You check your bank account and something is wrong. There is a charge you do not recognize, a transfer you never authorized, or a notification about a login from an unfamiliar device. A compromised bank account is one of the most stressful financial emergencies you can face, but the actions you take in the first 48 hours make an enormous difference. Federal law limits your liability to just $50 if you report unauthorized transactions within two business days. Here is exactly what to do, step by step.
1. Contact Your Bank's Fraud Team Immediately
Your first call should be to the emergency fraud number on the back of your debit or credit card. Most major banks operate 24/7 fraud hotlines specifically for this purpose. Do not wait until business hours — call as soon as you suspect something is wrong.
When you call, ask the bank to:
- Freeze or lock the compromised account to prevent further unauthorized transactions
- Cancel and reissue your debit card, credit card, or both
- Flag all recent suspicious transactions for investigation
- Open a formal fraud dispute and provide you with a case number
Write down the date, time, and name of every representative you speak with. You may need this documentation later.
Your Legal Protections Under Federal Law
Under the Electronic Fund Transfer Act (EFTA), if you report unauthorized debit card transactions within two business days, your maximum liability is $50. If you report after two business days but within 60 days, your liability increases to $500. After 60 days, you could be responsible for the full amount. For credit cards, the Fair Credit Billing Act caps your liability at $50 regardless of timing, and many banks offer zero-liability policies. Banks are legally required to investigate your claim and provisionally credit your account while the investigation is pending. Speed matters — report immediately.
2. Verify the Compromise
Before assuming the worst, take a few minutes to verify that the suspicious activity is actually unauthorized. Cross-check recent charges against your receipts, subscription renewals, and any purchases made by authorized users on the account (such as a spouse or family member on a joint account).
Common causes of charges that look fraudulent but are not:
- Merchant names that appear differently on bank statements than the store name (for example, a restaurant charge appearing under a parent company name)
- Recurring subscription renewals you forgot about
- Pending authorizations or holds from gas stations and hotels that appear as unusual amounts
- Purchases by an authorized user on a shared account
If after reviewing you confirm the charges are unauthorized, proceed with the remaining steps immediately.
3. Check the Full Extent of the Breach
A compromise rarely affects just one account. Once you have secured the initial account, check for broader damage:
- Other accounts at the same institution: If an attacker gained access to your online banking portal, they may have access to savings accounts, lines of credit, or investment accounts linked to the same login
- Accounts with similar credentials: If you reused the same password or email combination on other financial accounts, those accounts are also at risk
- Linked payment services: Check Venmo, Zelle, PayPal, Apple Pay, and any other services connected to the compromised account
- Automatic bill payments: Review any recurring payments or direct debits tied to the compromised account, as you will need to update these with new account details
4. Change All Passwords and Security Questions
Change your online banking password immediately, then change the password on every other account where you used the same or similar credentials. Follow these rules when setting new passwords:
- Use a unique password for every account — never reuse passwords across financial institutions
- Make passwords at least 15 characters long, using a mix of letters, numbers, and symbols, or use a passphrase of random words
- Use a password manager like 1Password or Bitwarden to generate and store strong unique passwords
- Update your security questions as well — if an attacker has your personal information, they may be able to answer common security questions like your mother's maiden name or the street you grew up on
5. Enable Multi-Factor Authentication on All Financial Accounts
If your bank account did not have multi-factor authentication (MFA) enabled, this is the time to fix that. MFA requires a second form of verification — typically a code from an authenticator app — in addition to your password. Enable MFA on every financial account that supports it, including banking, credit cards, investment accounts, and payment services. Prefer an authenticator app (like Google Authenticator or Authy) over SMS codes, since SMS can be intercepted through SIM-swapping attacks.
6. Freeze Your Credit at All Three Bureaus
If an attacker has your banking information, they may also have enough personal data to open new accounts in your name. Freeze your credit at all three major bureaus to prevent this:
- Equifax: equifax.com/personal/credit-report-services/credit-freeze
- Experian: experian.com/freeze
- TransUnion: transunion.com/credit-freeze
A credit freeze is free and blocks anyone from opening new credit accounts in your name until you lift it. You can temporarily thaw the freeze whenever you need to apply for legitimate credit.
7. Place a Fraud Alert on Your Credit Report
In addition to freezing your credit, place a 90-day fraud alert on your credit report. You only need to contact one bureau — Experian is the simplest starting point — and that bureau is legally required to notify the other two. A fraud alert tells creditors to take extra steps to verify your identity before approving new accounts. You can renew it every 90 days or request an extended seven-year alert if you file an FTC identity theft report.
Do Not Stop at Freezing One Bureau
A credit freeze must be placed separately at each of the three major bureaus — Equifax, Experian, and TransUnion. Freezing at only one bureau leaves the other two open for attackers to exploit. Also consider freezing your reports at lesser-known bureaus like Innovis and NCTUE (National Consumer Telecom and Utilities Exchange) for more complete protection. A fraud alert only needs to be placed at one bureau, which will share it with the others, but a freeze does not work this way.
8. Scan Your Devices for Malware
Your bank account may have been compromised through malware on your computer or phone — keyloggers, banking trojans, or infostealer malware that captures login credentials. Run a full malware scan using reputable antivirus software before logging in to any financial account. If malware is detected, clean your device first, then change all passwords — otherwise the malware will simply capture the new credentials.
9. File Official Reports
Filing official reports creates a legal paper trail that protects you and supports your fraud claims:
- FTC report: File at identitytheft.gov. The FTC will generate an Identity Theft Report and a personalized recovery plan
- Local police report: File a report with your local police department. While police may not actively investigate, having a police report number is often required by banks and creditors to resolve fraud disputes
Keep copies of all reports, case numbers, and correspondence. You may need them for months as the investigation and recovery process continues.
10. Monitor Your Accounts Closely for Months
Recovery from a bank account compromise is not a one-day event. Stolen financial information can be sold, resold, and exploited months or even years after the initial breach. Build these habits into your routine going forward:
- Set up transaction alerts: Configure your bank to send push notifications or emails for every transaction, regardless of amount
- Review statements monthly: Do not rely solely on alerts. Review your full bank and credit card statements at least once a month to catch anything that slipped through
- Check your credit reports regularly: You are entitled to free weekly credit reports at AnnualCreditReport.com. Pull them periodically to check for new accounts or inquiries you do not recognize
- Watch for secondary attacks: After a financial compromise, you may receive phishing emails or phone calls from scammers posing as your bank. Never click links in unsolicited messages and always call your bank directly using the number on the back of your card
Reduce Your Exposure to Future Attacks
Bank account compromises often start with personal information that is freely available online. Attackers use your name, address, phone number, and email — scraped from data broker and people-search websites — to answer security questions, craft convincing phishing emails, or socially engineer their way past bank verification procedures. The more personal data that is publicly accessible, the easier it is for criminals to target you.
PrivacyOn removes your personal information from over 100 data broker sites, cutting off the supply of data that attackers use to compromise financial accounts. By reducing publicly available information tied to your identity, PrivacyOn makes it significantly harder for criminals to impersonate you or piece together enough details to bypass account protections. Combined with continuous monitoring, PrivacyOn ensures your data stays removed as brokers attempt to re-list it. Plans start at $8.33/month.