My bank keeps on undermining anti-phishing education

Liability, incentives, and “gross negligence”

  • Some argue banks sending phishing-like emails/SMS should be legally liable for gross negligence; others counter that it’s hard to assign liability when there’s no concrete, provable victim.
  • Multiple stories show banks refusing to reimburse scam losses (Zelle, card charges), explicitly saying “fraud protection doesn’t cover scams,” reinforcing the view that banks externalize most risk to customers.
  • Commenters doubt insurers or regulators meaningfully constrain banks; until incidents become expensive (fines, lawsuits, lost customers), there’s little incentive to change.

Marketing, outsourcing, and confusing domains

  • Many banks and governments outsource campaigns, KYC, and “secure email” to third parties on unrelated domains, often with tracking links and Let’s Encrypt certs — indistinguishable from phishing.
  • This is frequently driven by separate marketing IT, SaaS vendors, and slow core IT, rather than a coherent security/UX strategy (Conway’s Law).
  • Some see deliberate use of separate campaign domains to protect main-domain deliverability metrics, worsening user trust.
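The complaint above is that a bank's own mail routinely lands on vendor or campaign domains, so a recipient (or a mail gateway) has no cheap way to tell it from phishing. The following script is an added example, not code from the original post or from any bank: it takes the bank's canonical registrable domain (the hypothetical `examplebank.com`) and sorts the links in a message into first-party, third-party, look-alike (the bank's name appears inside someone else's domain) and non-HTTPS. The sample links are constructed to mirror the cases the thread describes, and the multi-label public-suffix list is a deliberately partial stand-in for the real Public Suffix List.

```python
from urllib.parse import urlparse

# Constructed, partial stand-in for the Public Suffix List (assumption:
# a real deployment would load the full list instead of this set).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz", "com.br"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a hostname,
    e.g. 'mail.examplebank.co.uk' -> 'examplebank.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str, bank_domain: str) -> str:
    """Classify one link from a bank email relative to the bank's own domain.

    Returns 'first-party', 'third-party', 'lookalike' or 'insecure'.
    The look-alike rule is a heuristic: the bank's name appears in the
    hostname, but the registrable domain belongs to someone else.
    """
    parts = urlparse(url)
    host = parts.hostname or ""          # urlparse lowercases hostnames
    if parts.scheme != "https":
        return "insecure"                # plain http, or a non-web scheme
    if registrable_domain(host) == bank_domain.lower():
        return "first-party"
    bank_label = bank_domain.split(".")[0].lower()
    if bank_label in host:
        return "lookalike"
    return "third-party"


def audit_email_links(urls, bank_domain):
    """Map every link in a message to its classification."""
    return {url: classify_link(url, bank_domain) for url in urls}


def summarize(urls, bank_domain):
    """Count links per class; anything other than first-party is what a
    recipient cannot distinguish from phishing without extra context."""
    counts = {"first-party": 0, "third-party": 0, "lookalike": 0, "insecure": 0}
    for cls in audit_email_links(urls, bank_domain).values():
        counts[cls] += 1
    return counts


# Constructed sample links of the kinds the summary describes (hypothetical domains).
BANK_DOMAIN = "examplebank.com"
SAMPLE_LINKS = [
    "https://www.examplebank.com/security/alerts",                    # the bank's own site
    "https://click.marketingvendor-mail.net/t/abc123?u=examplebank",  # campaign tracking redirect
    "https://examplebank-secure-docs.com/kyc/upload",                 # outsourced KYC on an unrelated domain
    "https://examplebank.com.verify-login.net/",                      # bank name as a subdomain of another domain
    "http://examplebank.com/login",                                   # right domain, but not HTTPS
]

if __name__ == "__main__":
    for url, cls in audit_email_links(SAMPLE_LINKS, BANK_DOMAIN).items():
        print(f"{cls:12s} {url}")
    print(summarize(SAMPLE_LINKS, BANK_DOMAIN))
```

Run as-is, four of the five constructed links fall outside the bank's own domain or use plain HTTP, which is exactly the signal the thread says customers are told to treat as phishing. The same classifier can sit behind a mail-gateway rule or a user-facing "where does this link really go" helper; the `lookalike` bucket is the one to surface most prominently, since it is the pattern that "looks like the bank" while the registrable domain is not the bank's.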

Terrible UX and “security theater”

  • Numerous examples of hostile banking UX: extremely short or numeric-only passwords, click-only virtual keypads, blocked password managers, SMS 2FA regressions, arbitrary app permissions, and client-side hashing.
  • Justifications like “keylogger defense” or old mainframe limits are viewed as partially or totally bogus, or at best outdated.
  • Voice biometrics and other “modern” methods are mocked as trivially replayable.

Calls, texts, and broken authentication flows

  • Banks commonly call from unknown numbers, refuse to identify themselves before asking for personal data, or ask customers to read back 2FA codes — directly mirroring scam scripts.
  • Some better patterns exist (asking customers to call the number on the card or verify the call in-app), but are inconsistently implemented, even within a single institution.
  • Fragmented fraud systems and outsourced call centers lead to contradictory advice and even internal teams misidentifying each other as scammers.

Training vs behavior: mixed messages

  • Corporate “don’t click links in emails” training collides with real bank/HR/vendor emails that demand exactly that behavior, often via mangled tracking URLs.
  • Many commenters conclude that as long as normal workflows rely on unsolicited emails with links and credential entry, phishing education alone cannot succeed; the system design itself is flawed.