- Key insight: The standard for strong passwords has shifted away from complex characters and toward longer "passphrases" made of multiple random words, which are easier to remember and harder to crack.
- What's at stake: Banks warn that money sent to a scammer using an "authorized" instant payment, like a wire transfer or Zelle, is often irreversible and may not be recoverable.
- Expert quote: Good cyber hygiene is "just like brushing your teeth," says Zack Brown of First Community Bank, emphasizing the need for regular, foundational security habits.
Overview bullets generated by AI with editorial review
In October, many banks and credit unions observe cybersecurity awareness month — an initiative of the federal government — by ramping up communications to educate consumers and businesses about financial threats.
Some financial institutions tailor these communications thematically week to week. Others stick to one, simple message all month. Many banks issue warnings and announcements in emails and on their websites; others post videos that relay messages about security.
American Banker analyzed how a selection of banks and credit unions tailor their cybersecurity awareness messaging to identify the most common themes of banks' communications and where these messages conflict.
Structured education campaigns
First Federal Community Bank of Bucyrus, based in Bucyrus, Ohio, closely embraces cybersecurity awareness with what it calls a "
This game plan is based around five themes: strong authentication, spotting scams, device and network safety, protecting kids and seniors, and a Halloween special called "Don't Get Tricked."
Each week comes with a one-pager of advice related to that week's theme. During device and network safety week, the bank provided a guide to its customers advising them, for example, to avoid public Wi-Fi and trust cellular data over "that free café connection."
Institutions frequently reinforce foundational "cyber hygiene" principles such as these throughout the month.
Zack Brown, senior vice president and senior operations officer at First Community Bank, said during a segment on News 4 Utah, an ABC affiliate in Salt Lake City, that having good cyber hygiene is "just like brushing your teeth."
One foundational hygiene practice often cited in October is the use of strong passwords. But the messaging on what makes a password strong can vary.
Passwords are out. Passphrases are in
Within the cybersecurity world, the consensus on what makes for a strong password has changed in recent years as the professional community has come to better understand the negative impacts of stringent password requirements.
Websites have often imposed a set of password-creation rules that nudged users toward long strings of random characters. These rules typically required the user to include at least one upper case letter, one lower case letter, one number, one symbol and so on.
These long, random strings are hard for criminals to guess, but they are also hard for users to memorize, and on balance,
"Analyses of breached password databases reveal that the benefit of such rules is less significant than initially thought, and the impacts on usability and memorability are severe," reads
As such, many banks and credit unions have abandoned these rules and now suggest customers use passphrases instead. These passwords consist of multiple, random words — something like "correct horse battery staple" — that are easier to memorize than random letters and numbers.
Passphrases also tend to be longer than the previous generation of passwords, and NIST now says length is the primary measure of how secure a password is.
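To make the contrast concrete, the following added example (not from the article or from any bank's code) puts a legacy composition-rule policy beside a length-and-blocklist policy, and computes the guessing entropy of a random-word passphrase versus a random-character password. The 7776-word list size, the 95-character printable set, the 15-character minimum and the tiny blocklist are constructed assumptions for illustration.

```python
import math

# Constructed stand-in for a breached/common-password corpus. A real
# deployment would check against a large breached-password list instead.
COMMON_PASSWORDS = {"password", "p@ssw0rd1", "123456", "qwerty123", "letmein"}

def composition_rule_ok(pw: str) -> bool:
    """Legacy policy: at least 8 characters plus one upper case letter,
    one lower case letter, one digit and one symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))

def length_policy_ok(pw: str, min_len: int = 15) -> bool:
    """Length-first policy in the spirit of current NIST guidance: a minimum
    length (15 assumed here) and a blocklist check, with no composition
    rules at all. Spaces are allowed so multi-word passphrases work."""
    return len(pw) >= min_len and pw.lower() not in COMMON_PASSWORDS

def entropy_bits(choices: int, length: int) -> float:
    """Guessing entropy of a secret built from `length` independent,
    uniformly random picks out of `choices` options: log2(choices^length)."""
    return length * math.log2(choices)

def evaluate(pw: str) -> dict:
    """Run both policies over one candidate secret."""
    return {"composition_rules": composition_rule_ok(pw),
            "length_policy": length_policy_ok(pw)}

if __name__ == "__main__":
    # A "complex" password that satisfies every composition rule but is a
    # well-known breached pattern, beside the passphrase the article cites.
    for candidate in ("P@ssw0rd1", "correct horse battery staple"):
        print(f"{candidate!r}: {evaluate(candidate)}")
    # Four random words from a 7776-word diceware-style list versus eight
    # random printable ASCII characters: roughly the same entropy, but only
    # one of them is memorable. A fifth word pulls clearly ahead.
    print(f"4 words:  {entropy_bits(7776, 4):.1f} bits")
    print(f"8 chars:  {entropy_bits(95, 8):.1f} bits")
    print(f"5 words:  {entropy_bits(7776, 5):.1f} bits")
```

The entropy figures assume the words and characters are chosen at random by a generator; a passphrase the user composes from favourite words is considerably weaker than the formula suggests.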
Defining institutional boundaries
A core component of banks' cybersecurity communication strategies involves managing customer expectations by clearly stating what the bank or credit union will and will not request.
Banks often use direct, authoritative language in these statements, designed to counter impersonation scams.
Capital One says its agents will "not ask you over the phone to provide your online banking password."
Tri Counties Bank in Chico, California, asserts, "We do not send mobile text or email messages requesting personal information."
First Bank and Trust Company in Lebanon, Virginia, tells customers, "Our bank will never call or text customers and ask for your PIN number, password or any other sensitive security information."
Eastern Bank in Boston, Massachusetts, says, "We will never ask you to send confidential information to us via email, such as your logon ID, password, account numbers, or Social Security number."
Furthermore, financial institutions warn customers about the imposter scams they are looking to undercut.
Wells Fargo reminds customers that imposter scammers may pressure them to act right away, recommending, "Don't be afraid to end communication with the person who contacted you so you can have time to do more research."
Chase advises users, "If a charity reaches out unexpectedly, say you'll call back using the number listed in the CharityWatch or the BBB Wise Giving Alliance."
Analyzing the threat landscape
Financial institutions often help their customers identify the scams and fraud targeting them by clearly describing these schemes.
Institutions that focus on business banking often highlight check fraud as a top threat. Eastern Bank suggests countering check fraud "by implementing dual control systems on both the setup and authentication" of payments and utilizing positive pay.
Large banks stress in their customer education material the high risk associated with immediate digital payments like wire transfers and Zelle.
Wells Fargo advises that if customers send money to a scammer using a wire transfer or digital payment app, they "may not be able to get it back" because these payments are often irreversible.
Chase emphasizes the difficulty of recovery: "It's difficult to recover money that you willingly sent (an 'authorized purchase'), even if you were tricked into doing so."
One popular theme among banks' communications is to enumerate all the different forms of impersonation attacks, which First Federal Community Bank labels
- Phishing (email): Fraudsters send emails designed to trick recipients into revealing sensitive information. Red flags include poor grammar, misspellings and generic greetings.
- Vishing (voice phishing): Scammers call directly, often playing a recording or, in more sophisticated attacks, using live AI voice generation to request personal information.
- Smishing (text phishing): Fraudsters use text messages to entice individuals to reveal information. One text scam reported by First Bank and Trust Company impersonated the institution and asked customers "to confirm or deny a business account transaction."
- Quishing (QR code phishing): Institutions caution customers against scanning QR codes to pay, warning that the codes might be tampered with or lead to fake websites that steal payment information.