In their relentless quest to steal your assets, identity thieves may have some surprising help: Banks, brokerages, and retirement-account managers.

Crooks commonly rely on their victims to open a door to their finances by sending “phishing” emails. They look like the ones sent by the folks who hold or manage your money—but they’re bogus. The messages ask you to click a link, which usually takes you to an account login screen on an imposter website that also looks like your real financial institution’s. If, as requested, you supply your user ID and password, the bad guys get them. This is called “credential phishing.”

A basic tenet for protecting yourself from identity theft: Never click links in emails.

But while financial institutions also warn customers not to click links in emails, every day many nevertheless send customers emails containing links to their own account login pages along with encouragement to click them.

That mixed-messaging “very well could train consumers to click the links in phishing emails,” says Gary Davis, chief security evangelist at McAfee, a maker of security software used by consumers and most banks and other financial institutions.

Eva Velasquez concurs. She’s president of the Identity Theft Resource Center, a nonprofit that helps identity fraud victims respond to an attack. When financial institutions send emails with links to their account login page, “it could build this level of comfort for people to click links. ‘Oh, it’s coming from my bank and is safe.’ And most times it is safe. But phishing emails are so hard to spot,” she says.

Rising Threat

Phishing is on the rise: 71 percent of all hacking attacks start with a phishing email. “It is the technique of choice for the cybercriminal, because it’s easy to dupe a consumer to click on a malicious link,” says Davis. Email is also the preferred delivery vehicle. And emails pretending to be from financial institutions were second in relative traffic volume among the top 20 types of imposters for credential phishing in 2017, according to Proofpoint, a cybersecurity firm. 

At the same time, phishing emails are getting more sophisticated. “Attackers are getting better at creating phony emails that look legitimate,” says the Chase Bank website.

To counter the increasing threat, internet service providers, web browsers, email clients, and security software work to identify and trash phishing emails before they reach your inbox. But Davis says even the technology is having a tougher time detecting the fakes.

“A whole lot of phishing emails get caught. But to suggest that’s foolproof? I wouldn’t go that far,” says Davis. “There are still emails getting through. It’s a perpetual cat-and-mouse chase. We build better traps, and they develop better ways to avoid detection.”

Unfortunately, phishing is a numbers game, with an unending number of hooks cast into your email box; even if most of the attempts get stopped, some small percent will sooner or later get through. All it takes is for you to click just one to set off a chain reaction of trouble.

Become a Smarter Consumer Get free, expert advice delivered to your inbox every Wednesday when you sign up for the Weekly Checklist newsletter.

Broken Promises

It’s bad enough when financial institutions don’t practice what they preach, but it only compounds the confusion when they promise one thing and do the opposite. For example, Merrill Lynch recently posted this online alert: “Recently, some Merrill Lynch clients have reported receiving emails that appear to be from Merrill Lynch but which have, in fact, been sent by imposters… How can you tell the difference? Fraudulent emails typically include website links, and/or request you to provide personal information. Merrill Lynch has not and will not initiate a request for sensitive information via email.”

But when we reviewed a legitimate email sent by Merrill Edge, it did contain website links and invitations to click to “view statements.” When the link is clicked, it takes you to an account login page where Merrill requests sensitive information, in the form of your user ID and password.

Thus, Merrill’s own legitimate email is similar to the emails it warns could be bogus.

Merrill’s email itself doesn’t use high-pressure scare tactics about a “problem” that requires you to immediately confirm your identity by providing your Social Security number, account number, and login credentials—the way many phishing emails try to prod you to fast action. But in the clever, ever-evolving world of phishing, it won’t be long before identity thieves mimic Merrill’s low-key approach.

Merrill Lynch did not respond to our request for comment.

Common Practice

Velasquez and Davis say financial institutions commonly send emails with login links. To learn who’s doing it, we collected emails sent by various financial institutions. Among them, we found 10 of the companies were guilty of sending emails with links that led to pages that requested login information from their customers. Those 10 include some of the biggest names in money: Bank of America, Capital One, Chase, E-Trade, Merrill Edge, PenFed Credit Union, SunTrust, TIAA, USAA Bank, and Vanguard Investments.

We asked all 10 to explain. Three responded via email.

Denials, No Apologies

“Vanguard’s email communication with clients follows industry best practices,” said Carolyn Wegemann, a spokeswoman for the largest mutual fund company in the U.S.

Wegemann said two other safeguards protect customers from phishing. Vanguard requires investors to use two?factor authentication, a six-digit code sent to the customer’s phone, which the investor—as well as any phisher—needs to get into his or her account.

That’s one of the best defenses. Unfortunately, it can be defeated. As we reported last summer, one investor lost hundreds of thousands of dollars after identity thieves lured him to a bogus login page and captured his credentials. They used those to log in to the victim’s account, which triggered the sending of an authentication code to the investor’s phone, which the crooks tricked him into revealing.

Vanguard’s second defense is voice verification. With that, a phisher can’t access the account without the real customer’s voice. Unfortunately, that’s optional.

TIAA denied sending the emails with login links that our staffers in fact received. “TIAA will never ask for personal information through an unsolicited email,” said a company spokesperson who did not want to be identified in our article. Maybe he doesn’t consider login information “personal information”?

TIAA also said it employs numerous security safeguards to protect customer accounts, including 24/7 monitoring, regular updates of anti-malware, and “reasonably up-to-date security patches…and firewall protection.” It also offers two-factor authentication, including SMS text codes and voice verification—but they’re optional.

If all that fails TIAA says its “Customer Protection Policy” promises to reinstate a client’s account in full if there’s a loss due to unauthorized activity. But reimbursement is contingent on a loss that TIAA determines is “through no fault of the client” and not “attributable to client negligence.” The policy also requires investors to follow specified security practices. As we also reported last summer, TIAA lays out 68 such mandates, the second-most among 15 major investment firms we assessed.

Your mutual fund and investment brokerage assets are especially vulnerable because they don’t enjoy the same regulatory protections against fraud losses that your bank deposits and debit and credit cards do.

That’s all the more reason why financial institutions should not confuse customers—and lead them to violate their obligations under any voluntary fraud protection—by telling them one thing in words (Don’t click on links!) but doing the opposite in deeds (sending emails that encourage them to click on links).

SunTrust denied that it sends unsolicited emails with login links, but it confirmed that it does send those to customers who sign up for, and thus solicit, email notifications. The bank also acknowledged that phishing is an industry-wide concern, and “We urge…everyone to be wary of any suspicious messages, links, and requests for personal information,” said Mike McCoy, a spokesman.

Protect Yourself

  • Never click links in emails or text messages that you receive from financial institutions.

  • Ignore the email link. Instead open up a new browser window and type in the web address of the institution that you already know and trust is legitimate. Or bookmark the known legitimate site in your web browser’s toolbar and click that link.

  • Better yet, access accounts primarily through your financial institutions’ secure mobile apps (which should use your smartphone’s unique device identifiers and fingerprint ID or facial recognition for added authentication) and communicate using the institution’s secure messaging system (instead of unencrypted email).

  • Ratchet up the settings on your internet browser and email account to filter out phishing emails. But since this technology is never 100 percent effective, remain vigilant.

  • Use a password manager that will automatically fill in login credentials on legitimate websites—but won’t fill in the username and password fields on spoofed sites accessed through a phishing email.

  • Enable voice verification or other biometric authentication, such as a fingerprint or scan of the unique patterns of your eye, for all of your financial accounts, if available.