Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Why is my bank sending me secure messages as attachments?


Recently, two different banks have sent me emails telling me that they want
to send me a message in a secure manner. In both cases, the bank’s email
invites me to open an attached file in order to receive my secure message. I
checked externally; the messages seem to have come from the banks. Why can’t
they just send me the message or send an encrypted file?

As for the files, I was asked to open, they were both large but different
HTML files. I did open one of them and a few days later, my periodic
Malwarebytes scan found a Trojan. I can’t say whether if it came from all this,
but I haven’t I had a problem before or since. I looked in all the HTML files
(four in all) in a sandbox. One had over 30 internal scripts and another had a
section that appeared to be machine language code, etc. What would you do with
such invitations? I now ask that such messages be sent by U.S. Postal Service
over land mail.

In this excerpt from
Answercast #82
, I look at the possibility that attachments from your bank
only look like they are coming from your bank!


Bank sending messages as attachments

Well, this certainly smells suspicious. This sounds not like something from your bank, but something from someone who’s trying to make you think it’s from your bank.

In other words, this is just a phishing attempt.

Banks don’t send attachments … period. If they do, they’re doing it wrong and I’d switch to a different bank. Seriously! They don’t get security.

No sensitive information through email

What banks should be doing (and I know that my bank does this; my brokerage house does this, even PayPal does this) is they don’t send sensitive information in email … period.

What they do instead is send an email that says, “Hey, you need to go log into the website to read a message we have for you.”

That way, you log into the website (the website is of course https, so it is both encrypted and secure and confirmed to be the site that you think it is) and there in their messaging options will be the message that they’re trying to send to you.

Attachments can contain malware

Attachments are just wrong. As you’ve seen, an attachment will probably be full of a bunch of HTML, a bunch of scripting and who knows what else, perhaps with the intent to infect your machine with some form of malware.

So, ultimately, this was nothing more than phishing. Banks should not be sending you attachments at all simply because attachments can so easily be faked by spammers.

(Transcript lightly edited for readability.)

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

6 comments on “Why is my bank sending me secure messages as attachments?”

  1. Is it a phishing email? A quick checklist:

    Do I have an account with that bank? If not, it smells phishy.
    Does the mail use my name or account number? If not, it smells phishy.

    Either of those two are enough to make me hit the spam button. And you’re right, Leo. Banks almost never send attachments – the only time I’ve had this happen is when I asked them to send me some paperwork that had been posted to me but hadn’t arrived. I knew it was coming, the email used my name and account number, and quoted my request to them, so I knew it was safe to open.

  2. Just for completeness, I have seen at least one major bank in South Africa send out account statements as an attachment that requires their proprietary viewing software to view. This is a bad enough practice on its own, but even more alarming when you realize that to view the attachment you only need the (freely downloadable) viewing software, you don’t actually need to enter a password of any kind, so the supposed “encryption” is really nothing more than a proprietary document format, so they may as well have put the details in the body of the message in terms of security.

    But anecdotes aside, especially within a North American context, any email attachments “from” a bank is a strong phishing indicator.

  3. One needs to be aware that web addresses are not always what they seem to be. Here are two examples:


    {URLs slightly edited}

    The first would appear to be a legitimate address for while the second would appear to be that of

    In reality, the first address takes you to and the second points to .

  4. What I love about my bank … When they send out information, at the top is an “Anti-Phish” number, so that you know, it is from the bank. Plus, there is never a “link”, to go to the bank’s website. The information will simply tell you what is going on and if, you want further information, to simply log-on at the bank website.

    Plus, I have not received a paper statement, in years! Another safety factor, for me and my husband. No one can access my mailbox, to find out personal information. I simply, receive a monthly reminder, that my eStatement is available. Again, no “link”, just basic information.

  5. Just assume any email from an official sounding entity (bank, shipping company, government agency, etc) that contains links or attachments is phishing. I just forward them to abuse@(correct address) and then delete them.

  6. In my personal and volunteer life, I deal with 3 different banks. I agree with Leo. If I get an email (and I think only 1 has my email address), it is only a reminder to log in and get a message from their secure website.

    The other one that catches a lot of people, at least in Canada, but I assume they are also doing this in the US is the email that comes from the tax man. This one always surprises me that people fall for the supposed refund of $384.78. Where on the tax form does it ask for your email address? It doesn’t. So how would the Canada Revenue Agency get your email address?.

    If it doesn’t come in the government envelope through Canada Post, it’s not from the government.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.