Yesterday someone stole $10,000 from my store bank account. I noticed early in the morning that it happened overnight. I spent the day figuring out the details, closing and re-opening new accounts, and to some extent contacting vendors. It occurred to me this could be a real disaster if I were on an extended trip.
I won't have online access to my accounts for several more days. Until then, items will bounce off the old account and the bank will call me each morning to verify the day's transactions. As my bank manager pointed out, I have a strong cash position, which will help. Imagine losing all your money and not being able to process transactions. It took an hour sitting with the bank manager to close and re-open the various accounts, but there will be many hours of work to follow.
To be clear, it was not an employee. I think it was professional criminals. Whoever did this had my banking information and was able to log into my online banking or otherwise see my account online. Nobody but me has this. I am assuming my account password was hacked.
How do I know this? Test transactions from another bank preceded the withdrawal the day before. This is when an institution sends a couple small withdrawals from your account and then sends a total of that amount back as a deposit. If you didn't do this, it's a warning you're about to be in trouble. Contact your bank immediately. You had to be able to see these micro transactions on my account to verify them with the other institution, and since it happened within a day, it meant they had online banking access, and not a paper copy of my bank statement.
That other institution where the money was sent was Capital One. I happen to have a Capital One credit card, so I called them as a customer and learned more than you probably would otherwise. My money was being transferred to a business checking account that had been opened ten years previously, probably some abandoned account. The name on that account was not mine. When I asked for more information, that's when they informed me I had reached the end of our conversation. How did they know I wasn't trying to hack that account?
Capital One sent me back to my bank, who had me fill out a Written Statement of Unauthorized Debit. All of this, the withdrawal, phone calls, and reporting to my bank, happened within a couple hours on the same day. This morning I noticed the $10,000 withdrawal was temporarily removed while they investigated. I am probably fine. If $10,000 had been shipped to some offshore Nigerian account or business, I assume it would be gone. American bank to American bank? They don't put up with shenanigans.
When my online banking is re-established, I'll have to set up everything again. It turns out of the 50 or so online payees, only 14 need to be re-added. There's an element of clean up.
What Could I Have Done Different?
Account information was breached somewhere, but it's clear to me this couldn't have happened without online banking access. Make sure your passwords are extra secure. At this stage, if you can remember a password, it's probably not good enough. Nobody else had access to my account, which was everyone's first question. I do not think this was an employee or a vendor, because of the online banking element.