Log in links now coming via SMS too

Unless you’ve got some magic solution for phishing that the rest of the banking industry doesn’t have, this is a dangerous precedent to set with your customers

We don’t think trying to influence user behaviour is a very effective way of trying to prevent attacks such as phishing. Despite your best efforts, users will either ignore your advice or be tricked by complex scams. The burden of security should sit with us, and you should be able to click on any link you want without being defrauded.

We have mitigated the risk of phishing by removing passwords entirely.

The link via SMS is a temporary solution while we move email provider. Even so, I would like to present a counter argument to the “links are bad” statement. If, instead, we sent a 6-digit code then this could be phished: the user would believe they were logging into Monzo so would happily enter the code into the phishing site/app, which would in turn send it to Monzo to log in. With a link, we can control where the code goes and we can channel-lock it such that it is useless to anything but the instance of the app that requested it.

As with everything we do, we will continue to evaluate and iterate and be completely transparent - I intend to publish annual statistics on a range of things from levels of fraud to numbers of account takeovers.

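The contrast the reply draws (a relayed 6-digit code works for whoever holds it, a link bound to the requesting app instance does not) can be shown end to end. The following is an added illustration, not Monzo's code and not a description of how their app actually binds links; it assumes one common way of channel-locking, a PKCE-style verifier/challenge pair: the app instance keeps a random verifier and sends only its hash with the login request, the server binds the link token to that hash, and redemption requires the verifier. The server class, the `https://app.example` link, and the `victim@example.com` address are all constructed for the example.

```python
import hashlib
import secrets
import time


def _sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


class AppInstance:
    """One installed copy of the app (hypothetical). The verifier never leaves
    the device until this same instance redeems the link."""

    def __init__(self):
        self._verifier = secrets.token_urlsafe(32)

    def code_challenge(self) -> str:
        # Only the hash travels to the server with the login request.
        return _sha256_hex(self._verifier)

    def code_verifier(self) -> str:
        return self._verifier


class LoginServer:
    """Hypothetical login backend: issues channel-locked links and, for
    contrast, plain 6-digit codes."""

    LINK_TTL = 600  # link validity in seconds (assumed value)

    def __init__(self):
        self._links = {}  # token -> pending link record
        self._otps = {}   # email -> pending 6-digit code

    # --- channel-locked magic link -------------------------------------
    def start_link_login(self, email: str, code_challenge: str, now=None) -> str:
        token = secrets.token_urlsafe(24)
        issued = time.time() if now is None else now
        self._links[token] = {
            "email": email,
            "challenge": code_challenge,  # binds the link to one app instance
            "expires": issued + self.LINK_TTL,
            "used": False,
        }
        # Delivered out of band (email or SMS). On its own the link is useless:
        # redeeming it needs the verifier held by the instance that asked for it.
        return f"https://app.example/login?t={token}"

    def redeem_link(self, link: str, code_verifier: str, now=None):
        token = link.rsplit("?t=", 1)[-1]
        rec = self._links.get(token)
        current = time.time() if now is None else now
        if rec is None or rec["used"] or current > rec["expires"]:
            return None
        # Constant-time check of the presented verifier against the challenge
        # the link was bound to when it was issued.
        if not secrets.compare_digest(_sha256_hex(code_verifier), rec["challenge"]):
            return None
        rec["used"] = True  # single use: a replayed link is rejected
        return {"session": secrets.token_urlsafe(32), "email": rec["email"]}

    # --- plain 6-digit code, for contrast -------------------------------
    def start_otp_login(self, email: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._otps[email] = code
        return code

    def redeem_otp(self, email: str, code: str):
        expected = self._otps.pop(email, None)
        if expected is None or not secrets.compare_digest(expected, code):
            return None
        return {"session": secrets.token_urlsafe(32), "email": email}


def phished_otp_succeeds(server: LoginServer) -> bool:
    """The victim types the code into a phishing page, which relays it."""
    code = server.start_otp_login("victim@example.com")
    relayed = code  # exactly what the phishing page captured
    return server.redeem_otp("victim@example.com", relayed) is not None


def phished_link_succeeds(server: LoginServer) -> bool:
    """The victim's genuine app requested the link, but the link itself leaks
    (say, forwarded from the SMS). The phisher's own app instance holds a
    different verifier, so the server refuses to redeem it."""
    victim_app = AppInstance()
    link = server.start_link_login("victim@example.com", victim_app.code_challenge())
    phisher_app = AppInstance()
    return server.redeem_link(link, phisher_app.code_verifier()) is not None


def genuine_link_login(server: LoginServer):
    """Happy path, plus a replay of the same link, which must fail."""
    app = AppInstance()
    link = server.start_link_login("victim@example.com", app.code_challenge())
    first = server.redeem_link(link, app.code_verifier())
    replay = server.redeem_link(link, app.code_verifier())
    return first, replay


if __name__ == "__main__":
    print("relayed 6-digit code logs the phisher in:", phished_otp_succeeds(LoginServer()))
    print("leaked channel-locked link logs the phisher in:", phished_link_succeeds(LoginServer()))
```

Note what the binding does and does not buy: it stops a link (or a code inside it) from being redeemed by anything other than the instance that requested it, which is the property the reply claims. It does not help if the attacker controls the app instance itself, so the verifier must be held only in the genuine app's process or keychain and never sent to any party other than the login server.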