Press enter or click to view image in full size

My Bank Trained Me to Fall for Phishing — And Doesn’t See the Problem

--

How Tyl by NatWest outsourced my security to a company I’d never heard of

I run a small business. Like millions of others in the UK, I use a payment service provided by my bank. And one morning, my bank — without telling me — taught me to do the one thing every fraud prevention campaign in the country says I should never do: click a password reset link in an email from a sender I didn’t recognise.

Let me explain.

The email I nearly deleted

I’m a Tyl by NatWest customer. Tyl is NatWest’s own card payment service, marketed directly to small businesses and sole traders. When I signed up, I dealt with Tyl. My contract was with Tyl. My app said Tyl on it.

So when I received a password reset email from a company called ‘Phos’ — a name I had never heard of, from a domain I didn’t recognise — I did exactly what every piece of security guidance tells you to do. I didn’t click the link. I picked up the phone. The helpdesk confirmed it was legitimate. Phos (now part of Ingenico) it turns out, is the third-party company that powers Tyl’s Tap to Pay ‘Software Point of Sale technology’. They’ve been partners since June 2023. For nearly three years, every single Tyl merchant who resets their password has received an email from an unknown company, from an unknown domain, with no prior warning whatsoever.

I had assumed someone was trying to phish me. That is, after all, exactly what these emails looked like. An unknown sender. A generic message. A big, clickable “Reset Password” button. It had all the hallmarks of the scam emails NatWest themselves warn customers about on their own fraud prevention pages.

It turned out the emails were legitimate and Phos was handling the password reset process — under its own brand and its own email domain. At no point had Tyl or NatWest told me this would happen. No onboarding email. No in-app notification. No mention in the terms I could find. Just surprise emails from a stranger asking me to click a link.

Or, to put it the way I described it in my original notification the sentiment came across as: “You don’t know me but honestly you can trust me — please click the Reset Password link below.”

Why this matters beyond my inbox

This is not a story about one email. It is about a systemic failure in how banks communicate with customers when they outsource services.

Banks in the UK spend millions every year running anti-phishing campaigns. NatWest’s own website tells customers to be suspicious of unexpected emails, to check the sender’s domain, and never to click links from sources they don’t trust. Every one of those principles was violated by Tyl’s own process.

By sending customer-facing authentication emails from an unfamiliar third-party domain, Tyl is actively training its merchants to lower their guard — to normalise clicking links from unknown senders because, well, last time it turned out to be fine. That is the exact behaviour pattern that phishing attacks exploit.

This is not hypothetical. It is the reality for every Tyl merchant using SoftPOS right now.

This is not hypothetical — it has already been exploited, repeatedly

You might think I am overreacting. A password reset email from an unfamiliar sender — how dangerous can it be?

The answer, based on documented incidents over the past three years, is catastrophically dangerous.

• In September 2023, MGM Resorts was brought to its knees by a cyber attack that caused over $100 million in losses. Hotel bookings went down. Slot machines stopped working. Millions of customers’ personal data was compromised. The attack started with a single social engineering call requesting a password reset. The core vulnerability? MGM’s authentication was handled by a third-party provider called Okta, and the relationship between the customer-facing brand and the invisible third party handling security was not clearly communicated — even internally. The gap between who the customer sees and who actually controls the authentication was exactly what the attackers exploited.

That is precisely the gap that exists between Tyl and Phos.

It is not an isolated case.

• In August 2022, Twilio — a major communications platform — was breached after attackers sent messages impersonating its IT department, including links to fake password reset pages from unfamiliar sender addresses. Employees who had not been told what legitimate reset communications should look like clicked through and entered their credentials. The breach compromised over 130 downstream organisations, including the encrypted messaging app Signal.
• In January 2023, Mailchimp was hit when attackers directed staff to a phishing page mimicking a third-party authentication provider. Because Mailchimp had not told users which third-party domains were involved in its login processes, nobody could tell the fake from the real thing. 133 customer accounts were compromised.
• In October 2023, Okta itself — one of the world’s largest identity management providers — was breached. Attackers accessed its customer support system and stole session tokens for clients including Cloudflare, 1Password, and BeyondTrust. The lesson was stark: third-party identity providers are themselves high-value targets, and customers who do not know which third parties handle their authentication cannot assess whether a communication is legitimate.
• And in January 2026 — just weeks before I raised my complaint with Tyl — an Instagram bug allowed attackers to trigger mass automated password reset emails to users, creating the perfect conditions for account takeovers. Users could not tell the genuine reset emails from the fakes. Meta acknowledged the incident publicly.

In every single case, the root cause is the same: users received security-critical communications from a sender they did not recognise, because nobody had told them what to expect.

The numbers are getting worse, not better

The broader data confirms this is an accelerating crisis, not a fading one.

