Helping people with computers... one answer at a time.

A bank sending messages as attachments doesn't understand security. This sounds like phishing.

Recently, two different banks have sent me emails telling me that they want to send me a message in a secure manner. In both cases, the bank's email invites me to open an attached file in order to receive my secure message. I checked externally; the messages seem to have come from the banks. Why can't they just send me the message or send an encrypted file?

As for the files, I was asked to open, they were both large but different HTML files. I did open one of them and a few days later, my periodic Malwarebytes scan found a Trojan. I can't say whether if it came from all this, but I haven't I had a problem before or since. I looked in all the HTML files (four in all) in a sandbox. One had over 30 internal scripts and another had a section that appeared to be machine language code, etc. What would you do with such invitations? I now ask that such messages be sent by U.S. Postal Service over land mail.

In this excerpt from Answercast #82, I look at the possibility that attachments from your bank only look like they are coming from your bank!

Bank sending messages as attachments

Well, this certainly smells suspicious. This sounds not like something from your bank, but something from someone who's trying to make you think it's from your bank.

In other words, this is just a phishing attempt.

Banks don't send attachments ... period. If they do, they're doing it wrong and I'd switch to a different bank. Seriously! They don't get security.

No sensitive information through email

What banks should be doing (and I know that my bank does this; my brokerage house does this, even PayPal does this) is they don't send sensitive information in email ... period.

What they do instead is send an email that says, "Hey, you need to go log into the website to read a message we have for you."

That way, you log into the website (the website is of course https, so it is both encrypted and secure and confirmed to be the site that you think it is) and there in their messaging options will be the message that they're trying to send to you.

Attachments can contain malware

Attachments are just wrong. As you've seen, an attachment will probably be full of a bunch of HTML, a bunch of scripting and who knows what else, perhaps with the intent to infect your machine with some form of malware.

So, ultimately, this was nothing more than phishing. Banks should not be sending you attachments at all simply because attachments can so easily be faked by spammers.

(Transcript lightly edited for readability.)

Article C6184 - December 27, 2012 « »

Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

Johnn Smith
December 29, 2012 4:33 AM

Is it a phishing email? A quick checklist:

Do I have an account with that bank? If not, it smells phishy.
Does the mail use my name or account number? If not, it smells phishy.

Either of those two are enough to make me hit the spam button. And you're right, Leo. Banks almost never send attachments - the only time I've had this happen is when I asked them to send me some paperwork that had been posted to me but hadn't arrived. I knew it was coming, the email used my name and account number, and quoted my request to them, so I knew it was safe to open.

James Heinrich
December 29, 2012 7:24 AM

Just for completeness, I have seen at least one major bank in South Africa send out account statements as an attachment that requires their proprietary viewing software to view. This is a bad enough practice on its own, but even more alarming when you realize that to view the attachment you only need the (freely downloadable) viewing software, you don't actually need to enter a password of any kind, so the supposed "encryption" is really nothing more than a proprietary document format, so they may as well have put the details in the body of the message in terms of security.

But anecdotes aside, especially within a North American context, any email attachments "from" a bank is a strong phishing indicator.

December 29, 2012 2:56 PM

One needs to be aware that web addresses are not always what they seem to be. Here are two examples:


{URLs slightly edited}

The first would appear to be a legitimate address for while the second would appear to be that of

In reality, the first address takes you to and the second points to .

December 30, 2012 3:01 AM

What I love about my bank ... When they send out information, at the top is an "Anti-Phish" number, so that you know, it is from the bank. Plus, there is never a "link", to go to the bank's website. The information will simply tell you what is going on and if, you want further information, to simply log-on at the bank website.

Plus, I have not received a paper statement, in years! Another safety factor, for me and my husband. No one can access my mailbox, to find out personal information. I simply, receive a monthly reminder, that my eStatement is available. Again, no "link", just basic information.

December 30, 2012 8:01 AM

Just assume any email from an official sounding entity (bank, shipping company, government agency, etc) that contains links or attachments is phishing. I just forward them to abuse@(correct address) and then delete them.

December 31, 2012 12:00 PM

In my personal and volunteer life, I deal with 3 different banks. I agree with Leo. If I get an email (and I think only 1 has my email address), it is only a reminder to log in and get a message from their secure website.

The other one that catches a lot of people, at least in Canada, but I assume they are also doing this in the US is the email that comes from the tax man. This one always surprises me that people fall for the supposed refund of $384.78. Where on the tax form does it ask for your email address? It doesn't. So how would the Canada Revenue Agency get your email address?.

If it doesn't come in the government envelope through Canada Post, it's not from the government.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to to ask your question.