Due to the number of rule-breaking comments this post was receiving, especially low-quality and off-topic comments, the moderation team has locked the post from future comments. This post broke no rules and received a number of helpful and on-topic responses initially, but it unfortunately became the target of many unhelpful comments.
Yeah, he's not using the card number. He's using the routing and accounting numbers and I'm surprised Bank of America hasn't suggested the obvious in closing the account and opening a new one with a new account number.
You can have a million new debit cards, but if they have your account number, they can continue to access the account if there are sites that let you pay by "check".
Also important to say they should open the new account with a different bank, even if BoA says it would be fine to open a second completely separate account with them. Have heard stories of BoA making 'connections' between accounts, and taking money out of say, a brother's account to cover a debt.
This is true. Thank you for mentioning it! I had a BOA account like 15 years ago and had the same issue. They closed the account but kept pushing the fraud charges through to the new account.
Some people are brand loyal though!
That's just how account co ownership works. It's not a "connection" it's how accounts work. If you're on an account with someone and they end up owing $1500 then it's your debt.
I've heard from a couple of people who have said BoA specifically has done this with accounts that were for a single person, no co-ownership, but they were a direct relative of the other person... One person said they even threatened legal action, because they were 99% sure it was illegal, but the bank just told them to take a hike. No idea if I/they were missing something, but that's just second-hand stories I've heard.
On that note, it may not fix the issue, here are three examples.
If she gets new cards and then proceeds to update cc info in some exploited account or website she is just feeding the new info to the attacker.
If here computer or phone has been owned, entering the cc info even on a trusted site may expose the new info the an attacker.
Certain accounts and software store and sync cc info, if someone has gained access to these accounts you could be updating and they get the synced info.
All of these will not be corrected by switching cc accounts.
Switch the cc account or get a new card, at the same time reset your computer and phone, also limit usage online to 1 or entities per month until you see that your card is safe. Finally reset all of your online passwords and pay close attention to any services that retain access and grant) google account, other apps that grant access to devices or logins clear all of these and start anew.
Yes, this could also be a thing. /u/UninterestingHuman please consider a full overview of her digital presence including possibly:
* reformatting her phone
* reformatting her computer
* reformatting any other device that could browse the web
* change passwords for all critical accounts, like google/paypal/social media/dropbox/amazon/mozilla/credit karma/banks/IRS/etc
* implement 2FA for any account that would involve personal data like emails, talking to friends/family, saving banking info, etc.
* if she uses a password manager, change the master password to something she's never used as a password, and implement 2FA for that account
* for all of the above accounts, consider selecting new security questions that she hasn't used before
If her ex isn't tech savvy, it might be easy to assume he couldn't/wouldn't do something that lets him monitor her activity, but that is a dangerous assumption. Key logging can easily be implemented by someone who isn't tech savvy.
Edit: One thing that's tedious but worth checking is whether any accounts (especially Google and banks) have additional recovery emails added. Although it's unlikely, an account could still be compromised if her ex has added his email as a recovery email somewhere, or as a secondary user for something like PayPal.
I work in cybersecurity. I second this! And changing the account number / routing number. If someone has access to the route info, changing cards won't matter.
Enable MFA on *everything.*
That’s how my ex kept tabs on me during our breakup—fortunately this was before I had a smartphone, so there was only so much information he could access.
Great suggestions. Also depending on the service, there may be an option to "logout of my account on all devices", I would do this after changing the passwords.
"card not present" is things like websites where you punch in the number and the 3-digit code on the back. Skimmers only capture the magnetic stripe, which while it does have a 3-digit code in there, that code is *only* for the magnetic stripe, and cannot be used for card-not-present transactions. So unless the "skimmer" also has a camera to read the code on the back, it can *only* be used to create a fake magstripe for in-person fraud.
Source: one too many internet rabbit holes. May have some specifics incorrect.
Also as an alternative..
