Security Best Practices on CitiDirect®
At Citi, security for our clients is our utmost concern. As hackers and others, such as organized criminals, continue to try to get unauthorized access to funds, we would like to highlight some typologies and best practices for you to consider in helping to make sure your organization remains secure.
Types of fraud and cyber-attacks:
Business Email Compromise and Payment Redirection
In this scenario, a fraudster e-mails a company's finance team, impersonating a supplier, creditor, or an executive. The e-mail might appear to be from senior management, requesting a payment be made, or from a supplier, requesting that payments go to a new account. Fraudsters will use a hacked or look-alike email that closely matches a known address to ensure this type of fraud is difficult to detect.
How to help keep your business safe:
- Make sure your employees are aware of this type of fraud.
- Implement an internal two-step payments verification process that includes a non-e-mail check with the requester.
- Phone the requester using a verified phone number to follow up an e-mail request.
- DO NOT reply directly to the initial e-mail.
- DO NOT rely on emails as these can be intercepted.
- Be on guard for payment requests that are unexpected or irregular, whatever the amount involved. If in doubt, don't make the payment.
Phishing, Smishing, and Vishing
Fraudsters use the following techniques, commonly referred to as “Social Engineering”, to obtain information:
Phishing: Emails that lure potential victims to click on malicious links, or open malicious attachments which can serve as the delivery platform for malware such as a Ransomware attack.
Vishing (telephone scams): A form of fraud using social engineering to impersonate trusted officials over the phone or via text message. One example of vishing is criminals impersonating bank staff by phone and requesting the victim’s online banking login details and passcodes to address a fictional ‘security or fraud incident’. The details provided by the victim are used to execute fraudulent payments.
Smishing (SMS text scams): Text messages may claim that your bank suspects there has been fraudulent activity on your account, you may have won a prize or even have issues with the local authorities.
Best practices to help your organization stay safe from social engineering:
- Do not disclose personal information to anyone that you do not know or recognize.
- Try to stay calm; fraudsters intentionally create stressful, or time-sensitive, situations to pressure their victims into making a mistake.
- Never click on links in text messages or e-mails, or open or download attachments, unless you are sure they are safe.
- Be careful about the information you share on social media as this can provide fraudsters with useful information to manipulate you or your employees.
- If something does not feel right, terminate the call, and contact your Citi Representative. Do not use any telephone numbers provided by the suspicious caller.
Malware
Malware can be downloaded under various circumstances, such as when visiting a malicious or vulnerable website, viewing an email message or by clicking on a deceptive pop-up window. Malware is malicious software installed on your computer which has a harmful intent that can, among other things, capture your login passwords and other personal data. Examples of malware include software such as spyware, adware, and viruses. One way to help protect your organization from Malware is to exercise caution before installing programs on your computer or opening email attachments.
Here are some precautions that are important to take:
- Only install applications and software from well-known companies you trust.
- Make sure your computer is cleansed from viruses/spyware and has up-to-date anti-virus and anti-spyware software installed.
- Keep your operating system and browser up to date with the latest security updates and patches.
- Install anti-virus, anti-spyware and malware detection software — You will need to update the software regularly to guard against new risks so set the software to update automatically.
- Use a pop-up blocker — set your browser preferences to block pop-ups (aside from being annoying, these pop-ups can contain inappropriate content or have malicious intentions).
- Log out - Make sure users log out and close the browser window when finished using CitiDirect.
- Keep your PCs, servers, and associated hardware up to date, installing the latest security patches as they become available.
- Ensure devices (PCs, Desktops, Laptops, etc.) used to access CitiDirect are password protected.
Additionally, you should engage your organization’s IT department to assist with the PC best practices and perform related risk assessment along with controls evaluation periodically.
Please contact your Citi Representative immediately if you notice suspicious account activity or experience information security-related events.
CitiDirect® Best Practices
To help maintain a high level of security, please ensure that you regularly review your controls and follow the below best practices:
- Use anti-virus and other detection tools.
- Keep your systems up to date.
- Never share or write down the passcodes.
- When creating the passcodes, use random numbers and unique patterns that you can remember.
- Use mobile token & biometrics authentication if available.
- Enable multiple approval levels (CitiDirect® supports up to nine levels of approval).
- Segregate duties and increase approval levels for sensitive, high risk or high value transactions.
