“Based on our sharing of your data without consent, will you recommend us?”

Bank Spam is the Best Kind of Spam!

Bad Privacy Blog by Claudiu Popa
3 min readMar 17, 2021


It’s always perplexing when legitimate, unsolicited emails appear to intentionally masquerade as phishing expeditions. It’s even more confusing when banks, the very organizations that claim to understand security intimately, demonstrate precisely what not to do.

This pearl recently landed in my inbox.

Given BMO’s track record with phishing and since there is a veritable pandemic of phishing out there, this is a good opportunity to demonstrate how not to ask for feedback:

1. Relationship: make sure they’re actually your customers. I personally have no dealings with this banking institution.
2. Sharing: don’t give our contact information to a random company and ask us to trust them, because you do
3. Irritation: Avoid breaching privacy with embedded email trackers
4. Outreach: It’s never a good idea for banks to send unsolicited emails unless it’s an urgent alert to go into a branch
5. Blind links: best practices suggest not including hyperlinks with your emails, but why let that stop you from collecting more data?
6. Website Surveillance: when including links to ‘privacy policies’, perhaps avoiding website bugs, trackers and beacons would be a good idea?
7. Confidence: when confirming an Unsubscribe, avoid using flaky expressions such as “You have been successfully removed and should not receive further invitations”.
8. Yeah, no: when sending emails out of the blue with information no one asked for, don’t include the phrase “for more information”. It could be a trigger for some.
9. Curiosity: when naming a department “Customer Experience”, what does that actually mean?
10. Yelling: on a personal note, when you address me, don’t say it in ALL CAPS. It’s a little startling, not to mention inappropriate.

With thanks to BMO Financial Group for the opportunity to provide this feedback. I hope it has been helpful.

And remember:

Fair enough.


As if to reward me for the free exposure, the Bank of Montreal waited a few days after confirming that I had unsubscribed from all their unsolicited emails, to target me with this new “opportunity”:

Bank of Montreal (BMO) uses privacy-invasive email trackers, web bugs and hidden hyperlinks under the guise of compliance with Canada’s Anti-Spam Law (CASL)
BMO loves to show appreciation for the Canada’s Anti-Spam Legislation (CASL)

Both the personalized message and the new unsubscribe confirmation were replete with web bugs, trackers and hidden hyperlinks, the hallmarks of email security.
Cybercriminals everywhere are secretly appreciating the Bank’s efforts to further erode privacy awareness and de-sensitize email recipients about the importance of email best practices.

Bank of Montreal (BMO) uses privacy-invasive email trackers, web bugs and hidden hyperlinks under the guise of compliance with Canada’s Anti-Spam Law (CASL)
Oh rest assured, I won’t, but something tells me that you will, BMO.



Bad Privacy Blog by Claudiu Popa

Fīat jūstitia, ruat cælum. Personal musings on data protection fails, snafus & oddities, written & edited by Claudiu Popa; author, educator, booknerd.