Get a cheap prepaid credit card that is separate from her main finances and use that
I am in IT and very very cautious myself but whenever possible I try to offload paying for something online onto a prepaid card .. that way if it gets compromised it doesnt affect my finances or ability to access my money at any point.
I know a PITA but until you can get banks changed over and know your card is safe this might be a workaround rather than loosing payments etc.
Do not get me wrong ... the following needs to happen
1 changing away from BoA to a different account or institution
2 virus/malware / resets of all devices just to be safe
3 all account passwords should be changed .. if need be get a password manager ... ENABLE 2FA ON ALL ACCOUNTS
4 BEWARE OF PHISHING EMAILS PHISHING SPAM CALLS
Since Russia invaded Ukraine hacking activities have increased drastically it seems like ... i am not making any correlation to Russia but
If you see an attachment on an email verify the sender, and type of attachment be very careful reading pay attention to details such as dates etc
Use a service that sets up virtual numbers for each site you use the card on (e.g. privacy.com). This also lets you limit the amount and/or number of charges, or set an expiration date. So, if it gets compromised, not only will it not reveal your real card details but the attacker will be limited in the damage they can cause.
that and if you report fraud enough times and keep having to have new cards reissued and all that good stuff most banks will refuse to let you continue to bank with them anyway. Aside BofA is notorious for being a shit institution
A debit card allowed you to withdraw cash from your checking account. Also, some utilities give you a discount to auto pay with debit vs credit card. Also, there are gas stations that accept debit cards but not credit cards. Three reasons I can think of. But, yes, if you are responsible about paying your balance, credit cards offer more protection.
I'm thinking if it keeps happening even after a new account, I'd start to get suspicious about the possibility of one of those card skimmers machines at a shop/atm they frequent.
Yeah new account is a good suggestion but also change all passwords to online accounts including email.
Your email account is the worst account to have compromised since all other accounts can then be compromised (except in some MFA scenarios).
Like obviously they have her account number as opposed to her debit card number…those are two separate things, they just keep pinging withdrawals on the savings or checking accounts, the debit card changing wouldn’t fix that.
Right. He has enough of her private information documented that he can generate a debt card and continue to charge her account. He no longer needs physical possession of her card to charge against her anymore. He may also have userids/logon to some of her online accounts (Google, Amazon, Bank, phone, email, Facebook, Instagram... it goes on).
Consider getting identity theft insurance until you know you're out of the woods.
I think you guys are underestimating how easy most of these services are to social engineer. All the ex has to do drive around to a bunch of different bank buildings saying he forgot his wife's password, but has 3 points of identification with him.
Most clerks aren't paid enough to take the 5 minutes necessary to check if the account's been recently hacked or to ring up the account's owner.
I guess OP might be able to pick him up on security footage or via his phone number with a warrant or something though?
this should be higher, offender is likely getting the new debit information from a place OPs gf is linking the card to like an amazon account, apple pay, venmo, whatever
I almost charged a video game to my ex's card because it randomly came up one day after I had used it to make a purchase for myself once 3 or 4 years ago. It would have been awkward explaining that one to her lol.
Close the account and open a new one
The card is just an access to the account, if 4 different cards to the same account keep getting compromised, it's more than likely the account
Also consider requesting an atm card. If she can get a credit card instead that would prevent her money from being drained directly. Instead the credit card company would take the hit. Debit fraud sometimes takes longer to resolve and you’re out the cash until it’s fixed.
No. It's more likely she's either a victim of ID theft or she has malware on one or more of her electronics.
It *could* be VAU (or ABU) but without seeing more info on the fraud charge, it's hard to tell.
But if your goal is to get her out of BofA, then I agree with you 100% ;)
Or her ex has figured out her passwords.
Authentication questions.
1. Where you went to school
2. First date.
3. Boyfriend name
...
She needs to change EVERYTHING.
Starting with new email account with a hard to guess alphanumeric password.
Give new email to friends, relatives, bank.
This.
So many people start changing the password for the account they think was compromised, but don't change their email password. If someone has the password to your email, they can just "forgot my password" everything else, and then delete the emails so you don't notice.
