Citibank Loses Bid To Dismiss Lawsuit Alleging Failing To Protect Its Customers From Scams

In January of 2024, New York Attorney General Letitia James filed a lawsuit against Citibank accusing it of neglecting to protect its customers from email phishing and smishing (phishing done through text messages) scams where Citibank customers were lured into providing access to their accounts resulting in scammers being able to wire funds from the accounts to accounts controlled by the scammers.

In the lawsuit, Attorney General James describes a number of specific instances where Citibank’s security was alleged to be woefully inadequate. In one incident a Citibank customer lost $40,000 from her retirement savings account. The scam started with a text message that appeared to come from Citibank instructing her to click a link that took her to a phony Citibank website. After clicking on the infected link in the text message, her password was stolen by the scammer who then changed the password to her account to lock her out of the account, enrolled her account in online wire transfer services and had $40,000 wired to an account controlled by the scammer. The victim had never wired funds previously which should have been a red flag for the bank to inquire further, according to the lawsuit.

Attorney General James describes in the lawsuit a number of specific instances where Citibank’s security was alleged to be woefully inadequate. In one incident a Citibank customer lost $40,000 from her retirement savings account. The scam started with a text message that appeared to come from Citibank instructing her to click a link that took her to a phony Citibank website. After clicking on the infected link in the text message, her password was stolen by the scammer who then changed the password to her account to lock her out of the account, enrolled her account in online wire transfer services and had $40,000 wired to an account controlled by the scammer. The victim had never wired funds previously which should have been a red flag for the bank to inquire further, according to the lawsuit.

Attorney General James also alleges that when customers became aware that they were scammed and reported the scams to Citibank, it coerced their customers into signing affidavits that the bank used to deny any compensation. The lawsuit asserts that Citibank is responsible for reimbursing its customers under the Electronic Fund Transfer Act. Citibank filed a motion to dismiss the lawsuit claiming that the Electronic Fund Transfer Act expressly excludes wire transfers, however U.S. District Court Judge Pual Oetken denied the motion in a 62 page decision, ruling that the Congressional intent of the Electronic Fund Transfer Act was to protect consumers from technologies which they would not understand and would be susceptible to sophisticated frauds as a result and that banks were better positioned to shoulder the risk of those frauds. While the judge dismissed certain counts of the lawsuit, the lawsuit remains essentially intact.

HOW YOU CAN PROTECT YOURSELF FROM THESE SCAMS?

Phony text messages can be particularly problematic if you have signed up to receive text message alerts from your bank. Whenever you receive a text message you can never be sure who is really sending it to you, so you should never call a telephone number indicated in the text message, provide information or click on links in such text messages which may either download ransomware malware on to your phone or keystroke logging malware that can lead to your becoming a victim of identity theft.

Regardless of how official such a text message, phone call or email may appear, you should never provide personal information to anyone in response to a telephone call, email or text message because in none of those situations can you be sure that the person contacting you is legitimate. If you do receive a communication from a bank, government agency or any other person or entity that you think might have a legitimate need for personal information from you, you should call the real entity at a telephone number that you know is legitimate in order to ascertain the truth, but be careful that you do not misdial the telephone number of your bank as some scammers purchase phone numbers similar to those of legitimate banks and credit card companies hoping that they will receive calls from unwary consumers who may have merely misdialed the telephone number of their bank or credit card company.

Banks do not call, text or email their customers asking for personal information. You should always be skeptical of anyone asking for such information. Of course, if you receive a text message that appears to come from a bank at which you do not have an account, you can be confident it is a scam. If the text message provides for you to respond to stop future texts, don’t do it. Sending such a message to a scammer merely alerts them to the fact that yours is an active phone number.