New York State’s attorney general sued Citi on Tuesday, accusing it of failing to stop scammers from stealing an unspecified amount of money from customer accounts, and saying the bank should reimburse fraud victims for any losses.
The lawsuit, filed in federal court, laid out a variety of ways in which Citi clients had been fooled into disclosing sensitive information that let hackers gain access to their accounts and steal millions of dollars. In what are known as phishing scams, some of the cases involved Citi’s customers receiving text messages or emails that purported to be from Citi but were really from criminals.
The New York attorney general, Letitia James, said that Citi should have been suspicious when large transfers were requested from customer accounts that had not had such activities for decades — and that only minutes before had their passwords changed.
In one instance, when a customer called her local Citi branch with worries about a phishing message that she had clicked on, she was told by the bank, “Don’t worry about it — it happens all the time.” Three days later, more than $40,000 was transferred out of her account, the lawsuit said. Citi later denied her request to be reimbursed, saying it was her fault for clicking on the scammer’s message.
The lawsuit holds Citi responsible under the 1978 Electronic Fund Transfer Act.
“There is no excuse for Citi’s failure to protect and prevent millions of dollars from being stolen from customers’ accounts,” said Ms. James, who, similar to attorneys general before her, has angled for higher office.
A Citi spokeswoman, Danielle Romero-Apsilos, said the bank was not required to reimburse customers who were victims of fraud. “Citi closely follows all laws and regulations related to wire transfers and works extremely hard to prevent threats from affecting our clients and to assist them in recovering losses when possible,” she said in a statement.