Only tangentially related, but the practices of many banks have supported and enabled phishing attacks (5-10 years ago: crazy password policies, prevention of password managers), randomly special email addresses, random phone number verification sources.