New York State's attorney general sued Citi on Tuesday, accusing the company of failing to stop scammers from stealing an unspecified amount of money from customer accounts and saying the bank must pay fraud victims compensate for any losses.
The lawsuit, filed in federal court, exposed several ways Citi customers were fooled into releasing sensitive information that allowed hackers to access their accounts and steal millions of dollars. In what is known as phishing fraud, some of the cases involved Citi customers receiving text messages or emails that purported to be from Citi but were actually from criminals.
New York Attorney General Letitia James said Citi should have been suspicious when large transfers were requested from customer accounts that had had no such activity for decades — and had their passwords changed only minutes before.
In one case, when a customer called her local Citi branch concerned about a phishing message she had clicked, she was told by the bank, “Don't worry about it; it happens all the time.” Three days later, more than $40,000 was withdrawn from her account, the lawsuit said. Citi later denied her request for a refund, saying it was her fault for clicking on the scammer's message.
The lawsuit holds Citi responsible under the Electronic Fund Transfer Act of 1978.
“There is no excuse for Citi's failure to protect millions of dollars and prevent them from being stolen from customers' accounts,” said Ms. James, who, like attorneys general before her, is seeking a higher function.
A Citi spokeswoman, Danielle Romero-Apsilos, said the bank was not obligated to refund customers who were victims of fraud. “Citi closely monitors all laws and regulations regarding wire transfers and works extremely hard to prevent threats from impacting our customers and to help them recover losses where possible,” she said in a statement.