At my previous job, the bank used GoPhishMe to conduct internal phishing tests on employees. Clicking a dubious link or downloading a shady file led to an informative email about the dangers and tricks used by real cybercriminals.
What are your thoughts on extending this practice to bank customers?
* Zero links on legitimate emails. Any email with a link is automatically a phishing attempt.
* Minimal content in emails. No personal details other than my email address and first name in the notification; all the relevant content in the secure messaging section of my customer access.
* Clear categories of emails, and an easy way to unsubscribe from each.
* Direct-to-support-team phone numbers advertised on the website.
* Periodic reminders about good practices (e.g. a legitimate email will never ask you to follow a link or click on a button; a one-time code can only be entered in the app and must never be used in any other way or given to anyone through any channel).