My Bank Keeps on Undermining Anti-Phishing Education
As I was writing my first post some weeks ago, I got an email from my bank in my inbox:

> The big Wero Win Weeks are starting! Take part now and secure your chance every week to win 7 prizes of €1,000 each. With Wero, you can send money from account to account in under 10 seconds. It’s easy, fast, and secure. And the best part: If you register once for the prize draw now, you will automatically participate in the draw until September 2nd. With a chance to win every week! Join now! Win €1,000 seven times every week!
Some background information for my non-German readers:
What is a Sparkasse?
The bank in question is my local Sparkasse. Sparkassen are regional savings banks that exclusively serve people in their region. They are generally owned and sponsored by the municipalities they serve. Each Sparkasse is an independent institution, but they are all connected through an umbrella organisation, which coordinates their activities, ensures interoperability and gives them an overarching corporate design.
Their business focuses on SMEs and private customers; in general, they have a strong local economic impact and serve a lot of people. All institutions combined, the Sparkassen financial group is the largest financial service provider in Europe.
The email in question was promoting Wero. And I do not mean the Māori challenge, which is part of the welcoming ceremony. Wero is a new European digital payment system launched by the European Payment Initiative (EPI). It was created to replace several local payment systems, which were only used in the respective countries.
Imagine it more or less as a rival to PayPal, just decentralised among all banks. Initially it focuses on P2P payments (which is what this mail promotes), but online and in-store payments are planned for later.
They are still in an early adoption phase.
This email address wasn’t on any spam list yet, so I was quite confused. I mean, the indicators are clear: since there is no such thing as a free lunch, this must be spam. But on the other hand:
I went to my bank’s website and checked whether the prize draw really exists and if they use the same domain. And they do.
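The check described above, as an added example that is not part of the original post: it extracts the links from a constructed copy of the promo mail and flags any link whose registrable domain differs from the sender's, or whose visible text names a different domain than its href. Only sparkasse.de is taken from the post; every other domain is a placeholder, and the registrable-domain logic is a two-label simplification without a public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Simplification: last two labels only (no public suffix list); fine for .de/.com
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_links(html, sender_domain):
    """Return (href, reason) for every link that does not stay on the sender's domain
    or whose visible text shows a domain other than the one it points to."""
    parser = _LinkCollector()
    parser.feed(html)
    expected = registrable_domain(sender_domain)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        target = registrable_domain(host)
        if target != expected:
            findings.append((href, f"target {target} is not sender domain {expected}"))
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown and registrable_domain(shown.group(0)) != target:
            findings.append((href, f"text shows {shown.group(0)} but href goes to {host}"))
    return findings


# Constructed sample mimicking the promo mail; all hosts except sparkasse.de are placeholders
SAMPLE_MAIL = """
<p>Win &euro;1,000 seven times every week!</p>
<a href="https://www.sparkasse.de/wero">Join now</a>
<a href="https://wero-win-weeks.example/form">sparkasse.de/gewinnspiel</a>
<a href="https://login.sparkasse.de.example/">Activate Wero</a>
"""

if __name__ == "__main__":
    for href, why in check_links(SAMPLE_MAIL, "sparkasse.de"):
        print(href, "->", why)
```

The third sample link shows why the comparison is on the registrable domain and not on a substring: "sparkasse.de" appears in the host, but the link lands on de.example.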
So I started to get angry: How can a trusted institution like a bank send such a spam-looking mail?
Then I went to the website, and it just got worse…
> Send money. Win money. With the Wero-Win Weeks
>
> Fill out the one-time participation form. Send money with Wero in the Sparkasse app. Automatically be entered into the prize draw with every amount you send.* Promotion period: 18.03. to 02.09.2025. Participate now
>
> Anyone who sends money with Wero has the chance to win one of seven weekly cash prizes worth €1,000 – every week brings a new chance!
>
> Send money: Send money at least once a week with Wero to friends or family.
By the way, in order to participate in the prize draw, you must agree to the “analysis of data from payment transactions.”
> By agreeing to the analysis of payment data, you participate in the prize draw. Increase your chances: Every successful payment earns you a spot in that week’s prize draw.
>
> Important: A maximum of seven payments per week will be counted. You only have a chance to win in the weeks when you send money with Wero.
>
> Each week, seven €1,000 cash prizes are awarded.
>
> Haven’t activated Wero in the Sparkasse app yet? You can catch up easily.
>
> How to activate Wero in the Sparkasse app.
>
> ☑ I accept the terms and conditions and privacy policy.
> ☑ I would like to receive email updates and news about the prize draw.
> ☑ I am aware that Sparkasse employees are excluded from participating.
>
> I can revoke this consent at any time.
>
> Wero is the new payment solution for sending money within seconds – directly from phone to phone.
>
> Secure and fast: Send and receive money in under 10 seconds.
> Transparent: Keep track of incoming and outgoing transactions on your account in real time.
> Simple and always available: From account to account, directly in the Sparkasse app – even on weekends.
> No IBAN required: Forget account numbers – to use Wero, all you need is the recipient’s phone number or email address.
>
> You can find more information about Wero at sparkasse.de
>
> How do I activate Wero in the Sparkasse app? Open the Sparkasse app on your smartphone or tablet, or download it now: [Google Play] [App Store]
>
> Activate Wero in the “Send Money” section or via your profile settings: Activate Wero in the Sparkasse app
>
> How do I send money with Wero?
>
> FAQ | Terms & Conditions | Privacy | Prize Draw | Legitimacy | Imprint
>
> © 2025 S-Payment GmbH
The design language is quite straightforward, but it immediately sets off a lot of alarm bells for me.
Some things you may immediately notice:
And this made me really angry. How are we supposed to educate users about what spam and malicious websites look like when real entities promote their crap like this?
When a trusted institution, like a bank, uses similar practices, it completely undermines everything we try to teach users, especially since we are talking about the largest financial service provider in Europe [^1]!
As a result, users may begin to question every suspicious email they receive, thinking, “This looks like spam, but it might actually be legitimate…”
I didn’t dig deeper than that, as white hat hacking is criminalised in Germany.
Our current laws do not distinguish between malicious and ethical hacking.

It was also criticised for forcing the creation of a federal BundID account (https://www.heise.de/news/Zwang-zu-BundID-Streit-ueber-Auszahlung-der-Energiepreispauschale-fuer-Studenten-7518235.html) and for its technical issues when it started (https://www.heise.de/news/Energiepreispauschale-Holpriger-Start-der-Einmalzahlung-fuer-Studenten-7549625.html).

[^5]: Article: https://www.heise.de/en/news/OLG-ruling-S-pushTAN-procedure-not-sufficient-for-strong-authentication-10477555.html; original ruling: https://openjur.de/u/2528019.html
[^6]: Az. 2 O 312/22, https://www.anwalt.de/rechtstipps/phishing-sparkasse-muss-schaden-in-hoehe-von-ca-42-000-euro-ersetzen-232489.html; Az. 15 O 267/22, https://bruellmann.de/online-banking-sparkasse-muss-phishing-opfer-schadenersatz-leisten
I’ll admit, I’m stretching the argument here; additionally, I really want to point out that I am no legal expert, so there’s no way I’d bet my neck on it.
But from the bank’s perspective, it is a point worth considering. While cybersecurity is finally being taken seriously on the technical side, it still seems to be a blind spot on the usable security side.
This email and website seem rushed, as so many good practices were ignored.
It will have a lasting effect on undermining phishing education in general, not just for this specific bank. This issue is especially prominent now, as courts are more frequently finding banks liable for insufficient measures against phishing.
And on that point, we haven’t even touched on the exposure of personal financial transactions for the sake of the prize draw.
How should a single person proceed in this matter?
The issue is systemic, and the bank will likely not change its policy based on a single piece of feedback.
So I guess the only thing left to say is: Please do not undermine security education?
Maybe even take a look at it as well?