- Leverage the CitiDirect® payment template functionality to help ensure you are only paying known or pre-approved beneficiaries.
- Validate instructions for any counterparty updates.
- Implement robust controls around the beneficiary bank account details changes. Such attempts, if successful, would result in your money ending up in the wrong hands.
- Monitor and review exception items daily.
- Use the CitiDirect® mobile app to approve payments and monitor your intraday balances when travelling.
For assistance with implementing the above best practices, please utilize the Client Service Academy training or contact your Citi service representative.
Physical Token Users (SafeWord card or VASCO token)
Never share your physical token
Physical tokens should never be shared. Sharing a physical token increases the risk of fraud. Because you have agreed to keep your physical token secure, any transaction that utilizes that token will be attributable to you.
Keep your PIN secret
Similarly, it is very important to keep your PIN secret. Your PIN is your first line of defense against someone using your physical token to input or authorize a transaction in your name. Treat your PIN the same as you would your own Banking card PIN and do not store the PIN in a visible location such as the sleeve of the card. Never write down the PIN.
The PIN on your physical token can be changed and Citi recommends that users change PINs periodically.
Note: Please ensure that you remember the new PIN that you enter in Step 4 below as this PIN will be known only to you. If you forget your new PIN Citi cannot reset it; the physical token will be unusable and you will need to contact Citi to have a new token issued to you.
To change your SafeWord card PIN:
(Press [Clr]
at any time in the process to cancel)
- Press
[ON]
to turn your SafeWord card on. - At the
ENTR PIN
prompt, type your existing PIN. - At the
HOST?
prompt, press[Pin]
to indicate that you want to change your PIN. - At the
NEW PIN
prompt, type your new four-digit PIN on the keypad. After you type the fourth digit, your new PIN will be stored in the SafeWord card. - At the
AGAIN
prompt, retype your new PIN. - The SafeWord card will display
SUCCESS
to indicate that you have successfully changed your PIN.
To change your VASCO token PIN:
- Turn on your VASCO token by pressing
[F2]
for 2 seconds - At the
SELECT
prompt, press[8]
to change the PIN - At the
______ PIN
prompt, enter your existing six-digit PIN, then press[F2]
- At the
New PIN 1
prompt, enter you new six-digit PIN, then press[F2]
- At the
PIN CONF 2
prompt, retype your new PIN and press[F2]
- The VASCO token will display
NEW PIN CONF
to indicate the you have successfully changed your PIN. Press[F2]
IMPORTANT: Citi will not on an unsolicited basis request users to provide their electronic banking credentials such as PINs, passwords or any other such security information.
CitiDirect Mobile App Users
Keep your device secure
Make sure to keep your operating system and CitiDirect mobile app up-to-date. Ensure that your device is protected with a strong password/PIN/pattern and enable biometrics where available.
Biometric login
Where available, enable biometrics on the CitiDirect Mobile App. When you log in with biometrics to CitiDirect on your computer, you will see a code on the computer screen and on your device. Ensure these codes match before you authenticate.
User Management
Delete former employees' user accounts
Ensure that when employees leave or transfer to other roles their user accounts are deleted from the system and that their credentials are revoked. It is important that physical tokens are not reassigned to new users. Also note that users' access can be scheduled automatically to expire on a future date to ensure credentials are not used inappropriately.
Entitlement reviews
Perform regular user entitlement reviews on the system to ensure access is appropriate and current. Ensure the CitiDirect user has received their credentials prior to enabling* on the system. Users who are “out of office” for extended periods (e.g. vacations, extended leave, etc.) should be disabled* until they return to the office.
* Security Managers can enable or disable a user by checking or unchecking the “Enable” check box on the user's profile. Refer to the Security Manager Guide for more information.
This information and materials linked herein are provided for educational and illustrative purposes only and not as a solicitation by Citi for any particular product or service. Citi reminds you that Citi's clients are responsible for their organizations' cybersecurity and all matters relating thereto. This information and materials linked herein should not be viewed as any intention or commitment from Citi to replace your organization's cybersecurity-related responsibilities. Furthermore, although the information contained herein is believed to be reliable, the information does not constitute legal advice and Citi makes no representation or warranty as to the accuracy or completeness of any information contained herein or otherwise provided by it.