Citibank Impersonation Scams
Scammers impersonate Citibank with fake SMS fraud alerts and spoofed customer service calls to steal one-time codes and login credentials. The real Citibank will never ask you to share a one-time passcode or move money to a 'safe account'.
Last reviewed: 1 June 2026
Citibank's international presence means its name is impersonated across many countries, often through text messages claiming a card has been locked or a large transaction requires confirmation. Because Citi sends genuine SMS alerts for some account activity, a fake version can look and feel very familiar.
The scam typically pushes victims to call a number in the text or click a link, where they are asked to 'verify' by reading out a one-time passcode — the exact code needed for the scammer to complete a takeover of the account or an unauthorized transaction elsewhere.
Citibank is the victim of this impersonation. Genuine Citi security processes never require you to disclose a one-time code to anyone, including someone claiming to represent the bank.
How scammers impersonate it
- Sending SMS messages styled as Citibank alerts about a locked card or suspicious transaction
- Including a phone number in the text that connects to a scammer posing as Citibank support
- Spoofing Citibank's real customer service number on caller ID
- Creating phishing pages that mimic Citibank's online or mobile banking login
- Asking victims to read out a one-time passcode to 'unlock' or 'verify' their account
What the real organisation never does
- Ask you to read out a one-time passcode or verification code over the phone
- Ask you to move money to a different account to protect it
- Include a customer service number inside an SMS fraud alert for you to call
- Ask for your full online banking password or card PIN
- Threaten to permanently close your account within minutes unless you act
Common red flags
- Text about a locked card or large transaction with a phone number or link to act on
- Any request to read out a one-time passcode
- Any instruction to move or transfer money
- A login link that does not go to the official Citibank domain
- Caller pressures you not to hang up and call back independently
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Text: 'Citibank Alert: Your card has been temporarily locked due to suspicious activity. Call [phone number] or verify at [fake link] to restore access.'
Call: 'This is Citibank security — we've detected an unauthorized login. Please read us the verification code we just sent to confirm it's really you.'
How to verify
- Hang up and call the number on the back of your card or on citibank.com
- Log in only through the official Citi Mobile app or by typing the address directly into your browser
- Never read a one-time passcode to anyone, including someone claiming to be from Citibank
- Check your account activity directly in the app rather than trusting an unsolicited text or call
What to do if you're targeted
- Do not click links, call the number in the text, or share any codes
- Contact Citibank directly through the number on your card or statement
- Report the scam to the FTC at reportfraud.ftc.gov and to your national fraud reporting service
Frequently asked questions
Citibank does send me real text alerts sometimes — how do I tell a fake one apart?
Genuine Citibank alerts do not ask you to read out a one-time passcode or call a number included in the text itself. If in doubt, ignore the text entirely and contact Citibank using the number on your card or the official app.
I read out a one-time code to a caller claiming to be Citibank — what should I do?
Contact Citibank immediately using the number on your card, change your online banking password, and review recent account activity for unauthorized transactions. Report the incident to the bank's fraud department right away.