What Can Scammers Do With Your Bank Account Number?

The Real Risks of a Stolen Bank Account Number

With your bank account number, thieves can commit ACH fraud to withdraw your money, create fraudulent checks, make unauthorized purchases on sites like Amazon, and even set up "Buy Now, Pay Later" services like Affirm or Afterpay.

If they also have your Social Security number, routing number, or address, they can go further by stealing your identity.

1. Commit ACH fraud and withdraw your money

ACH transfers use a financial network called the Automated Clearing House to transfer money from one bank account to another. While convenient, ACH sets up scammers nicely for fraud. Transfers take one to three days to process, which means you (and your bank) may not realize you’re the victim of a scam until funds are already gone.

ACH fraud can start in a variety of ways. Scammers might steal your debit card and hack into your online account. Or, if they already have your account number from a phishing scam or data leak, they can find your bank’s routing number by using a simple Google search and present any other personally identifiable information (PII) that they have to impersonate you.

From there, they can:

• Run an ACH kiting scheme. Scammers move your money into other accounts at various banks, withdrawing all the funds before each transfer is complete.
• Use ghost funding to get cash. Some banks grant users provisional funds while an ACH transfer is underway. Scammers take advantage of this allowance, transferring your money to their accounts and using it to buy crypto. When the ACH processes and returns a non-sufficient fund (NSF) notification, your money is gone forever.

2. Use your bank details to make fraudulent purchases

Amazon, for example, lets you assign checking accounts as a payment option [*]. To complete the setup process, fraudsters need to know your driver’s license number and home address, but they may already have that information on hand.

With your bank details, scammers could also:

• Reload store-specific cards. Big box stores, like Walmart, allow you to reload store-specific cards via ACH transfers [*].
• Connect your account to a “Buy now, pay later” (BNPL) service. Scammers can link your checking account to Affirm or Afterpay to make big purchases like furniture, electronics, and jewelry.
• Set up subscription bill payments, like rent, utilities, and other subscriptions.

3. Launder money through your bank account

Drop accounts, or mule accounts, are checking or savings accounts that scammers can create under your name. They either sell these accounts on the Dark Web or make you an accidental money mule, depositing stolen funds into an account that you didn’t even know you had [*].

A group of four criminals in New Jersey used victims’ sensitive information to produce fake IDs and open drop accounts to transfer money to themselves and cash counterfeit checks [*]. It took two years for authorities to catch on to the scam.

4. Create and use fraudulent checks

If scammers have enough pieces of information about you, they can trick your bank into sending them paper checks and promptly empty your account.

If that doesn’t work, fraudsters can create fake checks by:

• Stealing checks out of your mailbox. They use editing tools to erase the name of the payee and replace it with their own.
• Creating counterfeit checks with your account number on them.

From there, they convince victims to deposit fake checks and return some of the money. When the check bounces, the victim’s account is charged the full amount.

Mobile apps like Telegram are teeming with illicit groups that organize check washing. Last year, a cybersecurity group found over 30 channels dedicated to carrying out check fraud [*].

If you discover unauthorized checks in your name, contact your bank or credit union immediately. Each state has different rules for reporting check fraud; but in general, you have up to 30 days from your last account statement to notify your bank [*].

Remotely created checks are governed by a separate set of rules. If you discover an unauthorized remotely created check in your name, submit an adjustment request to the Federal Reserve within 90 days. Include a written statement along with copies of the front and back of the check. The Federal Reserve must review your submission within five business days.

5. Steal your identity

Scammers cannot steal your identity with your bank account number alone. However, it only takes a few additional details to set the identity theft process into motion. And identity thieves are experts in prising your personal information. To get it, they can:

• Steal your wallet or purse.
• Snatch sensitive documents from your mailbox.
• Impersonate family and friends on social media.
• Buy your information from other scammers online.
• Install spyware on your computer via public Wi-Fi.
• Create fake bank login websites to pilfer your credentials.

With that data, they can open new credit cards, apply for loans, and even collect your tax refund.

Reports also suggest that potential account holders abandon digital applications to set up new bank accounts if the process takes longer than five minutes [*]. As a result, banks have relaxed their identification requirements, unintentionally opening the door to fraud.

6. Take over your bank account

Mr. Cooper, one of America's largest mortgage servicers, was the recent victim of a data breach. Over 14 million people had their names, addresses, phone numbers, SSNs, dates of birth, and bank account numbers stolen [*].

While your bank account information isn’t going to give scammers instant access to your finances, they can use it as leverage.

For example, they may send you a phishing email from Ally bank (or whatever financial institution you use) asking you to “confirm” your login details — and include your real account number to trick you into trusting the legitimacy of the message.

