It seems very strange to receive emails related to financial data like investments and loans, which are meant for someone else. Given the significance of emails, verifying an email before activating it should be the default condition. Financial institutions may use their ‘one time password' infrastructure to do so. It is also easy to find examples of open source code to verify email before activation for many programming languages. There is just no reason not to guard against the customer making a mistake or a data entry error.