the victim's consent or knowledge by intercepting calls or texts, receiving one time passwords or PINs and overriding touch authentication on the swapped or ported SIM.

How to protect yourself

• If your mobile service stops working unexpectedly, check in with your mobile service provider immediately.
• Be vigilant of SMS text messages from your mobile service provider advising you of a swapping or porting request.
• Never disclose your Citi Online password, ATM PIN or telephone PIN to anyone. We will never ask you for these details via any of our communications to you.
• Beware of unsolicited calls, texts or emails asking for personal or financial information even if they appear to be from us or a reputable company.
• Do not open or forward emails that you suspect might be spam and never open any attachments or click into any links.
• Be careful of what personal details you share on social media platforms as fraudsters can use these to anticipate likely answers to security questions.
• Ensure you have up to date anti-virus protection software installed on your mobile devices.

Malware, or malicious software, is an intrusive program that fraudsters try to install on your computer or device. Malware, such as a virus or Trojan, can disrupt or slow down operation, gather personal and financial details, extract funds or perform other fraudulent activities under your name. Malware is usually sent as an attachment to emails claiming to be from a trusted source, or disguised as genuine software.

How to protect yourself

• Install security software, turn on automatic updates and scan your computer regularly.
• Keep your operating system updated.
• Avoid using shared computers or devices as they may have malware that could compromise the security of your online activity.
• Don’t share your screen with anyone you don’t know or for an unsolicited call.

During tax time scams can be on the rise, with scammers attempting to use the end of the financial year to access your personal or account details.

Example

• A scammer pertaining to be from the Australian Taxation Office (ATO) asking you to pay an outstanding tax debt with a warning that you will face legal consequences if you do not pay.
• A scammer contacting you to claim that you are entitled to a tax refund and asking you to provide bank details in order for you to be paid.

How to protect yourself

• Do not respond or click on any links or attachments if you receive an email or SMS claiming to be from the ATO.
• If you receive a phone call from someone pertaining to be from the ATO asking you to pay, hang up and call back using a publicly listed number.

Scammers may use social media to impersonate legitimate businesses or individuals to persuade you to provide your personal information.

Example of a scam via social media

An Instagram account impersonating us asking a customer to share their account details in exchange for cash.

We would never ask you to disclose your personal details online. The message also has spelling and grammatical errors which indicates it is not legitimate.

How to protect yourself

• Review your social media account security settings and avoid making sensitive information public that scammers could use to steal your identity.
• Do not click on any hyperlinks from untrusted sources.
• Beware of chain messages that ask you to forward it to more people before being eligible to claim a reward.
• Be cautious when using dating and romance applications, and never send money to anyone you have not verified or met in person.
• Do not agree to transfer money for someone you don’t know in exchange for a reward. This could be a money laundering scam which may be a criminal offence.