What To Do If Your Bank Account Is Hacked

Discovering unauthorized activity in your bank account is alarming — but how you respond in the first hours and days can make a significant difference in how much money you recover and how quickly your account gets secured. Here's what the process looks like, what your rights are, and what factors shape the outcome.

Recognize the Signs First

Not every suspicious transaction means your account was hacked, but the following are common indicators that something is wrong:

  • Withdrawals or purchases you don't recognize
  • Locked access — your password suddenly doesn't work
  • Alerts from your bank about logins from unfamiliar locations or devices
  • Missing money that doesn't match your own spending
  • New payees or linked accounts you didn't add

Sometimes these are errors or merchant holds. Other times, they signal a genuine compromise. Either way, the right first move is the same: act immediately.

Step 1: Contact Your Bank Right Away 🚨

Your first call should be to your bank's fraud department — not their general customer service line if you can avoid it. Most banks have a dedicated fraud hotline printed on the back of your debit card or listed on their website.

When you call:

  • Report every unauthorized transaction you've identified
  • Ask them to freeze or suspend your account to stop further activity
  • Request a new account number and new debit card
  • Ask them to document your claim with a case or reference number

Time matters here. Federal regulations — specifically Regulation E, which governs electronic fund transfers — set liability limits that depend heavily on how quickly you report the problem.

Understanding Your Legal Protections

Regulation E is the primary federal consumer protection law for unauthorized electronic transactions on checking and savings accounts. It sets out a tiered liability structure based on when you report the fraud:

| Reporting Timing | Your Maximum Liability (General Framework) |
|---|---|
| Before any unauthorized use | $0 |
| Within 2 business days of learning about it | Up to $50 |
| 3–60 days after your statement is sent | Up to $500 |
| More than 60 days after statement | Potentially unlimited for transactions after that window |

These are the federal baseline figures — your specific bank's policies may offer stronger protections than the law requires, but never weaker. Many banks advertise zero-liability policies for debit card fraud, which can be more generous than the federal standard.

Credit cards are a separate category. They fall under the Fair Credit Billing Act, which generally caps your liability at $50 for unauthorized charges — and most major issuers voluntarily extend full zero-liability protection. If fraudsters also accessed a credit card connected to your account, the dispute process and protections differ from your deposit account.

Step 2: Change Your Credentials and Secure Your Devices

Once your bank is alerted, shift your focus to cutting off the attacker's access:

  • Change your online banking password immediately — use a strong, unique password you haven't used elsewhere
  • Enable two-factor authentication (2FA) on your bank account if it isn't already active
  • Change passwords on your email account, especially if it's linked to your banking login for password resets
  • Scan your devices for malware or keyloggers — this is often how banking credentials are stolen
  • Review whether any banking apps are authorized on devices you don't recognize

If you reuse passwords across accounts, treat all of those accounts as potentially compromised and update them as well.

Step 3: File a Formal Dispute

A phone call to your bank starts the process, but follow up in writing. Many banks allow you to submit a fraud dispute through their online portal or mobile app. Request confirmation that your dispute has been received and ask about the timeline for investigation.

Under Regulation E, banks are generally required to:

  • Investigate your claim within 10 business days (in most circumstances)
  • Provide provisional credit to your account while the investigation is underway, if the investigation takes longer than that window
  • Reach a final resolution within 45 days for most cases (or up to 90 days in certain situations, such as new accounts or point-of-sale transactions)

These timelines can vary depending on the specifics of your case and your bank's procedures. Ask your bank explicitly what to expect.

Step 4: Report to the Appropriate Authorities

Depending on the nature of the hack, you may want to file reports beyond your bank:

  • FTC (Federal Trade Commission): File a report at reportfraud.ftc.gov — this creates an official record and can support your bank dispute
  • Internet Crime Complaint Center (IC3): Relevant if the fraud involved online activity or cybercrime
  • Local police: Some banks require a police report number as part of their fraud investigation process — ask whether yours does
  • Consumer Financial Protection Bureau (CFPB): If you believe your bank isn't handling your dispute fairly, the CFPB accepts complaints and has oversight authority

Step 5: Check Your Credit Reports 🔍

A hacked bank account may be one piece of a larger identity theft situation. If criminals obtained your Social Security number or other identifying information, they may attempt to open new accounts or lines of credit in your name.

  • Pull your credit reports from all three major bureaus (Equifax, Experian, TransUnion)
  • Look for accounts, inquiries, or addresses you don't recognize
  • Consider placing a fraud alert on your credit file — this prompts lenders to take extra verification steps before opening new credit
  • If you have reason to believe your identity was more broadly compromised, a credit freeze prevents new credit from being opened in your name entirely

The distinction between a fraud alert and a credit freeze matters: a fraud alert is temporary and advisory; a freeze actively blocks new credit applications. Both are free under federal law.

What Affects How Much Money You Get Back

Recovery isn't guaranteed, and the outcome varies based on several factors:

How quickly you reported: The single biggest variable. The Regulation E timeline above is clear — waiting costs you protection.

Type of account and transaction: Debit vs. credit, ACH transfer vs. card transaction, wire transfer vs. mobile payment — each has different dispute rules and different levels of consumer protection. Wire transfers, in particular, carry weaker reversal protections once funds have left your account.

Your bank's internal policies: Many banks offer protections beyond the legal minimum. Their fraud team's judgment about the circumstances of your claim also plays a role.

Whether you shared credentials: If you voluntarily gave someone access — even under a scam — some banks may categorize that differently than a straightforward hack. Authorized push payment fraud (where you were deceived into sending money yourself) is a growing gray area in consumer protection law.

Your account history and documentation: Having clear records of your normal transaction patterns and acting promptly strengthens your claim.

After the Dust Settles: Protecting Yourself Going Forward

Once the immediate crisis is resolved, it's worth looking at what made you vulnerable:

  • Were you using weak or reused passwords?
  • Did you click a link in a phishing email?
  • Was your device infected with malware?
  • Did you share account details via phone or text with someone posing as your bank?

Understanding how access was gained helps you close that specific door — and informs what monitoring habits or security tools are worth adopting. Account alerts (text or email notifications for every transaction) are one of the simplest early-warning systems available through most banks at no cost.

The right longer-term response depends on what happened and how exposed your broader financial and personal information may be — which is why working through those questions with your bank and, if needed, an identity theft recovery service, matters more than any single checklist.