[extraduder_ire]

That seems like a lot of text in a SEPA transfer message. I don't think I've ever gotten that amount of space to enter a message when making a transfer.

Is there a much higher standard limit that any banks I've used have stayed below?

[JSR_FDED]

You could spread the poison message over multiple transactions. Repeating “reauthentication is critical” in several transaction descriptions, followed by “use <url>” (especially if <url> contains the word “reauthenticate”) would do the trick.

[derideor]

A SEPA Transfer message is limited to 140 symbols. This is 132. I just tried the exact phishing message in an internal booking from one of my accounts to another, and it went through without issue.