Zit Seng's Blog

A Singaporean's technology and lifestyle blog

Erroneous Emails From Citibank

I read an article on Yahoo Finance yesterday about how Standard Chartered was making a robbery victim responsible for fraudulent charges. Whatever their legal rights were, it seems very morally wrong of what the bank did. I suspect it may simply be a case of the bank mishandling the incident, poor customer management, and terrible communication processes.

I thought about the couple of banks that I have accounts with. Citibank stood out as one that for the most part I’ve been quite pleased with. Their call centre was, shall we say, a model example for all banks in Singapore to follow. Fifteen years ago, there’s never any difficulty speaking with a human and they don’t redirect you around.

Things seem to have deteriorated over the years. They were still good, just not as good as before. Nowadays, however, I’m beginning to wonder if their customer service should even be considered good or not.

Two weekends ago, I received an email purportedly from Citibank concerning the cancellation of my inbound fund transfer setup. Yeah, phishing email was the first thought that came to my mind. But as I was going through other email, I thought this email from Citibank was unusual. There were no links to click, and it does not ask me to do anything. It’s also a simple plaintext email with no attachments, not even graphics. Isn’t it rather unusual for a phishing email to, apparently, not do anything?

I looked at the email headers. I know how to read them. Ah huh, I thought, I spotted a suspicious line about who delivered the email to Google (my email is hosted on Google Apps). The server was mx0a-00123c01.pphosted.com. That doesn’t sound anything at all like Citibank. But wait, Google’s server says SPF validation is passed. SPF is the Sender Policy Framework, a mechanism designed to foil email spoofing. Nevermind what Google says, I verified the SPF entry by hand, and confirmed that server was indeed an approved server for sending emails with Citibank’s domain name.

Email headers are easily spoofed. If you know how to check them, you can easily spot obvious fakes. This one looks legitimate. I still cannot be 100% sure, but there’s a very good chance the email did really come from Citibank.

I needed to call Citibank. I instinctively pressed the keys on their IVR sending me to their credit card people. The inbound fund transfer problem was supposed to be about my bank account. They credit card people actually had to transfer my call, but because apparently no bank officer was available, they arranged for someone to return my call.

No one called back. After 24 hours, I called again. This time I was careful to make sure I pressed the right keys to speak to the bank people. Shockingly, the lady was unfamiliar with this inbound fund transfer facility. I had to explain what it meant. No, she insisted that to transfer funds, one had to go to the debiting bank to initiate the transfer to the crediting bank. This is a nice little service, the inbound fund transfer, of Citibank, but unfortunately their customer support officer was unfamiliar. To cut a long story short, she will arrange for someone to call me back.

Again, no one called back. Another 24 hours later, I called. I was given a strange explanation. I was busy at that time to probe deeper, but the gist of it was that some backend department in Citibank was doing some change, so they had to “delete” and “setup” again my inbound fund transfer.

Uh, really? Your backend has something to do, you should do it quietly without impacting the customer. In particular, the email message I received says “per your instruction”. It makes me think that my account security might have been compromised for the bank to say they were acting according to my instruction.

Here’s the text of the cancellation email:

Dear Customer,

Please be informed that we have cancelled your Inbound Funds Transfer setup per your instruction.

Thank you.

Yours sincerely,
Citibank Online and CitiBusiness Online
Citibank Singapore Limited
Co. Reg. No. 200309485K

For customers who hold a Citibank banking account
————————————————-
If you have any queries or account related instructions, please login to citibank.com.sg to send us a SECURE message via My Home Inbox. This is for your protection. Please note that we will not act on / respond to such instructions/queries sent via ordinary email as that is not a secure mode of communication.

For customers who hold a CitiBusiness account
———————————————
Please contact your dedicated CitiBusiness Relationship Manager or our 24-Hour Corporate CitiPhone Banking at (65) 6238 8833 for any enquiries.

This is an automated mailbox and no response will be given for mails sent to this e-mail address.

A day or two later, I received further emails about them receiving my inbound fund transfer setup:

Dear Customer,

We acknowledge that we have received your Inbound Funds Transfer application. Subject to the processing time of the bank/finance company (nominated in your application), your Inbound Funds Transfer instruction will be effected within 30 days from the date hereof and we will be sending you a confirmation of the same.

Thank you.

Yours sincerely,
Citibank Online and CitiBusiness Online
Citibank Singapore Limited
Co. Reg. No. 200309485K

For customers who hold a Citibank banking account
————————————————-
If you have any queries or account related instructions, please login to citibank.com.sg to send us a SECURE message via My Home Inbox. This is for your protection. Please note that we will not act on / respond to such instructions /queries sent via ordinary email as that is not a secure mode of communication.

For customers who hold a CitiBusiness account
———————————————
Please contact your dedicated CitiBusiness Relationship Manager or our 24-Hour Corporate CitiPhone Banking at (65) 6238 8833 for any enquiries.

This is an automated mailbox and no response will be given for mails sent to this e-mail address.

Finally, the approval of my inbound fund transfer:

Dear Customer,

This is to inform that your application to setup an Inbound Funds Transfer from another bank has been approved.

If you hold a Citibank banking account, please login to citibank.com.sg using your card number and PIN to confirm the setup. You can proceed to make your Inbound Funds Transfer with immediate effect.

If you hold a CitiBusiness account, please login to citibusiness.com.sg using your card number and PIN to to confirm the setup. You can proceed to make your Inbound Funds Transfer with immediate effect.

Thank You.

Yours sincerely,
Citibank Online and CitiBusiness Online
Citibank Singapore Limited
Co. Reg. No. 200309485K

For customers who hold a Citibank banking account
————————————————-
If you have any queries or account related instructions, please login to citibank.com.sg to send us a SECURE message via My Home Inbox. This is for your protection. Please note that we will not act on / respond to such instructions/queries sent via ordinary email as that is not a secure mode of communication.

For customers who hold a CitiBusiness account
———————————————
Please contact your dedicated CitiBusiness Relationship Manager or our 24-Hour Corporate CitiPhone Banking at (65) 6238 8833 for any enquiries.

This is an automated mailbox and no response will be given for mails sent to this e-mail address.

Really. It does make you a little worried, doesn’t it?

So what now, is Citibank training customers to simply ignore such important messages as these? If there had been a mistake, I’d imagine they had better be a whole lot more proactive about explaining the situation to their customers.

I’ve contacted Citibank again, yesterday, and am waiting for a response from them.

Update: This sequence of events (IFT cancellation, application, and approval) repeated two more times over another few weeks or so. That’s three sequences, totalling 9 emails!

Leave a Reply

Your email address will not be published. Required fields are marked *

View Comment Policy