New York lawsuit: Scammers wiped out Citibank customers, but they got the blame

For most of the victims, the financial nightmare began with the same mistake: a click on a text message that appeared to be from Citibank asking to verify some information.  

It was a fake. And just like that, authorities said, the sender likely swiped their personal information, then used it to log in to their account and wipe them out. Then came a second shock: Citibank said it wasn't responsible for recovering the stolen funds. 

The thefts, detailed in New York's recently filed federal lawsuit against Citibank, expose weaknesses in consumer protection laws that have become more essential as banks continue to migrate their services online and cases of identity fraud surge across the country.

While the government limits losses from stolen credit cards, debit cards and check books, it’s less clear what anti-fraud protections — if any — are available for certain fund transfers from bank accounts that can hold the bulk of a family’s cash reserves. These accounts appear to be an increasingly popular target for identity thieves: The Federal Trade Commission said imposter scams involving bank transfers surged from 2020 to 2023 with losses jumping 575% to $385 million. In New York, reports of similar scams rose 44% in that same period. 

Over the past several weeks, New York Attorney General Letitia James, who filed the lawsuit in the U.S. District Court for New York’s Southern District in January, and lawyers for Citibank, a subsidiary of the New York-based financial giant Citigroup Inc., have argued in court filings over which laws applied to fraudulent account transfers. Citibank has asked Judge J. Paul Oetken to dismiss the case.

James said Citibank violated a 46-year-old federal consumer protection law called the Electronic Fund Transfer Act, which is typically used in cases of stolen ATM and debit cards and caps a fraud victim’s losses at $50.  

She added the bank failed to provide its customers with a reasonable level of security from identity thieves and allowed fraudulent wire transfers to proceed even after those customers spotted the scam and asked the bank to halt the withdrawals.

“Citi’s illegal and deceptive practices have cost New Yorkers millions,” James wrote in the complaint.

In a separate filing, Citibank said the Electronic Fund Transfer Act doesn’t govern the kind of transfers described in the lawsuit. Instead, the banking industry applies a different standard outlined in the Uniform Commercial Code, a set of laws governing commercial transactions in the U.S. The UCC, Citibank said, releases banks from responsibility for customer losses from wire transfers that were conducted with a “commercially reasonable” level of security.

By bringing the lawsuit, Citigroup said James is trying to upend the industry’s traditional understanding of banking law and reinterpret it in ways that Congress never intended.

“The proper forum for pursuing the goals (the New York Attorney General) seeks to achieve in this litigation is in Congress, not a courtroom,” lawyers for Citibank wrote in an April 2 court filing.

The disagreement over which legal standard to apply has heaped an extra layer of frustration and anxiety onto victims of ID theft, as well as the many bank account holders who fend off similar scams.

“What I used to see more of were cases involving stolen debit cards,” said Brian Bromberg, a consumer law attorney who represents ID theft victims from Long Island. “Now it’s a window popping up on someone’s computer screen that says, ‘Hey, money is being stolen from your account. Call immediately.’ " The pop-up is invariably from a scammer attempting to get control of their computer and then their bank account, he said.

“If you go after the banks” to recover the customer’s losses, Bromberg said, “they’ll claim that it’s not covered by the EFTA, and therefore they have no obligation, and therefore you’re out of luck.”  

Cecilio Porras, a Chicago commercial litigation attorney who specializes in banking law, pointed out that the Uniform Commercial Code does provide protections for ID theft victims, but it's generally a weaker standard than the laws governing credit cards and debit cards. And it likely requires victims to take their bank to court to prove it should repay what was stolen.

"You’re ultimately going to have to show that the bank — and the bank is never going to agree — that they acted in a commercially unreasonable manner," Porras said. "That can only really be parsed out in a lawsuit."

Citibank declined to comment. The bank said in court filings it has implemented "robust countermeasures" to combat attempts to hack into clients' accounts, "but no system will catch every scam every time." 

$50,000 gone in 30 minutes  

  The attorney general's lawsuit recounts the experiences of 10 New Yorkers, including multiple accounts from Long Island residents, who were targeted in a series of phishing scams over the past few years.

One of them, a woman the attorney general’s office identified as “Consumer E,” offered a story that tracks with many of the others.  

According to the lawsuit, the woman said she received a text message from what appeared to be Citibank. She clicked on the link. The next day, the woman discovered that someone had accessed her bank account, enrolled in its online wire transfer service and withdrew $50,000. The whole operation took less than 30 minutes. 

The attorney general's office said the woman called Citibank’s customer service department, which informed her the stolen funds had “already left your account.”  She filed an affidavit with her local bank branch, stating the transfer was unauthorized. She filed a police report at her local precinct.

Nearly a month later, according to the lawsuit, the woman received a letter from Citibank saying the bank would not return what was stolen.

“You did not take adequate steps to safeguard your account,” the letter said.

The victims in the lawsuit reported losses that ranged from $7,750 to $102,000. Most of them lost tens of thousands of dollars after clicking on a fake text message.

Some were repaid several months later after the attorney general's office became involved. Others have yet to see their money returned.

What protections exist?

The outcome of the lawsuit will likely hinge on the court’s interpretation of what happens when banks send money from one place to another.

The attorney general's office sees bank fund transfers as a series of intermediate transactions that must take place when two parties exchange money electronically. At least some of those transactions, it said, should receive the consumer protections available in the Electronic Fund Transfer Act — particularly the first step in the process when customers instruct their bank to transfer money. The law limits losses from unauthorized transfers to $50 if the account holder notifies the bank within two business days.

Citibank takes a different view. It said bank transfers cannot be deconstructed into separate parts, given that they’re interrelated and essential for moving the money. The bank’s lawyers also said in court documents the Electronic Fund Transfer Act was written to exclude transfers that involve bank-to-bank wires.

Citibank said the Uniform Commercial Code should govern these transfers. And UCC absolves banks from responsibility if they employ reasonable security procedures when trying to verify their customer’s identity.

The attorney general’s “theory is as imaginative as it is incorrect,” Citibank wrote. “The court should reject it.”

James’ office has until May 17 to respond to Citibank’s motion to dismiss.