Why do banks send emails with links to surveys?

Forums › Off topic › Why do banks send emails with links to surveys?

1 | 2

tardtasticx

3075 posts

Uber Geek

#3370321 4-May-2025 09:11

One of the common misconceptions is that banks will never send you a link in an email, and that if they do they’re bad.
That’s simply not the case, it’d be nice if it was as simple as that but we know there’s plenty of valid reasons a bank would send you a link to something.

Typically it’d be ‘bank x won’t send you links to login’ for example. There’s no reason for them to do that and that’s what scammers like to do.
A link to a survey, link to updated T&Cs, a new product etc, all valid and shouldn’t require a login at the other side.

Part of looking at an email and determining the risk is reviewing the context.
Do I have a relationship with this bank. Did I do anything to generate a survey like this? Is the branding correct? Is it asking me to do something that warrants further investigation?
from there you should decide if clicking a link or whatever action the email is asking is risky, and if it should be ignored.

Behodar

10504 posts

Uber Geek

Trusted

Lifetime subscriber

#3370322 4-May-2025 09:21

tardtasticx:

One of the common misconceptions is that banks will never send you a link in an email, and that if they do they’re bad.
That’s simply not the case, it’d be nice if it was as simple as that but we know there’s plenty of valid reasons a bank would send you a link to something.

Typically it’d be ‘bank x won’t send you links to login’ for example. There’s no reason for them to do that and that’s what scammers like to do.
A link to a survey, link to updated T&Cs, a new product etc, all valid and shouldn’t require a login at the other side.

You're quite right, and after looking through my old emails, my earlier claim that I'd never seen that sort of thing from Westpac ended up being erroneous. But when it's something that requires logging in (such as a recent one to get a tax certificate), there's no link: it just says "log in to Westpac One".

tweake

2391 posts

Uber Geek

#3370345 4-May-2025 13:04

tardtasticx:

One of the common misconceptions is that banks will never send you a link in an email, and that if they do they’re bad.
That’s simply not the case, it’d be nice if it was as simple as that but we know there’s plenty of valid reasons a bank would send you a link to something.

Typically it’d be ‘bank x won’t send you links to login’ for example. There’s no reason for them to do that and that’s what scammers like to do.
A link to a survey, link to updated T&Cs, a new product etc, all valid and shouldn’t require a login at the other side.

Part of looking at an email and determining the risk is reviewing the context.
Do I have a relationship with this bank. Did I do anything to generate a survey like this? Is the branding correct? Is it asking me to do something that warrants further investigation?
from there you should decide if clicking a link or whatever action the email is asking is risky, and if it should be ignored.

the catch here is there is typically zero reason for banks to send links other than its more convenient for their customers. instead of a link all they need to say is "log into your account to check".

scammer 101 is to have an email looking like its from your bank with an email link.

2ndly if you fall victim to a scam because you clicked on a link, the bank blames you for clicking on a link, but they expect you to click on their links even tho most people can't tell the difference between a real one or not. so its simply bad form and hypocritical by banks to send links in their emails.

mattwnz

20147 posts

Uber Geek

#3370373 4-May-2025 15:23

tardtasticx:

One of the common misconceptions is that banks will never send you a link in an email, and that if they do they’re bad.
That’s simply not the case, it’d be nice if it was as simple as that but we know there’s plenty of valid reasons a bank would send you a link to something.

Typically it’d be ‘bank x won’t send you links to login’ for example. There’s no reason for them to do that and that’s what scammers like to do.
A link to a survey, link to updated T&Cs, a new product etc, all valid and shouldn’t require a login at the other side.

Part of looking at an email and determining the risk is reviewing the context.
Do I have a relationship with this bank. Did I do anything to generate a survey like this? Is the branding correct? Is it asking me to do something that warrants further investigation?
from there you should decide if clicking a link or whatever action the email is asking is risky, and if it should be ignored.

If they sent an email that says to log into online banking to read this message, and not send any link, which is what some banks do, I would agree with that. However any link in an email could be to a compromised site and everyone can fall victim to a scam email, which is exactly what the message in the email says. Especially with AI where content can now be very convincing.

ANglEAUT

2320 posts

Uber Geek

Trusted

Lifetime subscriber

#3370380 4-May-2025 16:42

KiwiSurfer:

Agree, at my $DAY_JOB we use O365 which rewrites all URLs to something.safelinks.outlook.com/something/encodedURL which makes it a pain copying URLs from within O365 apps as it will paste as a massively long URL instead of the proper URL itself. Drives me mad.

💯

While it is true that on a PC you can hover over the link & O365 will show the original URL, how can you 'hover over' on a mobile device?
Because those links contain the O365 user ID, I believe this is a form of security related data leakage. That user ID can be either totally unrelated to this email chain or from a sender 3-5 email ago that is no longer a part of the conversation.
The URL decoder from emn178 and others comes in very handy in these situations to decode the full link.

Please keep this GZ community vibrant by contributing in a constructive & respectful manner.

jnimmo

1097 posts

Uber Geek

#3370418 4-May-2025 21:34

In my opinion I prefer links in emails - it's more convenient, and arguably safer than having someone accidentally hit a typo squat or malicious paid link in search engine results to log into banking just to complete a survey. I would love to see banks investing in phishing resistant authentication methods though; but at the end of the day there's a lot of good tech/people working in the phishing/loss prevention space.

Please don't report it as spam/phishing unless you suspect it is, mail delivery issues don't really help anyone.

mattwnz

20147 posts

Uber Geek

#3370423 4-May-2025 22:07

jnimmo:

In my opinion I prefer links in emails - it's more convenient, and arguably safer than having someone accidentally hit a typo squat or malicious paid link in search engine results to log into banking just to complete a survey. I would love to see banks investing in phishing resistant authentication methods though; but at the end of the day there's a lot of good tech/people working in the phishing/loss prevention space.

Please don't report it as spam/phishing unless you suspect it is, mail delivery issues don't really help anyone.

if you use something like Bitwarden, it is impossible to log into anything but your banking website.

GoodSync

GoodSync. Easily back up and sync your files with GoodSync. Simple and secure file backup and synchronisation software will ensure that your files are never lost (affiliate link).

Handsomedan

7285 posts

Uber Geek

ID Verified

Trusted

Subscriber

#3370436 5-May-2025 08:38

Believe me - there's plenty of similar discussions within banks - we question why links are sent unsolicited and everyone nods sagely, then sends another raft of links in emails.

It's a counter-productive circle of doom.

Handsome Dan Has Spoken.
Handsome Dan needs to stop adding three dots to every sentence...

Handsome Dan does not currently have a side hustle as the mascot for Yale

*Gladly accepting donations...

1 | 2