In the sign-up process, validate the email (don't trust the user). I get a lot of emails that companies never validated, including, for a while, from Wells Fargo.
Unfortunately, the trend is in the opposite direction. People have realized that email validation is a step in the funnel where you lose users. And when you look at it as a funnel conversion optimization problem, you arrive at myopic conclusions that are insecure and have externalities like the one you noticed.
I was getting insurance claim information from a large company in another state for a while. I finally made a big enough stink that they took my email off the account.
And yeah, I'm sure it was the real company and not some phishing emails.
This bugs me as well. American Express kept sending me information about someone else's credit card. It took arguing with their customer service for about 20 minutes to get them to remove my email address from the account.