source link: https://finance.yahoo.com/news/security-patches-iphone-come-time-143109808.html

Security patches for your iPhone come all the time. But should you be told which are important?

Rob Pegoraro
Wed, August 31, 2022, 11:31 PM

When Apple shipped a set of security patches for iPhones, iPads and Macs on August 17, it notified users with its customary, generic language: “This update provides important security updates and is recommended for all users,” the update prompt on an iPhone read.

But users who clicked through Apple’s update-advisory page to see descriptions of individual fixes got a more alarming cybersecurity story.

“Processing maliciously crafted web content may lead to arbitrary code execution,” a description of iOS 15.6.1 and iPadOS 15.6.1 states. “Apple is aware of a report that this issue may have been actively exploited.”

Translation: Visiting the wrong web site can put malware on your device, and it looks like attackers are already using this vulnerability.

The consensus among security experts was not to panic, but to patch “as soon as possible,” per an advisory from the government’s Cybersecurity & Infrastructure Security Agency.

But then Bank of America got into the act, sending an unprecedented email to customers saying, “We noticed the iOS software version you’re using on your mobile device and/or the Safari browser on your computer may need to be updated.”

It’s unclear how BofA decided that in my case, as my Safari history shows I last visited its site in June and I don’t have its app installed on my iPad. Bank publicists did not answer questions sent via email.

Two security experts said this Apple episode showed we need more clarity about patches requiring imminent attention.

“Organizations can do a better job of clarifying to the public which updates should be prioritized today and which ones should be prioritized within the next week or so,” said Rachel Tobac, CEO of SocialProof Security, in a Twitter direct message.

Tobac added that if the vulnerabilities patched by Apple were being used by nation-state attackers, “folks in the public eye, journalists, activists, government officials, etc.” face a higher risk than everyday people.