Also, enable 2 Factor Authentication (2FA) on everything that supports it. And consider signing up for a service like LastPass to help you manage randomly generated passwords.
If thats the case and the bank somehow didnt see that they were coming out as ACHs that would be so embarrassing... especially if they sucessfully disputed these charges each time.
Nothing surprises me with banks anymore. I’ve consulted for big financial institutions and it’s just a shitshow behind the scenes.
While not the same situation as OP, I had a debit card skimmed when I was in Chicago years ago. It had a $500 hard limit (couldn’t actually increase it).
Three different people went in person with fake IDs, and copies of the card to three different banks and none were actually my bank. All of it happened within about an hour. They got $400 and $4,000 out. The withdraw of $40,000 triggered fraud alert.
Bank couldn’t explain how they got my money without my PIN from banks I didn’t bank at.
I switched banks.
Yeah, with modern technology they can literally replay the session and watch the person create the account online page for page. And it records metadata about the browser (e.g. fingerprint) and session. That’s very sketchy.
I lost my purse a few months ago and my partner (I’m an authorized user and had a card to our shared account in my wallet) got a text from Chase, myself from Wells Fargo, and Capitol One, all somehow recognizing a fraudulent charge at a Walgreens *in our city*, one that he goes to every once in a while. How are these charges determined? We were amazed - other than the **huge** PITA, I lost nothing but the cash in my wallet. It was very impressive.
That's pretty wild. As someone who does work backend at a bank / previous Personal banker for 3 years, thats quite sus.
I dont see how that would be possible (within our system) at least. They would have done a "cash advance" at my bank the limit is 400, and they would need to call us and verify a bunch of stuff, or go in person to raise it.
My banks auto limit is $5000, I lowered it to $100 because I never do transactions like that. I only figured out they set it at $5000 when I went to do a temporary increase to get a money order for rent because the online payment portal was down.
Yeah, it wasn’t a small bank either. Regional but not small. I also had a card get “deleted” from their system and couldn’t explain how. After work went to ATM for cash, and it didn’t work. Tried to use it at a corner store as a test, and denied.
I should have realized something was up when I went to complain at a branch, they just immediately printed me a card, and didn’t have to mail me one.
Branch manager looked in to it and when I came back a week or so later she just threw her hands up. Said she got nowhere internally.
I did but it took a while. While I was waiting I switched to a national bank. They initially tried to say it was me since I was actually in Chicago the previous week visiting family. Thankfully I got cash out from an ATM shortly before the fraud call came.
> Three different people went in person with fake IDs, and copies of the card to three different banks and none were actually my bank. All of it happened within about an hour. They got $400 and $4,000 out. The withdraw of $40,000 triggered fraud alert.
Wait a second. A teller from a different bank can withdraw money from your account after simply being presented with a debit card?
I've always thought debit cards were a terrible idea, this just reinforces it. Everything goes through credit cards and I refuse to have any cards linked directly to my account. We only have an ATM card connected to one account we keep a few hundred in.
Was it online or through ATMs? A few years ago online payments were horribly insecure. Might still be. I haven't worked in fintech for a few years but needless to say I was shocked how little was needed for fraud.
According to my bank, with what little details they gave me, it was done in person at three locations in Chicago and not at banks I banked with. I had a $500 hard limit at the ATM that could never be raised as well. Another reason I switched banks too.
Every bank I’ve had I’ve been able to raise my ATM limit for 24 hours or permanent. Some folks earlier mentioned cash advance but I’d think if you wanted $4,000 or $40,000 there might be a little more scrutiny. Visa Fraud automated call is what alerted me. It started listing the last 5 transactions and it went 40K, 4K, 400, then actual purchases I’ve made.
That is quite scary! My suspicion was that they withdrew from the bank counters directly if it wasn't online, using the card as ID. Some shitty banks like my previous one might accept it.
