Tuesday, June 16, 2026

Just Email Us the Documents

Consumer · Field notes REF / SECURITY

How two banks, in the same week, asked me to send my most sensitive documents over the one channel they spend a fortune warning me never to trust — and what happened when I asked for something safer.

Two banks. Same week. Both wanted proof of residency and proof of income. Both, without a flicker of self-awareness, asked me to email it to them.

These are institutions that freeze your card if you buy a coffee in the wrong postcode. That make you authorise a €30 transfer with a fingerprint, a one-time code, and a passive-aggressive push notification. That bury you in literature about phishing, about never sharing details, about how they will never ask you to send sensitive information by email.

And then they ask me to send sensitive information by email.

What’s actually in those documents

Stop and think about what a “proof of residency and proof of income” bundle contains. A utility bill or bank statement with my full name and home address. Payslips or tax documents with my employer, my salary, my national insurance or tax reference number. Often an account number or two thrown in for good measure. Frequently a signature.

That is not paperwork. That is a starter kit for identity theft, assembled and gift-wrapped, sent over the one channel specifically designed in 1971 without a single thought for confidentiality.

Email was never secure and never pretended to be

Here’s the part the average compliance officer seems to have missed. Email is not a sealed envelope. It’s a postcard that may or may not be carried in an armoured van for part of the journey.

Yes, most providers now negotiate TLS between mail servers, so the message is usually encrypted in transit. But “usually” is carrying a lot of weight there — if the receiving server doesn’t support it, plenty of systems silently fall back to plaintext rather than fail. And in-transit encryption does nothing about the rest of the lifecycle:

  • The attachment sits decrypted at rest in my Sent folder, indefinitely.
  • It sits decrypted in their inbox, indefinitely, on infrastructure I will never see and cannot vouch for.
  • It passes through, and is logged by, however many intermediate systems, spam filters, and archiving appliances sit between us.
  • It is exactly one compromised mailbox — mine or theirs — away from being copied wholesale. And email accounts are the single most phished, most credential-stuffed, most reused-password target on the internet.

End-to-end encryption — the thing that would actually fix this — is something neither a high-street bank nor a normal customer has set up. So it isn’t happening. The document is travelling in the clear at both ends of its life, which is most of its life.
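One way to see how much of a message's journey was actually encrypted is to read the Received headers on the delivered copy. The following is an added example, not part of the original post: the sample message, hostnames and function names are constructed, and it assumes servers record the RFC 3848 "with" keywords or a TLS comment.

```python
import re
from email import message_from_string

# Constructed sample message: hostnames, ids and addresses are invented.
SAMPLE = """\
Received: from mx.bank.example (mx.bank.example [192.0.2.10])
\tby inbound.archive.example with ESMTP id abc123
\tfor <docs@bank.example>; Tue, 16 Jun 2026 10:00:05 +0000
Received: from out.mailhost.example (out.mailhost.example [198.51.100.7])
\tby mx.bank.example with ESMTPS id def456
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tTue, 16 Jun 2026 10:00:03 +0000
Received: from laptop.local ([203.0.113.5])
\tby out.mailhost.example with ESMTPSA id ghi789;
\tTue, 16 Jun 2026 10:00:01 +0000
From: customer@mailhost.example
To: docs@bank.example
Subject: Proof of income

(attachment omitted)
"""

# RFC 3848 "with" keywords: a trailing S (or SA) means the hop used TLS.
TLS_WITH = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
PLAIN_WITH = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA"}
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)

def classify_hop(received):
    """Return 'tls', 'plaintext' or 'unknown' for one Received header."""
    flat = " ".join(received.split())          # undo header folding
    m = WITH_RE.search(flat)
    proto = m.group(1).upper() if m else ""
    # Some servers use a non-standard keyword but note TLS in a comment.
    if proto in TLS_WITH or re.search(r"version=TLS|using TLS", flat, re.I):
        return "tls"
    return "plaintext" if proto in PLAIN_WITH else "unknown"

def audit_hops(raw_message):
    """List (receiving host, verdict) per hop, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):  # newest is on top
        by = BY_RE.search(" ".join(header.split()))
        hops.append((by.group(1) if by else "?", classify_hop(header)))
    return hops

if __name__ == "__main__":
    for host, verdict in audit_hops(SAMPLE):
        print(f"{verdict:9} received by {host}")
```

Each header is written by the server that received the message, so the result only covers hops that chose to record themselves, and it says nothing about how the attachment is stored once it arrives.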

The bit that should genuinely worry them

Forget the technical exposure for a second. The worse damage is behavioural.

Banks have spent two decades and untold marketing budgets trying to train customers on one rule: we will never ask you to send personal information by email, so if someone does, it’s a scam. It’s printed on statements. It’s in the app. It’s read out by the hold music.

Then the real bank emails you and asks for personal information by email.

Every time a legitimate institution does this, it sands down the one instinct that protects people. It teaches customers that yes, actually, banks do fire off unsolicited requests for sensitive documents over email, and the right response is to comply quickly. That is the precise reflex every phishing campaign on earth is trying to manufacture — and the banks are manufacturing it for free, on the bank’s own letterhead, making the next fraudulent request indistinguishable from a real one.

You cannot run a customer-education programme that says “this never happens” while operating a back office that does it twice a week.

It isn’t even hard to do properly

The maddening part is that the fix is mature, cheap, and already sitting in most of these organisations:

  • A secure upload portal — a link to an authenticated page on the bank’s own domain where you drop the file. Standard for a decade.
  • In-app document upload. The app I authenticate into with biometrics every single day. The file never touches email at all.
  • Secure messaging inside online banking, where the document stays within their walls end to end.
  • Failing all of that, bring it to a branch — remember those?

This is not a budget problem or a technology problem. It’s an institutional shrug. Email is the path of least resistance for whichever team is chasing the document, so email wins, and the security function that would object either wasn’t asked or was overruled by “the customer just needs to send it.”

So I asked. Reader, it went well.

I didn’t email anything. I asked both banks for a secure alternative, and the responses were instructive.

The first bank actually had a portal — and sent me a link to it. The link was broken. Dead. A 404 where my sensitive documents were supposed to go. This is, in a grim way, the most honest outcome of the lot: the secure capability exists on paper, someone built it, someone is presumably reporting it up the chain as “customers can upload securely” — and it doesn’t work. A broken secure channel is arguably worse than an honest lack of one, because it lets everyone tick the box while the real-world fallback quietly becomes “oh, just email it then.” Security that 404s isn’t security. It’s a screenshot for an audit.

And here’s the kicker. This same bank has a perfectly good secure app — the one I log into with my face, the encrypted channel I’m already trusted to move money through. It just doesn’t support document upload. So the most secure pipe they own, the one I’m holding in my hand, can’t accept the very thing they’re asking me for. The secure channel exists and the broken channel exists, and the only one missing is the join between them. So the document gets routed to email — the least secure option on the menu — not because the secure one is unavailable, but because nobody finished building the on-ramp to it.

The second bank is still thinking about it. But it did offer an alternative while I wait: the post. Send the documents by mail.

And — how, exactly, is that more secure?

Post is a sealed postcard’s more confident cousin, and not much else. Standard mail has no encryption because it has no anything — it’s a physical object handled by a chain of strangers, dropped through a letterbox that, in plenty of buildings, is a communal tray anyone can reach into. There’s no tracking unless you pay for it, no proof of delivery, no audit trail, and no way to know it arrived until it doesn’t. It can be lost, misdelivered, or simply lifted — mail theft is a real and growing route into exactly this kind of identity fraud. And in my case the documents would be crossing a border to get there, which adds days of exposure, more hands, and more depots.

So the menu I’ve been offered is: an insecure digital channel (email), a secure digital channel that doesn’t load (the dead portal), or a Victorian analogue channel with no security model at all (the post). The only option deliberately designed with confidentiality in mind is the one that’s broken.

Security theatre, meet security tragedy

We’ve all rolled our eyes at security theatre — the elaborate, visible rituals that make you feel protected while achieving very little. Forced 90-day password rotation. The transaction you have to approve from three different directions.

This is the inverse, and it’s worse. It’s a real, serious risk handled with total informality, behind a façade of an institution that talks about security constantly. The performance is all front-of-house. Out the back, your tax documents are going out as a Gmail attachment — or, when someone finally builds the proper channel, sitting behind a link that 404s while the bank suggests you pop them in the post instead.

Everything secure about the bank stopped exactly where I needed it most.

If your bank asks you to email proof of income, don’t. Ask for the secure portal — and then check it actually loads, because apparently that’s on you now too. And if the fallback they offer is the post, ask them, as I did, how a chain of strangers and an unlocked letterbox is the more secure option. Make them sit with the question. Somewhere in that organisation is a secure channel that works. They just haven’t been asked often enough to go and find it.

Ends
