Protect Yourself from Fraud

It's when someone obtains essential information about you—such as your social security number, date of birth, and mother's maiden name—and uses it to open a credit card, bank accounts, loans and even mortgages in your name.

Make your User ID and Password as secure as possible

A good password is paramount to your security. Avoid using a password or a variation of a password that you already use on another website. Also, avoid using any variation of your name, or names of family members or pets, as these can sometimes be found on social media. Focus on length and complexity. Adding a "1" or a "!exclamation mark" to the end, or substituting "$" for "S" are combinations that are easily hacked — increase complexity to better protect yourself.

Don't send sensitive information via email

Never e—mail your password, account number, social security number or other sensitive information to anyone.

Never leave your computer unattended

Complete your banking tasks and end your web sessions by always signing off.

Be careful how much personal information you post online

When visiting social networks, remember that sharing information like your birth date, phone number, email address, location and photos can put your identity at risk.

Never write down PINspins and passwords

Memorize them instead. Writing your PIN on your debit card enables anyone in possession of it to access your account — do not write it down anywhere, especially not on your card. For your security, you should change your ATM PIN periodically.

Identity thieves can strike even if you've been very careful with your personal information. Some hints of identity theft may include:

•  Failing to receive bills or other mail.

•  Receiving cards or billing statements on accounts for which you did not apply.

•  Receiving calls from debt collectors or companies about merchandise or services you didn't buy.

•  Noticing a sudden drop in your FICO score.

If you think you may be a victim, you can obtain a copy of your credit report from each of the three major credit reporting agencies (Experian: 1-888-397-37421 8 8 8 3 9 7 3 7 4 2; TransUnion: 1-800-916-88001 800 9 1 6 8 8 0 0; Equifax: 1-800-685-11111 800 6 8 5 1 1 1 1). If it's accurate and includes only those activities you've authorized, chances are no one has attempted to open accounts in your name. You will not be liable for transactions made with Citi consumer credit or debit cards relating to accounts opened in your name without your authorization.

Credit Monitoring

Credit monitoring services track activity on your credit reports at one, two, or all three of the major credit reporting agencies. If you identify activity that might result from identity theft or a mistake, you can take steps to resolve the problem before it grows.

Fraud Alert

A fraud alert puts a red flag on your credit report which requires businesses to take additional steps, such as contacting you by phone, before opening a new account.

Security Freeze (also known as Credit Freeze)

A security, or credit, freeze allows you to restrict access to your credit report, making it difficult for others to open accounts using your identity. Fees vary based on where you live but commonly range from $5dollars -to $15dollars per bureau. The cost to lift a freeze varies by state.

More information about identity theft can be found on the FTC Website.

If your identity is ever stolen, use the free services offered by our Citi^® Identity Theft Solutions specialists to help reestablish your credit.

Spoof emails (also known as phishing or hoax emails) appear to be from well-known companies. To bait you, an email may say there's an urgent situation concerning your account, then ask you to click a link back to a spoof website to provide personal information.

Even if you don't supply any information, just selecting the link may enable thieves to access your computer, record your keystrokes, and capture your passwords.

Also, beware of spoof web forms that ask you to provide confidential information that a legitimate company would not ask the customer to enter for a particular transaction.

A spoof website is one that mimics a popular company's website to lure you into disclosing confidential information. To make spoof sites seem legitimate, thieves use the names, logos, graphics and even code of the real company's site.

They can even fake the URL that appears in the address field at the top of your browser window and the padlock that appears in the lower right corner. The links in the spoof emails almost always take you to a spoof website.

A spoofed web form is one that is injected by malware and rendered by your browser after you sign on to the company's site asking you to provide confidential information. These spoofed web forms seems legitimate since they use the same logos and graphics of the real company's site. Spoofed web forms can be recognized since they ask you to enter extra confidential data that the company's legitimate form won't ask the user to enter for that transaction.

Sense of urgency — Messages claim your account will be closed or temporarily suspended, and warn you'll be charged if you don't respond.

Spelling errors — There may be obvious spelling errors, which help spoof emails avoid spam filters.

Below is a sampling of fraudulent emails that have been reported to Citi:

Your Citibank Account is Under Review

×

CITI BANK New York

×

Alert: Deactivation On Your Citi Bank Account In Process

×

Suspicious Account Activity Reference cYy3MOp 207.188.72.146

×

What we do

Include either the last 4 digits on your ATM/Debit or Credit Card or the last 4 digits of your specified bank account number:

Send you emails with links to features such as online tours and information or promotions about Citi products. These links are only for convenience and you can always type in our URL directly.

Go directly there — The best way to get to any site is to type its address (URL) into your browser and then bookmark it.

Do not provide your User ID, security word, PIN number, password or other personal identifying information in an email.

Set up a login cookie — Some sites like Citibank.com let your computer remember your User ID. This way, when you return to the site from an email to sign on, your User ID will be visible in the sign on box. A spoof, or fake, website will not be able to display your User ID. (Never use the Remember Me feature on a public or shared computer.)

If you suspect that you've received a fraudulent email message, please forward it to us. Don't change or retype the subject line, as this makes it more difficult to properly investigate. After forwarding the email, you should delete it from your inbox.

•  Forward suspicious emails to: spoof@citi.com

•  You may also want to forward it to the Federal Trade Commission at: spam@uce.govspam@U C E.gov

•  Or contact them at: www.consumer.gov/idtheftwww.consumer.gov/id theft, 1-877-IDTHEFT1 8 7 7 id theft

Email us immediately at spoof@citi.com if you have responded to an email with personal information and believe it to be fraudulent.