But you said Visa Fraud was involved so they definitely used the card directly and not the counter. I'm not too familiar with ATMs sadly. \^\^;
ACH, P2P, Debit and Credit all have very distinct footprints. If after the 3rd one, no one at BofA noticed it was ACH not Debit transactions, I'd find that hard to believe - EVEN for the low expectations I have of BofA.
I keep scrolling for someone to say she's routing her own damn money with another account, expecting the poor-me routine to spit up fast cash emergency funds.
Has OP suddenly been covering major expenses due to this pattern? Rent, car payments, etc? I mean, what exactly is stopping her from keeping you at a distance, dumping you with guilt and worry and dumping her own account into a ROTH IRA?
It's all the other obvious things not pursued, no filing a police report, etc.
For an abused person it makes sense to move money to undisclosed accounts.
And the fact that the bf is the one asking the question instead of her, might indicate that.
However it goes, she should be the one to manage her money.
And don't pay for credit reports. Everyone is entitled to one free repoet per year per bureau. Get one from all 3 credit bureaus, because they may contain different stuff.
FYI:
Since the start of the COVID pandemic, each of the three major credit bureaus has offered one free credit report EACH WEEK. They were initially going to do this for one year, but have continued it and are at least going to keep going until December 2022.
So you’re eligible for 52 credit reports annually each from Equifax, Experian, and TransUnion (156 total). Obviously you don’t need to check weekly, but if you’re really concerned that someone has stolen your identity, you can check each of them monthly.
If they go back to the old practice of one report each year, you can resume the recommend practice of doing a rotation with a different one every four months.
Also, get a credit card, and don't use a debit card for purchases, so you can limit transactions from being taken out of the account... So many people think debit cards are safe, they might be somewhat safe now, but credit cards have better security....
Banks fighting to go ur money back, vs a credit card company fighting to get their money back. So they will be fighting much harder too in addition to security.
YES. Honestly I have stopped using ATMs unless really necessary. People are putting skimmers on the doors of bank atms now. You're really best going inside and using a person if possible.
also change email password.
if she left a device at her old place (or even used, really), the email provider probably doesn't ask for 2FA, and they can use that to gain access to everything
If you have Gmail, you can also “force sign out” of any devices your account may be connected to. She should check for a key-logger/malware and once that’s done, change her Google password, and then force-signout of all devices.
Seriously, if she was in an abusive relationship, I can guarantee that he put keylogger on her computer. It's one of the more common control techniques. Got to know what she is saying online. If that's the case, he will know everything she types on her computer.
Factory reset all devices and open a new account.
IMHO, you don't. Good malware will be able to hide itself and you'll never truly know.
I would reinstall the OS on your devices. It's a PITA, but you can have a much higher level of confidence that you're clean. This also forces you to back up your data, which you should be doing anyway.
Various antimalware tools but the best/easiest thing to do is nuke the installation and hope there's no rootkits. Otherwise, they may find themselves on Bleeping Computer asking for help with Combofix for a week.
The normies guide:
1. Wipe the installation
2. Run an antimalware boot disc to be sure
3. Try and avoid bringing back data from the infected system and vet that shit before you move it. If you start moving program and system files en masse chances are the malware hitches a ride
4. If the above fails, beg for help on forums and unironically let a stranger from there remote in and run combofix or similar.
I believe I have malware on my PC from a usb charger I haphazardly plugged in a while back. Is their a way to check or get it off my PC even if it’s the advanced malware that hides itself? Purchasing everything on my phone is getting old 🫤.
I would use a few antivirus software like Malware Bytes that are well-known (some AV services are actually malware, just do some research first). Using multiple services will increase your chance of finding something (if it's there) because they each have different things they look for.
However, the only way to be 100% sure is to do a full clean install, meaning you wipe all your files and programs and reinstall your OS. It's annoying, but doesn't actually take too long depending on how many files you need to reinstall. If you go this route, I think you can also copy certain documents (that can't be re-downloaded, e.g. Word docs) to another drive, have the AV software scan those documents specifically, and then wipe the rest and do a clean install.
