1 March 2008
I changed my banking passwords today, something I do about every three months. After doing so, I received emails from each bank informing me that my passwords had been changed – and advising me that I ought to get in touch with them if I had not done the changing. Here's the email I got from RBC:
What they get right
They get a couple of things right. First, sending an email to me when my password is changed is a great idea. If someone else had changed my password, I would learn about it quickly. (What would happen, though, if that person changed the email address on file at the same time? No problem: when an email address change is made, a notification is sent to the old email address.)
Second, they assure me in the email that "RBC will never ask you to provide, confirm or verify confidential information like your online banking ID, password, account numbers, balances or PIN through regular email." That's super. If I ever get an email asking me to confirm confidential information, I'll know it's fake.
What they get wrong
I do have one minor complaint. It would be better if my bank refrained from including phone numbers and clickable links in the email. I could imagine a scenario where a phisher sends an email identical to this one, except that the links and phone numbers direct the user to a phishing source. Once the user is on the phisher's website or is talking to a phisher, he might forget all about the promise in the email to never ask about confidential information.
On the other hand, if banking customers get used to the idea that legitimate banks never send emails with links or phone numbers inside them, phishers would have trouble indeed getting people to contact them.
Edited to Add (2 Mar 2008): Note that my bank included my name in the email, something many banks do. So if you ever receive an email from what is ostensibly your bank that lacks your full name (“Dear Customer” or the like), be wary.
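As an added illustration (not the bank's code or anything from the post), here is how an account-notification routine could apply the points above: an email-address change is sent to the old address as well, and every outgoing notice is checked for a missing full name, clickable links and phone numbers. "Example Bank", the wording and the regexes are my own placeholders.

```python
import re
from dataclasses import dataclass

# Crude patterns for the two things the post says a bank notice should NOT carry.
URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)
PHONE_RE = re.compile(r"\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}")

WHAT_CHANGED = {"password_changed": "password", "email_changed": "email address"}


@dataclass
class Account:
    full_name: str
    email: str


def notification_recipients(event, account, old_email=None):
    """Addresses to notify. A password change goes to the address on file; an
    email-address change also goes to the OLD address, so the real owner still
    hears about it if someone else switched the address (the post's scenario)."""
    if event == "password_changed":
        return [account.email]
    if event == "email_changed" and old_email:
        return [old_email, account.email]
    raise ValueError(f"unsupported event {event!r}")


def compose_notification(event, account):
    """Build a notice that names the customer, carries no links or phone
    numbers, and points to an out-of-band channel. Placeholder wording."""
    return (
        f"Dear {account.full_name},\n\n"
        f"Your online banking {WHAT_CHANGED[event]} was changed. If you did not make "
        "this change, call the number printed on the back of your client card.\n\n"
        "Example Bank will never ask you to provide, confirm or verify confidential "
        "information such as your ID, password, account numbers or PIN by email.\n"
    )


def lint_notification(body, full_name):
    """Return the policy violations found in a notice; an empty list means it passes."""
    problems = []
    if full_name not in body:
        problems.append("missing customer full name")
    if URL_RE.search(body):
        problems.append("contains clickable link")
    if PHONE_RE.search(body):
        problems.append("contains phone number")
    return problems
```

Run `lint_notification` over any notice template before it is approved; a "Dear Customer" template with a login link and a hotline number fails all three checks.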