Named for SMS (Short Message Service), the technology used for cell phone text messaging, SMiShing messages appear to be from a legitimate company and typically contain a link that takes you to a spoof website or asks you to call a phone number. Even if you don't enter any information, selecting the link can lead to other problems, such as installing key logging software or dangerous viruses on your phone.

Key logging: This is another method used to capture your personal information. Here's how it works. You click on a link to a website or open an attachment that secretly installs software on your computer. Once installed, it records everything you type, including any User IDs, Passwords and account or personal information. Thieves know how to retrieve this information, or even set it up to automatically have it sent back to them! This is a very real risk when using public or shared computers such as those in internet cafés.

You should also watch out for SMS (plain text) and MMS (multimedia) message headers that start with the number 19. If you respond to them, you'll be charged a premium rate that can leave you saddled with a huge cell phone bill. Some mobile service providers in conjunction with anti-virus companies offer phone based anti-virus software designed to protect your phone.

Requests to renew your bank service — The message may say your banking web service has expired, and to renew it you need to select an enclosed link and visit your bank's website where you can update your account information.

Impending charge notices — The text usually states something to the effect that you will be charged a certain amount per day if you don't call to cancel.

Avoid selecting links in unsolicited text messages — Instead, go directly to the company's website and fill out information there.

Don't respond to unknown numbers — If you miss a call on your mobile device or receive a text message from an unknown number, it's safer to ignore the call or delete the message. If you're suspicious about a banking phone number received via text message, you can always call the toll-free number on the back of your credit or debit card instead.

Set up blocking features — Check with your wireless phone company to see if they offer the option to block certain types of text messages.

Get on the Do Not Call List — Register your wireless number with the national Do Not Call List. Either sign up online at www.donotcall.gov or call 1-888-382-12221 8 8 8 3 8 2 1 2 2 2.

Install software with discretion — Only install software from reputable companies or from providers you trust.

If you suspect that you've received a fraudulent text message, please forward it to us. After forwarding the text message, you should delete it from your device.

•  Forward suspicious texts to: spoof@citi.com

•  You may also want to forward it to the Federal Trade Commission at: spam@uce.govspam@U C E.gov

•  Or contact them at: www.consumer.gov/idtheftwww.consumer.gov/id theft, 1-877-IDTHEFT1 8 7 7 id theft

Email us immediately at spoof@citi.com if you have responded to an email with personal information and believe it to be fraudulent.

If you use Voice over Internet Protocol (VoIP)—such as Vonage^® or Skype™—be on guard for calls that play a recording claiming your credit card or bank account has had unusual activity, and give you a phone number to call. This is called Vishing and is a type of Internet phone scam. When contacting Citi always use a trusted number, like the one on the back of your card. But remember, this threat is not dependent upon using VoIP. Any phone service can be used for this.

A financial scam usually occurs when you are selling merchandise or chatting online. However, other variations of the scam include:

•  Receiving overpayment for an item you placed for sale on the Internet

•  Receiving notice that you have won a foreign lottery or sweepstakes

•  Promise of receiving a percentage of money for transferring funds to your own bank account for safekeeping, usually from outside the USA

•  Notice of receiving an inheritance from a recently deceased, distant relative, and you did not know this person or of his/her death

•  Receiving unsolicited emails, faxes or letters requesting an immediate response

•  Being asked to cash a check/money order or to allow transfer of funds to your account, and then offered to keep a percentage of the funds

Regardless of how this is presented to you, all scams involve you being contacted by individuals who state that they will forward a check to you. After the check is deposited, you may be contacted and possibly told an elaborate story, which leads to a request that you wire transfer back all or some of the money. After you withdraw or wire the money from your account, the item you deposited is returned to the bank because it is counterfeit. At that point, the full amount of the check will be deducted from your account.

Additional financial scams can occur when you are on your computer or someone calls you directly. Here are some variations:

•  You click on a pop-up message that says your computer has a virus and you need to pay to fix it and they request your card number for payment

•  You receive a phone call and you are told that you owe back taxes and can pay them by purchasing gift cards from online merchants and you must send the gift cards to them

•  You receive a phone call and you are told a relative has been put in jail and you can get them out by sending them gift cards or bit coins

To avoid becoming a victim of fraud, stop and ask yourself: Why would someone send me money to which I am not entitled? Why would I wire funds to someone I met over the Internet?

As always, you are responsible for any transactions you initiate, including with your debit or credit card, or deposits into your account. Only you can determine if the transactions and/or merchants are truly reasonable and legitimate. Please be careful of any arrangements for funds to be sent to you, especially when you do not really know the other party. If a check or money order is counterfeit or is returned unpaid for any reason, you are fully responsible for any loss that may be incurred. In most cases, the bank can subsequently charge your account(s) to recover the funds. If there are insufficient funds, you are responsible for covering the repayment to the bank. This may result in collection or litigation activities. Please refer to the Citibank Client Manual for more information.

Federal law requires banks to make deposited funds available to you, usually within 1 to 5 business days. The fact you can withdraw cash from your account shortly after depositing a check or money order does not necessarily mean the item you deposited will be paid by the maker's bank. Counterfeit checks and money orders can sometimes take weeks to be discovered and returned to your bank unpaid.

Citi continuously monitors your account for suspicious activity, but cannot always determine if a personal check, a cashier's check or money order, including the maker's endorsement, is valid or counterfeit. Today's technology helps the fraudster produce counterfeit items that look legitimate. That is why you need to 'know' who is giving you the items and that the transaction is reasonable.