It's unbelievable how bad at security financial institutions are. At an old job I had to set up our company with the accounts payable system of a customer. They used a system run by US Bank. They told us that we would receive set up instructions by mail, and a week later we got mail. It said "to begin the set up process go to https://bit.ly/..." and I knew I was being phished. Then I stopped to think and how would anybody know to send the set up packet to exactly the right place at the right time? Must be an insider. So I called US Bank, and they confirmed to me that the packet was in fact legit and this was supposed to be a bitly link. JFC.