How to Protect Your Finances When Your Bank or Debt Collector Uses Insecure Email

If you’ve been contacted by a debt collector, a mortgage administrator, or even your own bank via email, you might assume the message is secure. Recent reporting suggests that’s not always a safe assumption. A June 2026 article in NL Times highlighted that many financial administrators handling sensitive cases—especially those involving people in debt or financial difficulty—are using email systems with weak security. That puts vulnerable individuals at greater risk of phishing, identity theft, and fraud.

The problem isn’t that email itself is always dangerous. It’s that when financial firms fail to encrypt their messages or to use verification measures, anyone who intercepts them can read account numbers, payment arrangements, or personal identifying details. And people dealing with money trouble are often in a hurry to respond, a perfect opening for scammers.

What happened

According to the NL Times report, researchers found that several financial administrators in the Netherlands—companies that manage debt repayment plans, process garnishments, or handle loan collections—were sending emails without basic protections like TLS encryption or digital signatures. In some cases, the emails contained full financial statements or copies of IDs. The investigation did not name every firm involved, but it pointed to a broader pattern: institutions that handle financially stressed customers often cut corners on security.

No global law requires all financial emails to be encrypted, though regulations like GDPR in Europe and various data breach notification laws in the U.S. do hold companies responsible for protecting personal data. The gap is that many firms choose the cheapest email setup and hope for the best.

Why it matters for people with money trouble

When you are behind on payments or in a debt restructuring program, you may already feel pressured. An email that looks official—with the right logo, correct account number, and a request to “click here to confirm payment details”—can be easy to trust. But if a fraudster has intercepted earlier emails, they can copy the style exactly.

Worse, if an administrator uses an email system that doesn’t require the recipient to log into a secure portal, a scammer only needs to guess your email address to send fake instructions. Once you reply with your bank account or Social Security number, the damage can take months to undo.

People in financial distress also tend to have fewer resources to deal with identity theft. They may not have the time or money to freeze credit reports or hire a lawyer.

How to check if your financial administrator uses secure email

You can often spot insecure email by looking for a few telltale signs:

  • The email is plain text with no link to a secure portal. Legitimate firms usually direct you to log into their website rather than attach sensitive documents.
  • No encryption indicator in your email client. Most major providers (Gmail, Outlook, ProtonMail) show a small lock icon when the connection is encrypted. If it’s missing or says “not encrypted,” the email traveled in the clear.
  • The sender’s email domain is generic, like @gmail.com or @outlook.com, instead of @companyname.com. Real financial administrators use their own domain.
  • They request sensitive info via reply, such as asking you to “email your bank account number to confirm.” No legitimate institution does that.

If you’re unsure, call the company using a number from their official website—not the one in the email. Ask them directly: “Do you use encrypted email for communications about my account?”
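
For readers comfortable opening a message's raw source, the four signs above can be checked in one pass. This is an added example, not code from NL Times or any administrator; check_message, the warning codes, the phrase list and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

FREEMAIL = {"gmail.com", "outlook.com"}  # generic domains named in the article
# Markers receiving servers commonly write into Received: ESMTPS/ESMTPSA
# (RFC 3848) or a TLS version note. Formats vary by server, so this is a heuristic.
TLS_HOP = re.compile(r"\bwith\s+(?:ESMTPSA?|UTF8SMTPSA?)\b|\bTLS\s?v?\d", re.I)
ASKS_BY_REPLY = re.compile(
    r"\b(?:reply|email|send)\b[^.\n]{0,60}\b(?:account number|iban|"
    r"social security|password|copy of your id)\b", re.I)

def check_message(raw: str) -> list[str]:
    """Return warning codes for one raw message (headers plus body)."""
    msg = message_from_string(raw)
    findings = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in FREEMAIL:
        findings.append("generic-sender-domain")
    hops = msg.get_all("Received") or []
    if not hops or any(not TLS_HOP.search(h) for h in hops):
        findings.append("hop-without-tls-marker")
    parts = [p for p in msg.walk() if not p.is_multipart()]
    text = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_maintype() == "text")
    if ASKS_BY_REPLY.search(text):
        findings.append("asks-for-sensitive-data-by-reply")
    if "https://" not in text.lower():
        findings.append("no-portal-link")
    return findings

# Constructed sample messages (not real mail); every name is a placeholder.
SUSPECT = """\
From: Collections Desk <payments.desk@gmail.com>
Received: from mail.example.net (mail.example.net [192.0.2.10])
 by mx.example.org with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000

Please reply with your bank account number to confirm.
"""
CLEAN = """\
From: Client Services <service@administrator.example>
Received: from out.administrator.example (out.administrator.example [192.0.2.20])
 by mx.example.org with ESMTPS id def456 (version=TLS1_3); Mon, 1 Jan 2024 10:00:00 +0000

A new message is waiting. Log in at https://portal.administrator.example to read it.
"""
```

An empty result is not proof that a message is genuine: Received lines only record what each server chose to write down, and a sender controls everything in the body. Treat the codes as reasons to phone the company, not as a verdict.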

What you can do to protect yourself

You don’t have to accept insecure email. Here are practical steps:

  1. Request a secure portal. Many administrators have an online account system. Ask them to send all messages there instead of email. You can say, “I’m concerned about email security. Please put all correspondence on my secure portal.”
  2. Use two-factor authentication on any account you access online. That way even if someone steals your password, they need the second code.
  3. Set up email alerts for your bank accounts and credit cards. If a scammer tries to change payment info, you’ll know quickly.
  4. Do not click links in unsolicited emails about debts or payments. Open a browser, go to the company’s site directly, and log in.
  5. Consider a separate email address for financial correspondence. Use a provider that supports encryption (ProtonMail, Tutanota) and give that address only to institutions.
  6. Monitor your credit reports. In the U.S., you can get free weekly reports from AnnualCreditReport.com. In many other countries, you have a right to one free report per year.

What to do if you suspect a breach

If you think your data has been exposed because of an insecure email from a financial administrator, act fast:

  • Change passwords for any accounts mentioned in the emails.
  • Enable 2FA everywhere possible.
  • Contact the company and demand to know what security measures were in place when the email was sent. Ask if they will cover any fraud losses resulting from their lax security.
  • File a complaint with your country’s data protection authority (like the FTC in the U.S., the ICO in the UK, or the Autoriteit Persoonsgegevens in the Netherlands). They may investigate and pressure the company to improve.
  • Consider placing a fraud alert or credit freeze on your credit files.

The bottom line

You should not have to choose between paying a debt and protecting your identity. Financial administrators have a responsibility to secure their communications, especially when dealing with people in vulnerable situations. Until stronger rules are enforced, it falls on each of us to be cautious.

If a company refuses to use secure channels, that is a red flag. A legitimate institution will work with you to find a safe way to communicate. If they won’t, you may want to question whether they are the right firm to handle your finances.

Sources: NL Times, “Financial administrators’ poor email security put many people with money trouble at risk,” June 8, 2026. Additional guidance adapted from consumer protection best practices from the FTC and European Data Protection Board.