Banks spend more on IT security than any other industry. However, a hefty security budget may not be enough to prevent customers from falling for scams.

According to a Kaspersky Lab report, 63% of bank IT executives believe customers could be the weakest link in security. The study also found that more than 40% of respondents believe customers are careless with their online behavior and 38% expressed difficulty in balancing customer convenience with the need to prevent fraud.

But as an industry, we must shore up our defenses at a time when our customers have become a growing target of phishing attacks: innocent-looking emails that appear to come from the bank but are actually sent by criminals, and that carry either a link to a counterfeit login page that harvests the customer's credentials or an attachment that installs malicious software. In the same Kaspersky Lab survey, 46% of financial services executives say their top security concern is phishing attacks directed against their own customers.

There is good reason for these concerns. Once a customer opens a malicious attachment or enters credentials on a counterfeit site, the attacker's goal is to steal money, expose confidential information or otherwise cause significant damage. Ransomware, which phishing emails can deliver, has already brought businesses, banks and hospitals to a halt throughout the world. In fact, ransomware is on track to set a 12-month record for infections: at a peak in May 2017, Symantec, a leader in antivirus software, reports having blocked more than 100,000 attacks per hour.

Cybercriminals target bank customers for the same reason bank robbers target banks — that is where the money is. IT professionals are in the unique position of protecting both bank infrastructure and customers who are the target of phishing attacks.

As it stands today, banks that identify phishing attacks send warnings to their customers nationwide to educate them on the risk. But how far must banks go to protect customers from themselves? The answer is not obvious and the approaches will vary from bank to bank. However, it may involve rethinking how the bank sends marketing messages.

The phishing problem stems, in part, from how prolifically financial services firms use email marketing. The typical bank or insurance firm sends out 12.2 emails per month compared to an average of 5.5 in other industries. Most of these emails include links to credit card applications, new account solicitations or other product offers. Consumers are therefore conditioned to seeing and responding to such offers; however, that same conditioning makes them more likely to click on spoofed emails that imitate the bank's legitimate mailings.

As threats continue to increase, some financial institutions are considering eliminating all hyperlinks from their emails to reduce the risk. But it is not an easy decision: bankers have to decide whether the trust and security such a move produces outweigh the economic costs, which include lost responses, damaged reputations and impaired customer relationships.

For many banks, eliminating all email links would be a tough policy to swallow. The effectiveness of email marketing could plummet by as much as 85% if hyperlinks are dropped, because that is how heavily the industry depends on links to convert prospects. On the other hand, marketers would likely develop new response options, one of which may be as simple as having the customer hit “reply” to indicate interest in a bank product or service. A reply-based channel carries a caveat of its own: a spoofed message can set its Reply-To header to an attacker's mailbox, so the bank still needs to authenticate its outbound mail domain (SPF, DKIM and DMARC) so that receiving mail systems can reject messages the bank did not send.
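Whichever policy a bank chooses, it needs a way to enforce it before a template goes out. The following is an added example, not code from the article or from any institution it mentions: a small audit that parses an HTML marketing template, lists every hyperlink, and checks it against either the "no links" policy discussed above or a softer "first-party links only" policy. The first-party mode also flags the pattern customers are conditioned not to notice, where the visible link text names the bank's site while the href points elsewhere. The domain names and templates are constructed for illustration.

```python
"""Audit an outbound email template for hyperlinks before it is sent.

Added example (not from the article). Two policies:
  "no-links"     every <a href> is a finding (the policy the article describes)
  "first-party"  only https links to the bank's own domains are allowed, and the
                 visible link text must not name a different host than the href
The bank domain and the sample templates below are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed first-party domain; any subdomain of it is treated as the bank's own.
FIRST_PARTY = ("examplebank.test",)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the template."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, or "" if it has none."""
    return (urlsplit(url).hostname or "").lower()


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def is_first_party(host):
    """True when host is one of FIRST_PARTY or a subdomain of one of them."""
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY)


def _text_host(text):
    """Hostname named by link text that looks like a URL or bare host, else ""."""
    looks_like_url = "://" in text or (" " not in text and "." in text)
    if not looks_like_url:
        return ""
    return _host(text if "://" in text else "https://" + text)


def audit_template(html, policy="first-party"):
    """Return a list of (href, reason) findings; an empty list means the template passes."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if policy == "no-links":
            findings.append((href, "policy forbids hyperlinks in customer email"))
            continue
        scheme = urlsplit(href).scheme.lower()
        host = _host(href)
        if scheme != "https":
            findings.append((href, f"scheme {scheme!r} not allowed; only https links may be sent"))
        if not is_first_party(host):
            findings.append((href, f"third-party host {host!r}"))
        shown = _text_host(text)
        if shown and _strip_www(shown) != _strip_www(host):
            findings.append((href, f"link text shows {shown!r} but href goes to {host!r}"))
    return findings


# Constructed sample templates (not real bank mailings).
GOOD_TEMPLATE = (
    '<p>Rates are up. <a href="https://www.examplebank.test/cd-rates">'
    "See today's CD rates</a></p>"
)
# Lookalike host, plain http, and display text that names the real bank site.
SPOOF_TEMPLATE = (
    '<p>Verify your account: <a href="http://examplebank.test.login-verify.example/">'
    "https://www.examplebank.test/login</a></p>"
)

if __name__ == "__main__":
    for name, tpl in (("good", GOOD_TEMPLATE), ("spoof", SPOOF_TEMPLATE)):
        for policy in ("first-party", "no-links"):
            print(name, policy, audit_template(tpl, policy))
```

Run against the constructed templates, the legitimate mailing passes the first-party policy and is flagged only under the no-links policy, while the spoofed one produces three findings (non-https scheme, third-party host, and a link text that names the bank while the href does not). In practice this check would sit in the template review pipeline so that a marketing email cannot be queued until the audit returns no findings.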

Whether or not banks drop hyperlinks from emails, institutions are also pursuing other approaches to reduce the risk of phishing, such as aggressive cyber education campaigns, two-factor authentication for online banking, adding security guidance to their websites and holding periodic seminars.

Deciding how far to go to protect customers is a thorny issue and unique to each institution. But it’s an issue that more banks should address soon in whatever manner they deem suitable for their risk thresholds — before the next phishing attack.