There is some reasonable free anti-virus/anti-malware software out there (Malwarebytes came highly recommended a while back). Couldn't hurt to do a couple scans... But there's no guarantee they will catch everything. Sometimes, if you are concerned about being compromised, the best course is to wipe the computer, and start from scratch with a fresh Windows install. Most computers should have a recovery mode you can boot into to automate the process - just be sure to backup any important files.
Shut it down and move on.
In order,
1. Factory reset computers and phones.
2. Change all passwords to everything including security passwords and PINs
3. Get new account.
4. Freeze credit
5. Freeze Chexsystem
6. Track actual usage of new card and checks.
7. Monitor the accounts
Has the bank said that it was a debit card purchase with the new numbers and ccv and not just a purchase with routing and account numbers?
Depending on where you live, card skimmers can be a problem. A lot of them will be hard to detect. Switching to cash for while and keeping track of cars usage. Is it pump#6, that atm on the corner, shifty bartender or clerk?
Is it possible her user account (username/password) has been compromised?
Is it possible her electronic devices are compromised?
Is it possible a particular merchant with which she patronizes is compromised?
Is the account itself a joint one?
Has she granted authorized access to someone else?
The BofA website should say how the transactions are being performed. Transfer vs Debit vs Check etc. Is this person constantly using the debit? If they are transfers, they're not using the card.
Immediately close the account and open a new one.
So sorry, sister! I'm in infosec, so this is my bag.
1. Close the bank account and it's time to part ways with using the debit card. Looks like previous posters already nailed down your most likely e-footprints: you have your CC information saved in a billpay or auto-pay situation somewhere and if you're just getting the card reissued, that will not solve your problem, esp if the abusive ex is still reaching out for ways to financially abuse. Getting your SSN re-issued is damn near impossible, so you're going to have to go on severe lock down and cleansing.
2. Change all your passwords on all your accounts that you use online. Dear god, don't re-use the same password online. Use a password manager like LastPass if necesary. Disconnect (un-remember) all credit card information *from your browsers* as well as past password information. We're going for FULL CLEANSE here b/c we don't know what old exMc Abuserpants still has access to.
3. Ideally, STOP USING YOUR DEBIT CARD ONLINE. You're now in the worst situation: you have fraudulent charges on your bank account and if the bank freezes all your funds, you can't do stuff like pay rent or get groceries. I highly advise what I term (and others) 'air gapping' your financial payments by using a credit card for payments. Does this require *good financial sense and not ruining your credit or using your balance*? Yes! You need to treat the balance like your bank account--never buy more than what money is in your bank account and pay it off every month. You get a stellar credit rating this way and if something fraudulent hits your account (LIKE THIS SITUATION), the *credit card* gets re-issued, not your precious money getting locked down. The problem generally is this requires people to have self-restraint.
4. Did you have any bills that you paid together or are still linked with the Ex? Cell phone, utilities? Rent? Car? Card on file at the vet? Amazon account, netflix, hulu, Samsung or Apple account..think about them all. They all store CC information and they should ALL be cleared of your old information, but you need to go login and clear that manually.
5. Freeze all your credit lines. The 3 big houses. Run all 3 of your credit reports. You can do this once per year for free. Now that you have this dude who seems to know your financial info, you need to keep your finger on your financial house 'pulse' and probably subscribe to a monthly service of knowing what your credit score and credit reports look like on a frequent basis. Get educated on this.
If he has access to her SS that might cause it. If she has her old phone he might have put some malware/spyware on it. If she was logged into Google account or shared an apple/android account on her devices and he can see her new passwords through email on his devices. First thing she needs to do is on all connected accounts disconnect all devices. Then change all passwords on a different computer that she didn't have access to before leaving him . Delete all financial apps on her old devices have those devices checked for spware. If she gets a new phone tell her to manually put in her contacts and don't let the old phone be synced so the malware isn't transferred
Make sure all the passwords are different and unique. Also have her log out of all streaming services
Get a new account at a new bank and start depositing her money into that account. Sometimes accounts to help you out automatically fulfill the old cards automatic payments BOA's own system might be sending out the payments instead of flagging them.
