It’s always perplexing when legitimate, unsolicited emails appear to intentionally masquerade as phishing expeditions. It’s even more confusing when banks, the very organizations that claim to understand security intimately, demonstrate precisely what not to do.

This pearl recently landed in my inbox.

1 9sXgQVg54PyWhmooJcNoCA

Given BMO’s track record with phishing and since there is a veritable pandemic of phishing out there, this is a good opportunity to demonstrate how not to ask for feedback:

1. Relationship: make sure they’re actually your customers. I personally have no dealings with this banking institution.
2. Sharing: don’t give our contact information to a random company and ask us to trust them, because you do
3. Irritation: Avoid breaching privacy with embedded email trackers
4. Outreach: It’s never a good idea for banks to send unsolicited emails unless it’s an urgent alert to go into a branch
5. Blind links: best practices suggest not including hyperlinks with your emails, but why let that stop you from collecting more data?
6. Website Surveillance: when including links to ‘privacy policies’, perhaps avoiding website bugs, trackers and beacons would be a good idea?
7. Confidence: when confirming an Unsubscribe, avoid using flaky expressions such as “You have been successfully removed and should not receive further invitations”.
8. Yeah, no: when sending emails out of the blue with information no one asked for, don’t include the phrase “for more information”. It could be a trigger for some.
9. Curiosity: when naming a department “Customer Experience”, what does that actually mean?
10. Yelling: on a personal note, when you address me, don’t say it in ALL CAPS. It’s a little startling, not to mention inappropriate.

With thanks to BMO Financial Group for the opportunity to provide this feedback. I hope it has been helpful.

And remember:

1 ba AozTQoGcEabswFB nZA
“Based on our sharing of your data without consent, will you recommend us?”


As if to reward me for the free exposure, the Bank of Montreal waited a few days after confirming that I had unsubscribed from all their unsolicited emails, to target me with this new “opportunity”:

1 RsqZbqeN65SN458VdY39JQ
BMO loves to show appreciation for the Canada’s Anti-Spam Legislation (CASL)

Both the personalized message and the new unsubscribe confirmation were replete with web bugs, trackers and hidden hyperlinks, the hallmarks of email security. 
Cybercriminals everywhere are secretly appreciating the Bank’s efforts to further erode privacy awareness and de-sensitize email recipients about the importance of email best practices.

1 Kx7L2v8PFwnN4 sUhchlkw
Oh rest assured, I won’t, but something tells me that you will, BMO.