Insecure Email Wall of Shame: Banking Edition

Welcome to the insecure email hall of fame.  What we're about to show you is a real email.  From this week.  Sent from a bank to a client.

We're in a world where email accounts get hacked all the time (e.g. credential stuffing), and there's no telling whether the sender or receiver have laptops, tablets, and phones sitting around unlocked.  And we'll bet anything communicated on this email chain remains in the Sent Items folder of the sender for decades, and possibly in the Inbox of the receiver for decades.  Did we mention there was an unrelated party on cc?

This is not where you want your sensitive personal information hanging out for all-time, while present and future attacks repeatedly attempt to access our email accounts.

Insecure Email Wall of Shame Nominee

Without further ado, I give you our newest nominee for the insecure email wall of shame:

Before we move further into what's wrong with this email, let me just reiterate that this is a real email from a real financial institution, this week.  Not a phishing scam.  Not an email from the 1990s.  A real, current email from a financial institution.

Wall of Shame Nomination Factors

Here are the top reasons why we are nominating this message for our Insecure Email Wall of Shame:

  1. This Invites Phishing Attacks:  when a bank "trains" their clients to expect that they may be asked for sensitive personal information via email, they set the expectation that this is normal and acceptable.  So what happens when a phishing attacker posing as the bank, does the same?  It feels normal at that point.  Nothing suspicious at that point.  If the bank routinely asks for personal information via email, then it won't seem unusual at all when a phishing attacker posing as the bank, does the same.
  2. Multiple Parties:  we can't show this part of the email because it would reveal the parties involved, but this message was sent to two unrelated parties -- not spouses, not dependents, not guardians.  Two seperate individuals who simply happen to be involved (on a very part-time basis) in a particular charitable effort.  Want to bet what the odds are that there ends up being a reply-all from one or more parties, that includes personal information?  If you bet that one of the parties responded to the bank with their drivers license scan, and that the bank person then replied all -- pulling the other party back into the email chain with the drivers license still attached -- then you bet correctly.
  3. Bank Account Signover:  Here's the scariest part.  And again, this is real.  This insecure email was to facilitate the transition of signing authority on a bank account.  A real bank account.  With funds in it.

If you work for a financial institution, please don't follow any of the insecure email practices observed in this wall of shame nomination.

What to do Instead

We've talked about secure email before.  If you must exchange some confidential or personal information with someone that you primarily communicate with via email, make it an authenticated email like the one that we demonstrated in this video about sending medical information.  Or place a file on an authenticated share, like a Google Drive folder that only you and the recipient can access (with permissions locked down to only the two of you).  It's not that hard, and it's for the safety of all involved.

Thanks for reading.  Have any other insecure email examples that you'd like us to consider for the Wall of Shame?  Drop us a line.