What to Do If Your Bank Account Gets Hacked
Banking

What to Do If Your Bank Account Gets Hacked

By Jessica Ramirez|February 22, 2026|7 min read

What to Do If Your Bank Account Gets Hacked

You open your banking app and something is wrong. There are transactions you don't recognize, your balance is lower than it should be, or you've received a notification about a login from a device you've never used. Your stomach drops. Your bank account has been compromised.

Take a breath. What you do in the next few hours matters more than you think. Acting quickly can be the difference between getting your money back in full and dealing with a drawn-out nightmare. Here's your step-by-step playbook for the first 24 hours and beyond.

Step 1: Contact Your Bank Immediately

This is the single most important thing you can do, and you should do it right now, not after you've finished reading this article. Call the fraud department directly using the number on the back of your debit card or on your bank's official website. Do not use any phone number from a text or email you received, as it could be part of the scam itself.

When you call, ask the bank to:

  • Freeze or lock your account to prevent further unauthorized transactions
  • Flag all suspicious transactions so the bank can begin its investigation
  • Issue a new debit card with a new card number
  • Provide a case number or reference number for your fraud claim

Most major banks have 24/7 fraud hotlines, so don't wait until morning if you discover the breach at night. Every minute your account remains open is another minute a thief can drain it.

Step 2: Change Your Passwords and Secure Your Login

Once you've contacted your bank, immediately change your online banking password. Make it something completely new, not a variation of your old one. If you've been reusing that same password on other sites (no judgment, but stop doing that), change those passwords too.

While you're at it:

  • Enable two-factor authentication (2FA) if you haven't already. Use an authenticator app like Google Authenticator or Authy rather than SMS-based codes, which can be intercepted through SIM-swapping attacks.
  • Review your account's contact information. Hackers sometimes change the email address or phone number on file so that you stop receiving alerts.
  • Check for authorized devices in your banking app's security settings and remove anything you don't recognize.

Step 3: Document Everything

Before your memory fades and before the bank resolves anything, take screenshots and notes. Document:

  • Every unauthorized transaction (date, amount, merchant name)
  • The date and time you discovered the fraud
  • The name of every bank representative you speak with
  • Any case or reference numbers you're given

This paper trail will be critical if you need to escalate your claim or file additional reports later.

Step 4: File a Report with the FTC

Head to IdentityTheft.gov, the Federal Trade Commission's official portal, and file a report. This does two important things: it creates an official government record of the incident, and it generates a personalized recovery plan based on your specific situation.

The FTC report can also serve as supporting documentation if your bank requires proof that you've reported the fraud through official channels.

Step 5: File a Police Report

This might feel like overkill, but a police report strengthens your case significantly. Some banks require one before they'll process larger fraud claims. Even if your local police department can't actively investigate the cybercrime, having the report on file gives you additional legal protection and documentation.

Bring your FTC report, your list of unauthorized transactions, and any correspondence from your bank when you go to file.

Step 6: Place a Fraud Alert on Your Credit Reports

If someone accessed your bank account, they may have enough personal information to open new accounts in your name. Contact one of the three major credit bureaus, Equifax, Experian, or TransUnion, and request a fraud alert. By law, the bureau you contact must notify the other two.

A standard fraud alert lasts one year and requires businesses to verify your identity before opening new credit in your name. If you want stronger protection, consider a credit freeze, which blocks new credit inquiries entirely until you lift it. Freezing your credit is free and has no impact on your credit score.

Know Your Rights: Regulation E Protections

Here's the good news that most people don't know about. Federal Regulation E (the Electronic Fund Transfer Act) limits your liability for unauthorized electronic transactions from your bank account, but the amount you're liable for depends entirely on how fast you act:

  • Report within 2 business days: Your maximum liability is $50.
  • Report between 2 and 60 days: Your liability can increase to $500.
  • Report after 60 days: You could be on the hook for the full amount of unauthorized transactions that occurred after the 60-day window.

This is why speed matters so much. The sooner you notify your bank, the less money you can legally be held responsible for. Many banks go beyond the legal minimum and offer zero-liability policies for unauthorized transactions, but don't assume yours does. Ask explicitly.

Your bank is required to investigate your claim and provisionally credit your account within 10 business days while the investigation is ongoing. If they need more time, they can extend the investigation to 45 days, but they must provide provisional credit in the meantime.

Monitor Your Credit and Accounts Going Forward

The weeks and months after a breach are when you need to stay especially vigilant. Set up the following:

  • Real-time transaction alerts through your banking app so you're notified of every purchase, withdrawal, or transfer
  • Free credit monitoring through AnnualCreditReport.com or a service like Credit Karma
  • Bank account alerts for logins from new devices, password changes, and large transactions

Review your bank statements carefully for at least 90 days after the incident. Fraudsters sometimes make a small test transaction before coming back for a larger one, or they may sell your information to someone else who tries weeks later.

How to Prevent It from Happening Again

Once you've recovered, the goal is to make sure this never happens a second time. Here are the most effective steps you can take:

Use Strong, Unique Passwords

Every financial account should have its own unique, complex password. Use a password manager like Bitwarden, 1Password, or Dashlane to generate and store them. If remembering passwords is what's been stopping you, a password manager eliminates that excuse entirely.

Enable Two-Factor Authentication Everywhere

Turn on 2FA for every account that supports it, especially email, banking, and investment accounts. Your email is particularly important because it's often the gateway to resetting passwords on other accounts.

Learn to Spot Phishing Attempts

Most bank account breaches start with phishing, a fake email, text, or phone call designed to trick you into handing over your credentials. Remember:

  • Your bank will never ask for your full password via email or text
  • Don't click links in unsolicited messages; go directly to your bank's website instead
  • Be suspicious of any communication that creates urgency or fear ("Your account will be closed in 24 hours!")

Avoid Public Wi-Fi for Banking

Never log into your bank account on public Wi-Fi at coffee shops, airports, or hotels without using a VPN. These networks can be easily intercepted. If you must check your balance on the go, use your phone's cellular data instead.

Keep Your Software Updated

Outdated operating systems and apps are one of the easiest ways for hackers to exploit your devices. Turn on automatic updates for your phone, computer, and banking apps.

The Bottom Line

Getting your bank account hacked is scary, but it's recoverable if you act fast. Your single most important action is to call your bank's fraud department within two business days of discovering unauthorized transactions. This preserves your strongest protections under Regulation E and limits your liability to just $50 or less. Everything else, the FTC report, the police report, the credit freeze, builds on that foundation. Take the 30 minutes today to enable 2FA and set up transaction alerts on your accounts. It's the cheapest insurance you'll ever get.

Tags

bank securityfraud protectionidentity theftcybersecurity