ACH Fraud , Fraud Management & Cybercrime
New York AG Sues Citibank for Poor Phishing Protections
State Attorney Alleges Lack of Layered Security to Stop Fraudulent Wire TranfersThe New York attorney general sued the third-largest bank in the United States over its alleged failure to protect consumers from scammers and its refusal to make victims whole after online thieves have plundered their life savings.
Manhattan-based Citibank, state prosecutors charged in federal court, "has overpromised and underdelivered on security." In a complaint that could easily lead to millions in civil penalties and restitution, New York attorneys accuse Citi of sidestepping consumer protection law meant to incentivize banks into providing more robust security by limiting consumer losses caused by fraudulent wire transfers.
"If a bank cannot secure its customers' accounts, they are failing in their most basic duty," said Attorney General Letitia James.
In an emailed statement, Citi said that "banks are not required to make clients whole when those clients follow criminals' instructions and banks can see no indication the clients are being deceived." A spokesperson said the bank has nonetheless responded to a surge in wire transfer fraud "with leading security protocols, intuitive fraud prevention tools, clear insights about the latest scams, and driving client awareness and education." The bank reported revenue of $78.5 billion in 2023 and net income of $9.2 billion.
A cornerstone of the lawsuit is the Electronic Fund Transfer Act, a 1978 law that New York prosecutors say caps individual liability for unauthorized electronic wire transfers - including wire transfers initiated by scammers. Placing liability for unauthorized wire transfers onto banks is meant to incentivize financial institutions into establishing guardrails, they say.
Measures that prosecutors say banks should have in place include heightened verification procedures for wire transfers tied to unusual activity, such as an account password change.
State attorneys also fault Citi for not automatically deploying "its most robust security procedures" after spotting other red flags, such as a transfer from an account that had just been upgraded to send wires, or after activity, such as consolidating funds across multiple accounts before transferring money.
"When scammers use intra-bank transfers to empty accounts and consolidate funds into a single bank account that is then used to send to Citi a large fraudulent Payment Order, Citi's internal procedures does not flag this account activity as suspicious in any way," the complaint alleges.
When consumers do receive email or mobile phone text requests for verification, attempts to block a fraudulent wire transfer don't always work, the prosecutors allege. Consumers often see digital messages about large sums of money as a fraud attempt and rather than use the phone number in the alert, they call the main Citi customer service number or rush to a local branch.
"Citi itself encourages such precautions," the complaint says.
Attempts to head off scammers aren't always successful. According to the complaint, one victim lost $15,000 while on hold for 20 minutes after she became suspicious when a phone caller, putatively from Citi but actually a scammer, demanded the number of her new debit card. During the time she was waiting for the fraud department to pick up her call after a front-line customer care representative transferred it, the scammer stole her money.
The complaint also recounts the experience of a recently retired victim who clicked on an apparent phishing link but didn't provide any information to the website. Her local branch told her, "Don't worry about it, it happens all the time," according to the complaint. Three days later, scammers drained $40,000 from her account after changing her online password and enrolling the account in online wire transfer services.
In another case, a scammer obtained personal information from a victim identified as "Consumer B" by stating that Citi needed the information so the bank could credit her paycheck. Two days later, the bank called with an automated prompt asking her to confirm a $22,000 wire transfer - which she attempted to deny. While she was on hold, the scammer contacted Citi to approve the transfer. The bank rejected the first attempt since the scammer had used a phone number not associated with the account but it approved the second attempt, since the scammer had changed the supposed phone line to a matching number.
"Despite Consumer B having pressed the denial on the phone, the scammer's prior authentication failure, and the scammer contacting Citi from a phone number that was not associated with Consumer B - Citi accepted the fraudulent payment order," the complaint says.
State prosecutors say that victims who seek recourse from the bank are typically told to fill out an affidavit, which gives Citi cause to treat the claim under the Uniform Commercial Code rather than the Electronic Fund Transfer Act. Under the UCC, banks are not required to reimburse payments for unauthorized wire transfers so long as the transfers are subject to reasonable security procedures, prosecutors say.
But even there, Citi falls short, they charge. Citi should deploy a layered security approach, they say, that accounts for "usage patterns, the frequency of high-dollar transactions, and whether transactions or other recent online behaviors are anomalous."
The lawsuit asks Citi to provide a list of consumers who lost money in fraudulent wire transfers over the past six years, provide restitution and damages for those consumers and pay a civil penalty of $5,000 for each time a jury determines Citi violated a New York law prohibiting deceptive commercial acts of practices. Citi, prosecutors say, misled consumers about their rights and about its security procedures.