7. Conduct tax fraud

Besides using stolen information to fraudulently file for tax returns, hackers also steal data from tax professionals.

• Scammers ask the IRS to send the refund via direct deposit.
• When the refund hits, the fraudsters call victims pretending to be IRS agents.
• They claim the refund was deposited in error and the victim needs to return the money or face an arrest, hefty penalties, or SSN suspension.
• Terrified, the victims follow the scammer’s instructions, wiring money, buying gift cards, or sending cash via Zelle or Venmo.

If you receive multiple unexpected tax refunds through direct deposit without an explanation letter from the IRS, it’s probably a scam. Ask your bank to return the funds, and call the IRS to report the fraud.

Are You Liable for Charges That Scammers Make By Using Your Bank Account?

Generally speaking, you are not liable for charges scammers make with your bank account details. However, there are a few guidelines you should follow to properly file a claim and avoid liability.

For unauthorized ACH payments

To avoid paying for illegitimate ACH transactions, you must notify your bank about suspicious activity within 60 days of your bank statement.

For fraudulent online purchases

You have 60 days to avoid charges. Once you notify your financial institution, it has 10 business days to investigate the issue. If a crime has occurred, the bank must refund you within one business day and report its findings to you within three business days.

For forged checks disbursed in your name

Banks may hold you responsible if they feel you contributed to the forgery — either directly or through some form of negligence. To minimize your liability:

• Report the forged check to your bank immediately. Time frames for proper reporting vary from state to state. However, federal law limits your liability to $50 if you file a claim within two business days of the transaction. If there were multiple check forgeries, ask the bank to close your account.
• File a police report. You may also be asked to complete an affidavit stating that you did not authorize the check.

For fraudulent tax returns filed in your name

Call the IRS Identity Protection Specialized Unit at 800-908-4490 [*]. These employees will instruct you to:

• Complete an Identity Theft Affidavit. Form 14039 marks your IRS account for questionable activity.
• Report Identity Theft to the Federal Trade Commission. Go to IdentityTheft.gov or call the FTC Identity Theft hotline at 877-438-4338.
• Contact the fraud departments of all three credit bureaus. Call Equifax at 800-525-6285, Experian at 888-397-3742, and TransUnion at 800-680-7289 to place fraud alerts on your credit reports.

How Do Scammers Steal Your Bank Account Numbers?

Phishing attacks

Phishing attempts may look like fake bank text messages and emails, or phone calls that claim to be from your bank or other trusted companies (like Amazon or Apple). Information leaked on the Dark Web makes it seem like the callers are from legitimate organizations.

A couple in Colorado panicked when they received a text from Chase Bank asking if they had initiated a wire transfer for $4,500 [*]. After promptly responding “No,” they received a phone call from a scammer pretending to be a bank representative. All he needed to lock down their account was a one-time passcode, which he then used to steal $137,000.

“Skimming” and “shimming” devices

Fraudsters attach tiny devices to ATMs that steal your card details when you swipe or insert them.

Six people in Rhode Island now face charges for their roles in a card-skimming scheme that spanned at least six states [*]. By installing devices on ATMs and retail self-checkout terminals at Walmart and BJ’s Wholesale Club, they withdrew over $300,000 from victims’ accounts. 

Hackers may also target companies that store your financial information, such as online businesses or payment processors like ShopPay and Stripe.

With whom can you share your bank account number?

Bank account numbers should be kept private as much as possible. Only share them with people or companies you know and trust, such as:

• Tax filing services to pay for or receive annual tax credits.
• Your employer to set up direct deposit for recurring paychecks.
• Online payment and money transfer services such as PayPal or Zelle to deposit funds into your account.
• Credit card or loan providers to enable automatic bill withdrawal.
• Close friends or family members to whom you write checks.

Even trusted institutions may suffer data breaches. Consider Aura’s financial fraud protection to closely monitor your bank accounts.

Do Scammers Have Your Bank Account Number? Do This

If you suspect scammers have your bank account number or that you’re a victim of identity theft, it’s critical to act quickly:

1. Call your bank. They’ll help you file a fraud claim and may freeze or cancel your accounts.
2. Notify any company that was impacted. This could include payment apps, digital banking services, utility providers, and online stores.
3. Freeze your credit. Report the fraud to Equifax, Experian, and TransUnion, and ask to freeze your credit file. Banks may also run a ChexSystems report before opening new accounts; it’s worth placing a freeze there, too. Memorize your PIN so that you can lift the freeze if you apply for a new account or loan.
4. Change your online banking passwords. Create new, strong, and unique passwords and store them in a password manager. Also enable multi-factor authentication (MFA) to ensure another line of defense against fraudsters.

Keep thieves out of your bank account. Try Aura free for 14 days.