
The New York state attorney general sued Citi on Tuesday, accusing it of failing to stop fraudsters from stealing an unspecified amount of money from customers’ accounts, and saying the bank should reimburse fraud victims for any losses.
The lawsuit, filed in federal court, exposed a variety of ways Citi clients had been tricked into revealing confidential information that allowed hackers to gain access to their accounts and steal millions of dollars. In what are known as phishing scams, some of the cases involved Citi customers receiving text messages or emails that purported to be from Citi but were actually from criminals.
New York Attorney General Letitia James said Citi should have been suspicious when large transfers were requested from accounts of clients who had not engaged in such activity for decades, and who only minutes earlier had changed their passwords.
In one case, when a customer called his local Citi branch concerned about a phishing message he had clicked on, the bank told him, “Don’t worry, it happens all the time.” Three days later, more than $40,000 was transferred from his account, according to the lawsuit. Citi later denied his refund request, saying it was his fault for clicking on the scammer’s message.
The lawsuit holds Citi liable under the Electronic Funds Transfer Act of 1978.
“There is no excuse for Citi not to protect and prevent millions of dollars from being stolen from customer accounts,” said Ms. James, who, like attorneys general before her, has sought higher office.
A Citi spokeswoman, Danielle Romero-Apsilos, said the bank was not required to refund customers who were victims of fraud. “Citi closely follows all laws and regulations related to wire transfers and works extremely hard to prevent threats from impacting our clients and help them recover losses where possible,” she said in a statement.