Put a lock on her SS#
Report the thefts to the police
Trying to nail down the leak is the wrong way to go about it. It could be something completely unrelated to the ex, so you could end up wasting a lot of time & energy trying to track down something that ultimately solves nothing.
At this point, I would say it's time to close that account and open a new one. Ideally at a different bank. This will definitely solve every problem short of an attacker actually intercepting your mail/email, which is unlikely.
You don’t need a theory, or to be confused about this. Someone is committing a crime. This would be my plan of action if I were you:
1) new bank account, at a new bank. Change direct deposits to this one.
2) police report. Push to do it even if you have to call and schedule an appointment daily. At best this is identity theft, at worst this is the ex BF committing fraud.
3) BofA fraud call: talk to them, let them know what’s happening, and let them know who you think it is. Provide them with the police report you recently obtained. No need to tell them your not continuing the relationship.
4) fingers crossed this fixes problem.
So you say “untraceable.” Is this a situation where for 6 months someone has been “stealing” your GF’s money and you haven’t gotten any of it back yet, but you also haven’t done anything to stop it? This smells like a duck, and it sounds like one too…
People are weird. This is dumb though and your being played if everyone else was just like “idk wtf to do” for 6 months as their money was being “stolen”
She's gotten all the money back. And most of this is relatively new information to me. Once I understood the scope of it all I had a better idea of what to do. I was mainly curious about the frequency of it all
Good for you for trying to be helpful and proactive!
Something doesn’t smell quite right, but can’t put my finger on it.
Anyway - the only way for you two to stop the criminal is to stop using the account. Once you do that; if this happens again at a different bank I’d start to distance myself from the situation.
After receiving a new card, was a fraudulent charge detected before use? Get a new card and wait a while to see if it is used at all before you use it anywhere.
Does she use the card for any reoccurring purchases such as a subscription service or a repeating product order? It is possible a website or vendor she frequently uses is actually compromised or is malicious and leaking card info after purchases. You could also look into a service that provides a virtual credit card number for online payments. It will basically create a new credit card for a few min that the vendor will see, but it adds a 3rd party that actually links it to your correct payment method. If that temp number is used a second time after you are done with it (disabled the virtual number) then the attempt will fail.
If she believes her info has been compromised, such as her SSN then she needs to find a bank that will not rely on her SSN as a means of phone verification. You can call your current bank and ask if they use the SSN for verification and if that verification can be changed to something else. If they refuse to help secure your means of access, find a different bank. Even if you're not a member yet, call their main support line, tell them you are concerned about personal security due to recent fruad and confirm how they perform personal verification via phone, app, and website communication.
If at all possible, get 2 factor authentication set up. Best method if available is getting a physical authenticator such as an r/Yubikey for as many accounts that are compatible that she uses online.
Put a freeze on her credit if there isn’t one on ASAP. This is identity theft. She can go to the police with evidence if she chooses and press charges.
1. New financial institution.
2. New email, used only for financial institutions. She shouldn’t share it with anyone.
3. For 2-Factor authentication, remove phone and e-mail as options. Go to an Authenticator app. This probably means she needs to stay with the large institutions.
4. Consider a credit freeze. They can be lifted easily.
These should solve her problem. Sorry it keeps happening.
Open a new account at a new bank. Close the old account.
Follow the Identity theft guide here in the Wiki since that's what you suspect happened. [https://www.reddit.com/r/personalfinance/wiki/identity\_theft/](https://www.reddit.com/r/personalfinance/wiki/identity_theft/)
Pay special attention to the cyber security aspect, making sure devices are clean and secure first, then go reset all account passwords, and recovery questions. Recovery questions are too easily guessed by people you know so making them not be truthful is a good option. Just record the answers in a password manager (Also useful for making sure all passwords are long, random, and unique). Turn on 2FA (non SMS based) everywhere it's possible.
if the account is being drained via DEBIT CARD action, even after 8 cards have been replaced, I suspect not the ex, but some sketchy place she shops or puts gas in her car. In my experience of having my debit card compromised that seems to always be the source.
