Customer Security

At Citi, safeguarding our clients is a priority. As cybercriminals and organized fraud networks continue to evolve their tactics, protecting your organization requires constant vigilance. This page outlines the most common types of fraud and cyberattacks, along with best practices and actionable steps for you to consider to help your organization stay secure.
1. Types of Fraud and Cyberattacks

Business Email Compromise and Payment Redirection

Fraudsters may impersonate known individuals or business contacts to request urgent or irregular payments to fraudulent accounts. These emails may appear legitimate, sent from compromised mailboxes or from look-alike domains that closely resemble genuine company addresses.

How to help protect your organization:

  • Raise employee awareness through regular fraud-prevention training and simulated phishing exercises

  • Implement a multi-step verification process for payment requests, including at least one verification method outside of email

  • Confirm all requests using a verified phone number from official records, rather than contact information shared via a potential phishing email

  • Do not reply directly to the initial message or rely solely on email communication

  • Question any unusual, urgent, or high-value payment requests, regardless of the requestor’s seniority


Phishing, Smishing, Vishing, and Deepfakes

These techniques, commonly known as “social engineering”, seek to manipulate people into revealing confidential information or performing unauthorized actions.

Phishing (Email Scams)

Phishing involves fraudulent emails that appear to come from legitimate organizations, vendors, or even internal colleagues.

The emails often:

  • Contain links that lead to counterfeit login pages or malware downloads

  • Include urgent or alarming messages (e.g., “Your account has been suspended” or “Immediate payment required”)

  • Use sender addresses that mimic legitimate domains (e.g., citidirect-support@c1ti.com)

How to help identify phishing attempts:

  • Hover over hyperlinks before clicking to verify the actual URL

  • Look for subtle spelling or grammatical inconsistencies in the sender’s email address or message

  • Be wary of unexpected requests to update credentials, reset passwords, or confirm account details via email
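
As an added worked example (not part of the original page), the two checks above can be automated for a triage queue: compare the sender's domain against an allowlist of expected domains, folding the characters that look-alike domains substitute (digits for letters, Cyrillic for Latin), and flag links whose visible text names one domain while the href actually points to another. The allowlist, the sample sender and the sample message body are constructed for this example; the sender address reuses the look-alike from the bullet above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist (assumption): domains your organization legitimately
# receives mail and links from. In practice this comes from vendor records
# and your mail gateway configuration.
TRUSTED_DOMAINS = {"citi.com", "citidirect.com", "example-vendor.com"}

# Characters fraudsters substitute for Latin letters in look-alike domains:
# digits that resemble letters, and Cyrillic letters that render identically.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0456": "i", "\u0443": "y",
})


def registrable(domain: str) -> str:
    """Crude registrable part: mail.citi.com -> citi.com (a public-suffix list is better)."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()


def normalize(domain: str) -> str:
    """Fold confusable characters so a look-alike compares equal to what it imitates."""
    folded = domain.lower().translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one dropped, added or swapped character counts as one edit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS):
    """Return ('trusted', d), ('lookalike', imitated_domain) or ('unknown', None)."""
    reg = registrable(domain)
    if reg in trusted:
        return "trusted", reg
    for t in trusted:
        if levenshtein(normalize(reg), normalize(t)) <= 1:
            return "lookalike", t
    return "unknown", None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_mismatches(html: str) -> list:
    """Links whose visible text shows one domain while the href goes somewhere else."""
    parser = LinkExtractor()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        actual = (urlparse(href).hostname or "").lower()
        shown = re.search(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
        if shown and registrable(shown.group(1)) != registrable(actual):
            found.append({"shown": shown.group(1).lower(), "actual": actual, "href": href})
    return found


def triage_email(sender: str, html_body: str) -> list:
    """Human-readable findings for the sender-domain and link checks described above."""
    sender_domain = sender.rsplit("@", 1)[-1]
    verdict, imitated = classify_domain(sender_domain)
    findings = []
    if verdict == "lookalike":
        findings.append(f"sender domain {sender_domain} imitates {imitated}")
    elif verdict == "unknown":
        findings.append(f"sender domain {sender_domain} is not a known contact")
    for m in link_mismatches(html_body):
        findings.append(f"link text shows {m['shown']} but points to {m['actual']}")
    return findings


# Constructed sample (assumption): the look-alike sender from the bullet above plus a
# link whose visible text names the genuine site while the href goes elsewhere.
SAMPLE_SENDER = "citidirect-support@c1ti.com"
SAMPLE_BODY = (
    "<p>Your account has been suspended. Log in at "
    '<a href="https://citidirect-login.example.net/verify">https://www.citidirect.com/login</a> '
    "within 24 hours.</p>"
)

if __name__ == "__main__":
    for line in triage_email(SAMPLE_SENDER, SAMPLE_BODY):
        print("-", line)
```

A link whose visible text is just "Click here" produces no finding from this check, because there is nothing to compare; that is exactly the case where hovering to read the real URL matters. The edit-distance threshold of one catches single-character swaps such as the digit 1 for the letter i; a real gateway would also use a public-suffix list instead of the two-label shortcut above.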

If you suspect a phishing email:

  • Do not click on any links or open attachments

  • Report the email to your IT department and delete it from your inbox

  • Notify your Citi representative or organization’s Security Manager if you believe your account credentials may have been compromised

Vishing (Voice Phishing/Telephone Scams)

Vishing occurs when fraudsters impersonate legitimate institutions or Citi staff members over the phone. Their goal is to extract confidential information such as login credentials, security passcodes, or transaction approval codes.

Typical vishing scenarios:

  • The caller claims to be your bank’s Fraud Department and urgently requests verification details

  • You receive a call about “suspicious transactions” and are asked to disclose token-generated passcodes

  • The caller pressures you to act quickly or to avoid telling anyone about the request “for security reasons”

How to help protect yourself:

  • Never share your CitiDirect credentials or one-time passwords (OTPs) over the phone

  • Always end the call and re-dial using verified Citi contact numbers from official channels

  • Train staff to recognize emotional manipulation tactics (urgency, authority, fear)

  • Report any suspicious phone activity to your Citi representative or organization’s Security Manager

Smishing (SMS Text Scams)

Smishing involves fraudulent text messages designed to prompt quick action, typically by clicking on malicious links or providing sensitive data.

Examples of smishing messages:

  • “Your CitiDirect account has been locked. Click here to verify your information.”

  • “Payment alert: $10,000 payment initiated. Cancel now: [malicious link]”

  • “You’ve won a reward! Confirm your banking details to claim.”

Prevention tips:

  • Do not click on links or reply to messages from unknown numbers

  • Be cautious even if the text appears to come from a familiar organization, as the sender name or number shown on your phone can be spoofed

  • Never provide account details, passwords, or OTPs via text

  • Report suspicious messages to your IT team or through your mobile carrier’s spam reporting service


Deepfakes

Deepfakes represent a new and rapidly evolving form of fraud, using artificial intelligence (AI) to realistically replicate the appearance, voice, or communication style of trusted individuals.

Fraudsters may use deepfakes to:

  • Impersonate executives, requesting urgent payments

  • Conduct video calls appearing to show a trusted colleague, pressuring for sensitive data

  • Send pre-recorded voice messages that mimic known staff members

How to help identify a potential deepfake:

  • Unnatural speech patterns, blinking, or facial movements that appear out of sync with the voice

  • A tone, phrasing, or level of urgency that feels inconsistent with how the person normally communicates

  • Backgrounds or lighting that look distorted or artificial, or that change subtly during the interaction

How to help protect your organization:

  • Always verify unusual requests through a secondary channel (e.g., direct phone call, internal chat, or in-person confirmation)

  • Establish clear protocols for verifying requests received via video or voice communications, as deepfakes can be difficult to identify

  • Use approved meeting platforms and require secure login for internal video conferences

  • Encourage staff to treat urgent financial instructions with skepticism, even if the request appears to come from senior leadership

  • Educate employees on emerging threats, such as AI voice cloning (i.e., using AI to generate a copy of a person’s voice)

If a deepfake or impersonation attempt is suspected:

  • Stop the transaction immediately

  • Notify your internal security or compliance team

  • Contact your Citi representative or organization’s Security Manager to report the incident


Malware

Malware, short for malicious software, refers to any program or file intentionally designed to harm a computer, network, or user. It can steal data, damage systems, or gain unauthorized access to accounts.

Ways malware can be introduced:

  • Opening infected email attachments or clicking links in phishing messages

  • Downloading software, plug-ins, or mobile apps from unverified sources

  • Visiting compromised or spoofed websites that can silently install code on your device without your knowledge or consent

How to help protect your devices and network:

  • Install applications only from reputable, trusted sources

  • Regularly scan your computer for viruses and spyware using up-to-date security software

  • Keep your operating system, browser, and software fully updated

  • Use pop-up blockers and do not click unknown links

  • Ensure all PCs, laptops, and hardware are updated with the latest security patches

  • Engage your organization’s IT team to conduct periodic risk assessments and control evaluations

If you suspect any malware activity:

  • Immediately disconnect the affected device from the network

  • Notify your organization’s IT or security department immediately

  • Contact your Citi representative or organization’s Security Manager to report the event


2. CitiDirect Security

To help maintain a high level of protection, it’s important to regularly review your system controls and user access.

General best practices:

  • Never share or record your CitiDirect passwords

  • Create strong passwords using random combinations of both numbers and letters

  • Use Mobile Token and biometric authentication whenever possible

  • Enable multiple approval levels (CitiDirect supports up to nine)

  • Segregate duties and apply additional approvals (e.g., maker/checker) for high-value and high-risk transactions

  • Use payment templates to ensure payments are made only to verified or pre-approved beneficiaries

  • Validate any counterparty or beneficiary updates through a secondary channel

  • Review exception items daily and monitor for irregular activity

  • Use the CitiDirect mobile app to securely approve payments and monitor balances on the go

For guidance on implementing these controls, log in to CitiDirect and visit the Support Center or contact your organization’s Security Manager.
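
As an added illustration (not Citi's code, and not a description of how CitiDirect implements these features), the following shows how the controls listed above fit together as approval logic: beneficiaries are payable only once they are on a template list that requires secondary-channel validation, the maker can never act as checker, no single person can supply two approvals, and the number of approvals scales with the amount. The approval tiers, user names, account identifiers and amounts are constructed for this example; the banding is an assumed policy, not a CitiDirect default.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed approval matrix (assumption): approvers needed per amount band.
# CitiDirect supports up to nine approval levels; how many you require per band
# is your organization's policy decision.
APPROVAL_TIERS = [(10_000, 1), (100_000, 2), (float("inf"), 3)]


@dataclass(frozen=True)
class Beneficiary:
    name: str
    account: str
    # True only once the account details were confirmed through a channel other
    # than the email that delivered them (e.g. a call to the number on file).
    verified_out_of_band: bool


@dataclass
class Payment:
    maker: str                 # user who entered the payment
    beneficiary_account: str
    amount: float
    approvers: list[str] = field(default_factory=list)


def approvals_required(amount: float) -> int:
    """Number of distinct checkers a payment of this size needs."""
    for ceiling, needed in APPROVAL_TIERS:
        if amount < ceiling:
            return needed
    return APPROVAL_TIERS[-1][1]


class PaymentControl:
    """Pre-approved beneficiary templates, maker/checker separation, tiered approvals."""

    def __init__(self) -> None:
        self.templates: dict[str, Beneficiary] = {}

    def add_template(self, b: Beneficiary) -> None:
        # A beneficiary joins the template list only after secondary-channel validation.
        if not b.verified_out_of_band:
            raise ValueError(f"{b.name}: details not validated through a secondary channel")
        self.templates[b.account] = b

    def approve(self, p: Payment, approver: str) -> None:
        # Segregation of duties: the maker never checks their own payment,
        # and one person cannot supply two of the required approvals.
        if approver == p.maker:
            raise PermissionError("maker cannot approve their own payment")
        if approver in p.approvers:
            raise PermissionError(f"{approver} already approved this payment")
        p.approvers.append(approver)

    def release_blockers(self, p: Payment) -> list[str]:
        """Reasons the payment must not be released; an empty list means it may go."""
        reasons = []
        if p.beneficiary_account not in self.templates:
            reasons.append("beneficiary is not a pre-approved template")
        needed = approvals_required(p.amount)
        if len(p.approvers) < needed:
            reasons.append(f"{needed} approvals required, {len(p.approvers)} given")
        return reasons


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: a BEC-style redirection next to a routine payment."""
    ctl = PaymentControl()
    ctl.add_template(Beneficiary("Acme Supplies", "GB00ACME0001", verified_out_of_band=True))
    # "Urgent" request from a spoofed executive email: same amount, never-validated account.
    urgent = Payment(maker="alice", beneficiary_account="GB99NEWACCT9", amount=48_500)
    ctl.approve(urgent, "bob")
    # Routine supplier payment with the two checkers its amount band requires.
    routine = Payment(maker="alice", beneficiary_account="GB00ACME0001", amount=48_500)
    ctl.approve(routine, "bob")
    ctl.approve(routine, "carol")
    return ctl.release_blockers(urgent), ctl.release_blockers(routine)


if __name__ == "__main__":
    blocked, ok = demo()
    print("urgent request blocked because:", blocked)
    print("routine payment blockers:", ok)
```

The point of the design is that a convincing email never gets a payment out on its own: the beneficiary must already exist as a validated template, and even then a second person in a different role has to agree before the amount band's threshold is met.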

For CitiDirect mobile app users:

  • Keep your device software, operating system, and CitiDirect mobile app up to date

  • Protect your device with a strong password, PIN, or biometric login

  • When using biometric login for desktop, verify that the codes displayed on your mobile device and CitiDirect computer screen match before proceeding with authentication

For user management:

  • Promptly delete user accounts for employees who leave or transfer roles

  • Revoke or reassign physical tokens as needed

  • Use CitiDirect’s scheduling features to automatically expire user credentials on specific dates

  • Ensure former users’ credentials are fully removed to prevent unauthorized access

For entitlement reviews:

  • Conduct regular entitlement reviews to verify that system access is appropriate and up to date

  • Disable access for users on extended leave until their return

  • Security Managers can enable or disable users via the Enable checkbox located in their user profile settings

  • For more guidance, review the Security management section on this website or log in to CitiDirect and visit the Support Center to find dedicated content for Security Managers


These materials are provided for educational and illustrative purposes only and not as a solicitation by Citi for any particular product or service. Citi reminds you that Citi's clients are responsible for their organizations’ cybersecurity and all matters relating thereto, and these materials and information contained herein should not be viewed as any intention or commitment from Citi to replace your organization's cybersecurity-related responsibilities. Furthermore, although the information contained herein is believed to be reliable, the following does not constitute legal advice and Citi makes no representation or warranty as to the accuracy or completeness of any information contained herein or otherwise provided by it.