PSA: Citibank credit card compromised and swiped for $90k NTD after phishing attack [Advice needed]

A friend fell victim to a phishing scam yesterday in which their Citibank credit card was illegally used to make NT$90,000 in fraudulent purchases. This scam highlights the disastrous merger between Citibank and DBS Bank Taiwan. The merger has resulted in many issues, with this scam being one of the most egregious. This news article provides more information. This forum has some discussion among other victims of this scam.

The scam worked as follows: Citibank credit card holders were targeted with a text message stating their scooter license had expired and they needed to pay NT$600 to renew it. The message provided a link to a fake website impersonating the motor vehicles department, which prompted users to enter their credit card information to pay the NT$600 fee. The only difference from the official website was that the domain name didn’t have .gov, which my friend unfortunately ignored. After entering their information, victims were even sent a one-time password (OTP) and asked to provide this as well. This allowed the criminals to not only steal personal information, but also make fraudulent purchases verified by the OTP.

Apart from reporting the incident to the bank and canceling the affected card, is there anything else that could be done? Would going to the police be helpful?

2 Likes
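Added example, not part of the original post or thread: a check for the one difference the post describes, a payment link whose domain is not under the government suffix. It assumes the official site sits under `gov.tw` (the post only says ".gov"); every hostname and the SMS text below are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the official site sits under gov.tw; the thread only says ".gov".
OFFICIAL_SUFFIX = "gov.tw"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message modelled on the SMS described in the post.
SAMPLE_SMS = ("Your scooter license has expired. Pay NT$600 to renew: "
              "https://license.example-gov.tw/pay.")


def classify_url(url):
    """Return 'official', 'lookalike' or 'unrelated' for one URL."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
        host = host.encode("idna").decode("ascii")  # normalise IDN hosts
    except (ValueError, UnicodeError):
        return "lookalike"  # an unparsable link in a payment SMS is suspect
    if not host:
        return "lookalike"
    # Official only if the host IS the suffix or a true subdomain of it;
    # "example-gov.tw" and "gov.tw.example.com" both fail this test.
    if host == OFFICIAL_SUFFIX or host.endswith("." + OFFICIAL_SUFFIX):
        return "official"
    # Imitation signals: a "gov" label in the wrong place, a punycode label,
    # or an official-looking name placed before "@" (URL userinfo).
    has_gov_label = "gov" in re.split(r"[.\-]", host)
    has_punycode = any(label.startswith("xn--") for label in host.split("."))
    if has_gov_label or has_punycode or parts.username is not None:
        return "lookalike"
    return "unrelated"


def scan_sms(text):
    """Classify every http(s) URL found in an SMS body."""
    urls = (m.rstrip(".,;:!?)") for m in URL_RE.findall(text))
    return {url: classify_url(url) for url in urls}


if __name__ == "__main__":
    for url, verdict in scan_sms(SAMPLE_SMS).items():
        print(verdict, url)
```

The suffix comparison is anchored on a dot boundary, which is what separates a real subdomain from a hyphenated or prefixed imitation.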

It shouldn’t be a problem, the bank should reverse the charges. That is the advantage of using a credit card instead of a debit card. I also got scammed recently by clicking on an email from the Post Office. Citibank reversed the charges no questions asked.

5 Likes

Who texts “pay up” messages? :doh:

1 Like

I believe the government does text you in many situations to pay up.

1 Like

Something I’ll have to get used to or keep ignoring. Hope your friend gets her 90k back. That’s real money.

I have lived in Taiwan since 1988 and never had any text message or email from any government agency asking me to pay up. Even when I let my scooter license expire no text message was sent. Mail was sent.

Also when banks send a text sms password the first thing they tell you is not to share it with anyone including the bank.

3 Likes

Well, you have to enter the password from the bank to make certain online purchases. I’ve been prompted for the same from PCHome, Shopee etc. and even movie theaters such as Miramar.

The issue here was that the website was a clone with a slightly different domain name so it looked quite legitimate. The sad bit is that Taiwanese websites look like they were designed in 2005 by a ten year old in a basement so anyone can set up a clone in a day.

Personally, I’ve gotten messages reminding me to make payments before. I’m a techie so I wouldn’t fall for these scams, but my friend did. Apparently Citibank customers were targeted because of a chaotic merger with DBS. It’s likely that my friend’s info got leaked.

It’s a credit card. It was the bank’s money.

Report it and they are out of trouble. But shouldn’t really fall for a fake SMS with fake URL scam…

4 Likes

True… but you have to show you took reasonable steps to prevent it…

1 Like

You are not on the hook for an unauthorized charge. Report it and the charge gets taken off. This goes for any card with a Visa or MasterCard logo.

TL, your ignorance is showing again. You’re on the hook and you make a dispute claim, the institution will assess the claim. If it goes in your favour yes the charge will be cancelled. Not all claims are accepted.

1 Like

You are “on the hook” until you dispute it and… “you are STILL on the hook” until the dispute is resolved in your favour…

The problem I see (as a former banker) is that he likely authorised the transaction with an OTP code. If that’s the case then… the bank has some wiggle room to get out of paying.

If the bank manages to do a chargeback in time and recoup the money then happy days… If not…

2 Likes

So the bank doesn’t want to chargeback.

Although they were informed within 15 minutes of the scam, they are asking to “wait till September 3rd” until the transaction is complete and then they can “start the investigation”.

I’m not even sure what it means but it sounds scammy from the bank (Citibank which is now DBS). Any clues what can be done?

1 Like

What was the purchase actually for?

How was it possible for the scammers to use the one-time password approving a NT$600 transaction to make multiple purchases totaling tens of thousands?

1 Like

So I played around with the scam website, after you enter your card details they lead you to a verification screen where an OTP is required. At this point they’re probably making another expensive purchase on some legitimate website with your card details, and then that purchase triggers an OTP to your phone, which they receive when you enter it on the fake website.

1 Like

But doesn’t the SMS containing the OTP also state the transaction amount? And how could they then do multiple purchases?

I’m not sure if the OTP always contains the amount. They made one purchase of $90k NT.

1 Like

To answer this: I did notice that when I use a website more than once they don’t require an OTP after the first purchase.

However such a large amount does sound really strange to me…

Also, from what @DunderMifflin is saying, the bank is doing a “retrieval request”, which is the first part of a dispute where they may freeze the funds in transfer and gather more information before making the next move.

Sounds to me that the bank aren’t yet convinced…

1 Like

I don’t think they’re doing a retrieval request, they’re doing the transfer