Hi everyone! I work for a regional bank and we're in the process of adding a security center/section to our marketing emails. The purpose is to inform customers that we won't ask for sensitive information via email, as well as to point them to a page with FAQs about how to determine when an email is/isn't a phishing email.

I've looked at examples of security centers from several banks and most have one thing in common - they include the customer's email address. For example, "This email is intended for person@esp.com."

I'm being asked internally to investigate why the customer's email address would be included when it's not a financial institution regulatory requirement. Someone expressed concern that the customer will see this and think, "Well, duh, this is the address where I received the email!"

It could be helpful for people who have multiple accounts set up in their email client to see which address it was meant for, but that's probably a small percentage.

I've scoured the web and can't find any solid reasoning, but perhaps I'm just using the wrong search terms.

I'd love to hear the community's thoughts on this. Do you include something like this in your security center and/or permission reminder text? Do you consider it necessary or a best practice? What purpose does it serve?

Thank you for your input!