Why Your Bank Will Never Call You About Your Account
Real banks do not call to ask for verification. Here is why, what calls and emails are actually phishing, and how to verify any banking communication.
Your bank will never call you to verify your account. Your bank will never email you a link to log in. Your bank will not contact you out of the blue and ask for your PIN, security questions, or authorization codes. Any communication that does any of those things is phishing, regardless of how authentic it sounds or how convincing the bank logo looks.
This rule is the one piece of bank security advice that is uniformly true, uniformly under-followed, and the cause of most consumer banking fraud losses. This post is the long version of why the rule exists, what real bank communications look like, and how to verify any unexpected contact.
The Rule
The rule, stated plainly: any unsolicited contact (call, text, email, push notification) that asks you to verify, confirm, authorize, log in, or share information is phishing by default. Treat it as phishing. Do not respond. Do not click. Do not provide information. Open a separate channel (a new browser tab to the bank’s site, or a phone call to the number on your card) to check directly whether anything legitimate is happening with your account.
The rule applies to:
- Phone calls from “your bank’s fraud department.”
- Texts saying “we noticed unusual activity, click here to verify.”
- Emails saying “your account has been temporarily locked.”
- Push notifications appearing to come from your bank’s app but linking to a verification site.
- Voicemails asking you to call back to a number you have not seen before.
- Any communication that creates urgency around an account issue you did not initiate.
The rule does not apply to:
- Communications you initiated. If you logged into the bank, did something, and got an automated confirmation email, that is normal.
- Routine statements and notifications that do not ask you to take action via a link.
- Verifications you initiated. If you called the bank and they ask security questions to confirm your identity, that is appropriate. The rule is about unsolicited contact.
Why Banks Have This Policy
The policy is not an arbitrary corporate rule. It exists because the alternative makes phishing impossible to defend against.
If banks routinely contacted customers asking for credentials in unsolicited communications, every phishing email or call would be indistinguishable from legitimate bank contact. The bank could not realistically train customers to recognize phishing if the bank itself sends similar-looking messages. The “we will never ask” policy is the bank protecting itself and its customers from a category of attack that has no defense if the policy is not maintained.
Banks invest heavily in this policy. The customer service scripts at major banks are explicit: agents will not ask for full passwords, PINs, or authorization codes during outbound contact. The bank’s own systems treat outbound credential requests as a violation of internal protocol. When a real bank does call (which is rare and almost always in response to a customer-initiated dispute), the agent identifies themselves and asks the customer to call back through the official channel to verify the agent’s identity before discussing any sensitive information.
The “we will never call” rule is not exaggeration. It is operational reality at every regulated financial institution.
What Real Bank Communications Look Like
Three categories of communication are legitimate and do not trigger the rule.
Statement notifications. Your monthly statement is ready. Your year-end tax document is available. These contain no urgency, no verification request, and no call to action beyond “log in to view.” You can ignore them and check your statements when you log in normally. They will still be there.
Confirmations of actions you took. You logged in. You initiated a transfer. You added a payee. You changed your password. The bank confirms via email that the action happened. These are responses to actions you initiated. If you did not initiate the action, the email is informing you that something happened on your account that should not have, and the response is to log in directly and investigate, not to click any link in the email.
Routine fraud alerts. Some banks send “we declined a transaction at [merchant] for [amount]; respond YES to approve or NO to decline.” These are typically text-message-based and rarely include credentials, links, or follow-up calls. Verify by logging into the bank app directly, not by responding to the text.
What real bank communications never include: requests for full passwords, requests for one-time verification codes (a code is sometimes delivered to you, but the bank’s system receives it when you enter it yourself, never from you reading it aloud to an agent), urgent threats of account suspension, links you must click to “secure your account,” or calls from agents asking you to “verify your identity” by reciting confidential information.
The Specific Phone Patterns
Phone-based bank phishing has a few common shapes worth recognizing.
The fraud verification call. “Hi, this is the fraud department at [your bank]. We noticed a suspicious charge for $487 at [merchant]. Did you make this purchase?” If you say no, the caller asks you to verify your account by reading back a one-time code that is about to be texted to you. The code is the actual MFA code for the attacker’s login attempt. The caller is using your “no, I did not make that charge” as the social engineering wedge to get you to read aloud the code that authorizes their access.
The bank security agent call. “I’m calling from [bank]’s security team. There’s been an attempt to access your account. To stop it, I need you to confirm your account details and we’ll lock the account.” The agent works through your information one piece at a time, building rapport, until they have enough to bypass account security questions or enable a transfer.
The internal bank investigator call. “Hi, I’m calling from [bank]. We’re investigating a potential fraud ring and we need your help to catch them. We need you to move funds to a quarantine account so the criminals don’t get them. Don’t tell anyone, this is a confidential investigation.” The “quarantine account” is the attacker’s. The instruction to keep it confidential prevents the victim from confirming the request with anyone who might recognize it as fraud.
The defense for all three is the same: hang up. Call the bank back using the number on the back of your debit or credit card. If there is a real fraud issue, the bank will tell you when you call directly. If there is no real issue, the original call was the fraud.
The Specific Email Patterns
Email-based bank phishing has shifted with the times, but the core shapes remain.
The fake account lock. “Your account has been temporarily restricted due to unusual activity. Verify your account within 24 hours to avoid permanent suspension.” The link goes to a phishing site that mimics the real bank login. The user enters credentials, which are captured.
The fake document. “Your year-end tax document is ready. Click to download.” The link goes to a malware site or a credential harvesting page. Real bank documents are accessed by logging in directly, not by clicking email links.
The fake transfer confirmation. “Your wire transfer of $5,432 has been initiated. If you did not authorize this, click here to cancel.” The “cancel” link goes to a credential harvesting page. The fake transfer never existed; the email is designed to make you click the link in panic.
The defense: open a new browser tab, navigate to the bank’s site directly, and check. If the issue is real, you will see it when you log in. If the issue is not real, the email was phishing.
The Mobile and Push Notification Patterns
Mobile attacks are an increasing share of consumer banking fraud. Common patterns:
Smishing (SMS phishing). Texts appearing to come from the bank with a link to verify or take action. Banks rarely send actionable links via SMS. Treat them as phishing by default.
Push notification phishing. Some banking apps display push notifications. Attackers have crafted lookalike notifications that route to phishing sites. Verify by opening the actual bank app, not by tapping the notification preview.
App impersonation. Fraudulent apps in app stores that mimic real bank apps. Download bank apps only through a link on the bank’s official site, or from a store listing you have verified against the bank’s domain.
How Email Paywalls Help
Bank phishing depends on reaching inboxes cheaply at scale. A campaign sending fake bank emails to 100,000 recipients works if even a small fraction click the link. The economics depend on the marginal cost of one more recipient being approximately zero.
A small cover charge for unknown senders changes that math. The 100,000-email campaign now costs $4,000 in cover charges. The conversion math has to support that. For most bank phishing, it does not.
The cover charge does not catch a targeted attacker who has selected a specific high-value individual and is willing to pay four cents to reach them. When that happens, the email arrives marked PAID, which is itself a useful signal: your real bank would not be paying a cover charge to reach you. A paid email claiming to be from your bank is a visible red flag at the inbox layer. The mass version of bank phishing is gone; the few targeted survivors come with a payment trail and a label.
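As an added illustration (not code from the original post), here is a small inbox triage function that applies the rule from the top of the post, unsolicited contact that asks you to verify, confirm, log in or share is phishing by default, together with the PAID-from-a-bank red flag described above. The message fields, the `paid` marker and the sample texts are constructed assumptions; the cue words are taken from the patterns the post describes.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Cues taken from the post: requests to verify/confirm/authorize/log in,
# requests for credentials, manufactured urgency, and a link you must click.
ACTION = re.compile(r"\b(verify|confirm|authori[sz]e|log ?in|validate|read back)\b", re.I)
CREDENTIAL = re.compile(r"\b(password|pin|one[- ]time code|security questions?|authori[sz]ation code)\b", re.I)
URGENCY = re.compile(r"\b(within \d+ hours?|immediately|urgent(ly)?|suspen\w*|restrict\w*|locked)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)

@dataclass
class Message:
    body: str
    claims_bank: bool       # display name or text says it is your bank
    user_initiated: bool    # confirmation of something you just did yourself
    paid: bool = False      # hypothetical PAID marker from a sender cover charge

def triage(msg: Message) -> list[str]:
    """Apply the rule: unsolicited contact that asks you to act is phishing by default.
    Returns the reasons a message is flagged; an empty list means routine."""
    if msg.user_initiated:
        return []  # confirmations of your own actions are normal
    reasons = []
    asks = bool(ACTION.search(msg.body))
    if CREDENTIAL.search(msg.body):
        reasons.append("asks for a password, PIN or code")
    if asks and LINK.search(msg.body):
        reasons.append("link you must click to verify or log in")
    if asks and URGENCY.search(msg.body):
        reasons.append("manufactured urgency around an action")
    if msg.paid and msg.claims_bank:
        reasons.append("a real bank would not pay a cover charge to reach you")
    return reasons

# Constructed sample messages modelled on the patterns described in the post.
SAMPLES = {
    "statement":  Message("Your monthly statement is ready. Log in to view it.", True, False),
    "confirm":    Message("You added a new payee. If this was not you, log in and review.", True, True),
    "fake_lock":  Message("Your account has been temporarily restricted. Verify your account "
                          "within 24 hours at http://example.invalid/secure to avoid suspension.",
                          True, False),
    "fraud_call": Message("Fraud department here. Read back the one-time code we just texted "
                          "you so we can verify the charge.", True, False),
    "paid_bank":  Message("Please confirm your card number and PIN to keep your account open.",
                          True, False, paid=True),
}

def triage_samples() -> dict[str, list[str]]:
    return {name: triage(msg) for name, msg in SAMPLES.items()}
```

Note that the routine statement notice passes even though it says “log in to view”: the rule is triggered by the combination of a request with a link, a credential, or urgency, not by the phrase alone.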
We covered the structural-filtering layer in why we don’t use AI to fight AI phishing and the broader phishing defense stack in how to defend your inbox from phishing in 2026.
The Practical Defense
For consumer banking specifically, the realistic defense:
- Internalize the rule. Banks do not call or email asking you to verify credentials. Any communication that does is phishing.
- Verify through the official channel. Always navigate to the bank directly, never through a link in a message.
- Hardware-key MFA on the bank account. YubiKey or equivalent for the most important financial accounts. App-based MFA is acceptable for less critical accounts.
- Watch for the urgency cue. Any unsolicited contact creating time pressure is suspect by default.
- Use a structural inbox filter. Reduces the volume of mass bank phishing reaching your inbox in the first place, which makes the few targeted attempts that do arrive easier to evaluate.
Rythm handles the inbox filtering layer for $1.65 per month. The cover charge collapses mass phishing economics, including bank phishing. Combined with the rule of “verify through official channels only,” consumer banking fraud becomes substantially harder to land.
The rule is simple, well-known, and routinely violated under pressure. The reason it gets violated is that the attacks are designed to defeat the rule by manufacturing urgency. The defense is the rule plus the structural reduction in volume that makes the urgency-cue attacks rarer.