UK Finance reported that £629 million was stolen by fraudsters in the first half of 2025 — a 3% increase on 2024 — across more than 2 million incidents, a 17% rise. Check Point reported a 160% increase in compromised credentials in 2025 compared to the previous year. Kaspersky found that over one million online banking accounts were compromised by infostealers in 2025, with a 59% increase in detections globally.

Most alarmingly, a Hoxhunt analysis published in early 2026 found that AI-generated phishing attacks surged 14-fold between November and December 2025 alone, rising from 4% to 56% of all reported phishing emails. Financial service impersonations were among the most common themes. These AI-crafted emails are harder to spot because they closely mimic legitimate communications — making it even more critical that customers know in advance which sender domain to expect.

Even the NCSC — the UK Government’s own cyber security authority — has announced a policy objective to move the UK beyond passwords entirely, explicitly because password reset processes are so vulnerable to exploitation. Until that transition happens, the NCSC’s own guidance tells consumers: “If you’re not sure an email is genuine, don’t click any links in it.”

Tyl’s password reset email from [email protected] triggers every single red flag the NCSC lists:

• an unrecognised sender
• a request to click a link
• and no prior context.

A customer following government advice would — correctly — refuse to click.

The conditioning problem

There is one more dimension to this that goes beyond the immediate risk.

A Tyl customer who eventually discovers — as I did, only after phoning the helpdesk — that the Phos email is legitimate has now been trained to trust password reset emails from unfamiliar domains in connection with their financial accounts. That is the opposite of what every piece of security guidance recommends.

If that same customer later receives a genuine phishing email from a different unfamiliar domain — perhaps one that mimics phos.pro or uses a similar format — they are now more likely to click, because their experience with Tyl taught them that unfamiliar domains can be safe.

This conditioning effect is well-documented in behavioural security research and is precisely why the NCSC, NIST, and OWASP all recommend that organisations clearly communicate expected sender information in advance.

A Tyl customer who has learned to trust emails from unknown senders is not safer. They are more vulnerable than ever — and Tyl created that vulnerability.

What happened when I complained

I raised this with Tyl. Their response was to log my complaint as “Tap to Pay not working” — which was not my complaint at all — and closed it under reference C-029680. The actual concern I had raised, about unrecognised third-party emails and the security risk they create, was never addressed.

On 4 March, I emailed Tyl requesting the name of a senior complaint handler to escalate to, and asked whether Tyl considers itself subject to the FCA’s Consumer Duty. I cited the FCA’s dispute resolution rules and gave them the opportunity to address the issue properly before I reported it to the regulator. I received no reply.

The Ombudsman’s response — and why I’ve challenged it

The FOS investigator acknowledged that it “would have been good practice for NatWest to make clearer the password reset emails would come from a third-party provider.” In other words, they agreed the communication fell short.

But then, remarkably, the investigator concluded that this failing did not warrant any action — because I had not suffered a financial loss.

I have challenged this for three reasons.

• First, financial loss is not the test. The FOS routinely considers whether a firm’s conduct was fair and reasonable, regardless of whether the customer lost money.
• Second, the investigator’s own finding — that good practice was not followed — is precisely the kind of shortfall the FOS exists to address.
• And third, the FCA’s Consumer Duty, introduced under PRIN 2A, requires firms to deliver good customer outcomes. Sending authentication emails from a domain your customer has never heard of, without any prior disclosure, is not a good outcome by any reasonable measure.

To be clear: I am not seeking personal compensation. I never have been. This complaint is about the principle. It is about the fact that a major UK bank’s payment subsidiary is, right now, conditioning its merchants to behave in ways that make them more vulnerable to fraud — and when this was pointed out, the response was to reclassify the complaint and close it.

The bigger question

The FCA’s Consumer Duty was supposed to change the way financial services firms treat their customers. It was supposed to move the industry from a culture of “we didn’t technically break the rules” to one of “we actively delivered good outcomes.”

If a bank can outsource a critical customer-facing function to an unknown third party, send authentication emails from an unrecognised domain, provide zero disclosure regarding the name of their 3rd party agency who will send me the password reset link, and then face no consequences when a customer raises the alarm — what exactly has the Consumer Duty changed?

I have asked the Financial Ombudsman to escalate my case to an independent Ombudsman for a final decision. I have also reported the matter to the FCA. I will update this article when I hear back.

Have you experienced something similar?

I suspect I am not the only person who has received an email from a company they have never heard of, only to discover it was connected to their bank or payment provider. If that has happened to you, I would genuinely like to hear about it — either in the comments below or connect with me on LinkedIn.

The more examples that surface, the harder it becomes to dismiss this as a one-off.

This article was originally published on LinkedIn. Grant Price is Founder & CEO of Yohows.com.

Cybersecurity, Banking, Consumer Rights, Fintech, Phishing