Find A PhysicianHome  |  Library  |  myDownstate  |  Newsroom  |  A-Z Guide  |  E-mail  |  Contact Us  |  Directions

SUNY Downstate Medical Center

Information Services and Technology

Fraudulent Emails


These guidelines may be applied accordingly to any email. In general, simply substitute any reference to Citibank with the name of your financial or other business institution.

What is a fraudulent e-mail?

A fraudulent (a.k.a. spoofing, imposter, or phishing e-mail) is one that has been forged so it looks like a legitimate e-mail from a particular organization (such as Bank of America, Chase, Citibank, eBay, or PayPal). It's goal? Usually to trick you into providing sensitive personal information that can be used for identity theft.

It's often hard to detect a fraudulent e-mail. That's because the e-mail address of the sender often seems genuine (such as, as do the design and graphics. But there are telltale signs to be aware of. For example, fraudulent e-mails often try to extract personal information from you in one of two ways:

By luring you into providing it on the spot (e.g., by replying to the e-mail)
By including links to a site that tries to get you to disclose personal data.

How can I be sure that I'm dealing with Citibank  and not an imposter?

You can tell that you're dealing with Citibank because:

  • Citibank will never send you an e-mail asking for your passwords, credit card numbers, or other sensitive information.
  • If we request information from you, we'll always direct you back to a Citibank site using links. These are for your convenience — you can also reach our site using your bookmarks or any of our published URLs.
  • If you're required to enter personal information to perform a transaction, it's always done on a site secured with SSL technology — you can tell because there'll be a padlock icon at the bottom of your screen. Most important, if you click on the padlock, a security certificate will pop up. In it, there's a section that says "Issued to:" If it's really a Citibank site, then the URL will end in ""
  • If you use a link in an e-mail you receive from us, you can make sure that you are on a Citibank page by comparing the address of the site in the Address/Location area of your web browser to those in the table below.
  • While we may provide more user-friendly URLs that are easy to remember — such as or — they always direct you to pages located at the URLs in the table below. 
Citibank Online or My Citi
Citibank Credit Cards
Citibank Mortgage or,
Citibank Student Loans
CitiBusiness Online
Smith Barney Access


How can I recognize a fraudulent e-mail?

To tell if an e-mail is really from Citibank, you need to view the site that the URL is taking you to. Here's how to do so with Text-based e-mails:

Text-based e-mails. Text-based e-mails also tend to contain very long URLs that you click on to get to a site. However, the URL may not represent the true destination. Here's how to verify that you're really at a Citibank site:

Paste the URL into your browser.

When you arrive at the site, doubleclick on the padlock icon and make sure that it's "Issued to" a URL that ends in

HTML-based e-mail. In HTML e-mails (with graphics), to view the destination URL position your cursor over the link or button; the URL should appear in your e-mail program's status bar at the bottom of the window.

However, spoof URLs are intentionally long, so only the first part is usually visible in the status bar. It might look genuine, but it's not a guarantee of where you'll end up. Therefore, you need to view the entire URL and go there to make sure it's really a Citibank site. To do this:

  1. Position your mouse over the link and right click.
  2. Select Copy.
  3. Paste the URL into Notepad (or any text editor).
  4. When you arrive at the site, doubleclick on the padlock icon and make sure that it's "Issued to" a URL that ends in

How can I protect myself?

We want your online experience to be enjoyable and worry-free. That's why Citibank Online uses 128-bit secure sockets layer (SSL) encryption and other security procedures. We also want to make you aware of several simple security tips to keep in mind:

  • Act quickly if you suspect fraud. If you believe someone is trying to commit fraud by pretending to be Citibank or another Citigroup business, please contact us immediately at 1-800-374-9700.
  • Use a strong password. Choose passwords that are difficult for others to guess and use a different password for each of your online accounts. Use both letters and numbers and a combination of lower case and capital letters if the passwords or PINS are case sensitive.
  • Change your Citibank Online Password often. You can do this quickly and easily by signing on and going to the Account Servicing area.
  • Leave suspicious sites. If you suspect that a website is not what it purports to be, leave the site immediately. Do not follow any of the instructions it presents.
  • Be alert for scam e-mails. These may appear to come from a trusted business or friend, but actually are designed to trick you into downloading a virus or jumping to a fraudulent website and disclosing sensitive information.
  • Don't reply to any e-mail that requests your personal information. Be very suspicious of any e-mail from a business or person that asks for your password, Social Security number, or other highly sensitive information--or one that sends you personal information and asks you to update or confirm it.
  • Open e-mails only when you know the sender. Be especially careful about opening an e-mail with an attachment. Even a friend may accidentally send an e-mail with a virus.
  • Be careful before clicking on a link contained in an e-mail or other message. The link may not be trustworthy.
  • Do not send sensitive personal or financial information unless it is encrypted on a secure website. Regular e-mails are not encrypted and are more like sending a post card. Look for the padlock symbol on the bottom bar of the browser to ensure that the site is running in secure mode BEFORE you enter sensitive information.
  • Do business only with companies you know and trust.
  • Be aware! Phony "look alike" websites are designed to trick consumers and collect their personal information. Make sure that websites on which you transact business post privacy and security statements, and review them carefully.
  • Make sure your home computer has the most current anti-virus software. Anti-virus software needs frequent updates to guard against new viruses. Make sure you download the anti-virus updates as soon as you are notified that a download is available.
  • Install a personal firewall to help prevent unauthorized access to your home computer. This is especially important if you connect to the internet via a cable modem or a digital subscriber line (DSL) modem.
  • Monitor your transactions. Review your order confirmations, credit card, and bank statements as soon as you receive them to make sure you're being charged only for transactions you made. Immediately report any irregularities in your Citibank accounts by calling 1-800-374-9700.