Imagine my surprise the other day when I noticed that $1000 had been transferred from my bank account to some nonprofit, without any knowledge or approval on my part. It turned out that an acquaintance, with no access to my banking credentials, had done this. They wanted to make a charitable donation, using a direct bank transfer rather than a credit card, to save the charity the 3% fee charged by Visa/Mastercard. I had written them a check some months back, and they accidentally entered the routing number and account number from that check of mine, instead of their own account information.
Was this some unique, gross security lapse by the bank? Or can anyone drain money from your bank account from anywhere, simply knowing your routing and account numbers? After all, these numbers appear on every check you write.
In the old days, someone armed with those two numbers could print fake checks for your account and forge your signature. Sadly, the same principle holds true now in the age of electronic transfers.
The ACH network, which powers most bank-to-bank transfers, bill payments, and direct debits, was historically designed on the assumption that initiating a pull was authorization enough. Someone with your numbers can:
- Set up a fake “bill pay” or utility payment pulling from your account
- Add your account as a payment method on PayPal, Venmo, Amazon, or similar platforms
- Set up recurring ACH debits through many merchant processors
Ouch. It seems there is really nothing you can do to prevent this, other than closing your existing account if you are worried, and opening a new account with different numbers.
The main mitigation method is to set your account to notify you every time there is an electronic transfer, and to notify the bank immediately when you see one you did not authorize (call, and follow up in writing or through the bank’s message system). Start documenting all aspects of this dispute process, in case of litigation. Or at a minimum, look through every month’s statement soon after it appears, to check for shady transfers. Close or restrict the account if appropriate.
As I understand it, if you notify the bank within 60 days of when they sent the monthly statement, your max liability is $500. Beyond 60 days, you are toast – the money is just gone.
There is a slightly murky provision for limiting liability to $50 if you notify the bank within two days of you learning of the fraud (as long as that is within the 60-day window noted above). The application of this 2-day rule is clear if you are getting real-time notifications of transfers. But, say, if you slit open a printed statement the day after receiving it in the snail mail, perhaps three days after it was sent, notice a fraud and call the bank immediately, it is less clear whether you get dinged $50 or $500. If you are a good customer, I’m guessing the bank would make it $50.
All this is powerful motivation for using credit cards or Venmo/Zelle instead of paper checks. Bad guys can’t withdraw from your Venmo or Zelle unless they have your login information. With a credit card, you generally don’t get charged anything for a fraudulent transaction (assuming you report it in reasonable time), plus you can usually get 2% or more cash back.