Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Citibank Phishing Baits Customers with Fake Suspension Alerts

Citibank Phishing Baits Customers with Fake Suspension Alerts

An ongoing large-scale phishing campaign is targeting customers of Citibank, requesting recipients to disclose sensitive personal details to lift alleged account holds.

The campaign uses emails that feature CitiBank logos, sender addresses that look genuine at first glance, and content that is free of typos.

The CitiBank customers targeted in these attacks are informed that their account has been put on hold due to a suspicious transaction or a login attempt from someone else.

Also Read: How Being Data Protection Trained Can Help With Job Retention

Because of this, the attackers claim they should take urgent action to verify their accounts to avoid permanent suspension.

Sample of the Citibank phishing email
Sample of the Citibank phishing email (Bitdefender)

If the embedded button is clicked, the victims are taken to a website that looks deceptively like a real Citibank portal, where they are requested to sign in to their online account.

Of course, any user ID and password pairs entered on this website go directly to the threat actors, who may then use the stolen credentials to compromise banking accounts and empty balances.

Fake website used for stealing credentials
Fake website used for stealing credentials (Bitdefender)

Bitdefender has been tracking this campaign and shared the associated report with BleepingComputer before publication, and reports the following statistical findings:

  • 81% of the phishing emails in this campaign target American users
  • 7% of the emails reached UK targets, and another 4% ended up in South Korean inboxes
  • 40% of these emails were sent from U.S. IP addresses, and 13% from Mexico

A parallel, less convincing effort

Apart from the tactic of creating urgency to cause the recipients to miss obvious signs of fraud and jump into action, phishing actors are also using lures promising enormous winnings.

Also Read: Top 25 Data Protection Statistics That You Must Be Informed

More specifically, Bitdefender has identified another large-volume phishing campaign whose distribution culminated between February 11 and 15, 2022, presenting the recipients with a chance to claim financial compensation from the United Nations.

The trick employed in this case is to recognize the recipient as a scam victim, one of the 150 who was deemed eligible for a compensation of $5,000,000 through Citibank.

Second campaign phishing email
Second campaign phishing email (Bitdefender)

In other cases, the threat actors are doubling the amount to $10,500,000 and attempt to include more details in the email to convince the victim of its validity.

A more outrageous iteration of the same email
A more outrageous iteration of the same email (Bitdefender)

However, in both cases, the fraud should be pretty obvious, as this is neither how compensations work nor at the level they would be awarded in reality.

For the category of people who believe in these emails, the scammers request them to fill out their full name, address, age, phone number, and a scanned copy of their national ID card.

In this campaign, the details stolen by the victims cannot be directly used for fraudulent transactions but can be instead sold to other criminals on cybercrime markets.

Don’t fall for it

Banks rarely ever inform users of important developments on their account via SMS or email, so whenever you receive a message making bold claims, call your bank and ask to speak to an agent.

Do not call phone numbers provided in the email but, instead, visit the bank’s official website and source it from the contact page details.

Finally, never click on buttons embedded in the email body and always double-check the URL you are on when preparing to enter login credentials.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us