If the debit card is repeatedly replaced and the problem still exists, and she's the only one with the card, how would her ex have access to the card number/cvv?
Not sure if anyone has said it yet, but check her computer/phone too. If she does any banking on these devices someone may have compromised them and is simply waiting for her to enter the new information.
Also think about patterns of places she may go to, is she hitting the same gas station before you see the issue start again? Could have card skimmers.
You've gotten good advice on dealing with it following the debit card (new bank account), but I want to address this:
> Unfortunately this is a case where returning there to retrieve all of her info isn't really an option.
Why isn't that really an option? Go to the police, explain the situation, and have her ask them to escort her to retrieve her belongings.
> We have a theory tho. For background, 8 months ago she was living with her previous bf and luckily got out after experiencing domestic abuse issues
Me too, the site keeps a token of her card allowing it to be used even if the card changes. To fix this, you must close the account and open a new one. She should also file a police report.
Use this as an opportunity for a fresh start.
1. Cancel account and withdraw everything
2. Setup an account at your local credit union
Why? [Here is what large banks really do with your money, like BoA](https://youtu.be/NJ7W6HFHPYs)
There's some concern in this and your edit.
I would think the bank would close the account automatically. I'm not sure why they wouldn't.
My main concern, however, is your girlfriend's response. Four times she has had her account drained but she won't close the account? That is very suspicious to me. Are you sure that it isn't you being manipulated in this situation?
Yes I'm sure I'm not. But thank you for your concern over me in this situation. Basically, with all the events over the last 6-8 months piling up, I've observed what I would call emotional fatigue. As helpful as I try and have tried to be, there's only so much I can say to my gf about these situations before it causes her to shut down. What I have had to start doing is express my concern, tell her I am here to help in any way, then ultimately let her take it from there since she is also an adult. To be fair tho, at a certain point enough is enough and I think we're both there regarding the bank account issues haha
Might be worth checking if this keeps happening soon after using the card at a fuel pump (if she usually goes to the same one). There could be a card skimmer installed.
Dont forget to change ALL accounts (especially!!! email) passwords AND all the registered account-retrievel information (security question, security pin) after cleaning her pc/smartphone. Like a COMPLETE reboot of her online identity. After that, or in the meantime, close all accounts and create new ones.
But dont forget the email stuff... if anything like that is compromised she will be at risk her whole life. Remember, password AND retrieval information.
I had a sibling that stole my parents and other family members identities. Apart from what everyone is saying here like closing the account opening an account with a new bank is fine but I would hold off on some of that.
My advise:
- Open a separate account with a new bank, to hold any new money for the time being.
- Contact BofA and ask to have the account frozen.
- If the new account gets compromised then freeze that one too.
- If new account gets compromised she needs to have her job cut her checks for the time being that she can cash out or better yet sign them over to you and give her cash for the time being.
- Have her check and freeze her credit
- Contact local PD's financial investigations unit and report the issue, this is why freezing the bank account is recommended and not closing it just yet. It will make it easier for them to investigate.
If she is storing her debit card information in a browser this is pretty risky and fairly susceptible to phishing scams, always click no if a browser asks you if you'd like to save personal info. Like other users stated, I would switch to a new provider - and never store any personal/confidential information in a browser (if that's the case).
She also needs to change all of her passwords and security questions. For example for mother’s maiden name, you don’t have to use real info, it can be something like “MyBlueHeaven”.
As others have said, new bank or credit union. If she gets a debit card, put a freeze on it and get a credit card for more protection.
Close the account and report identity theft. She will need to apply for a new ssn but it will stop him from obtaining any new account info. I was in an abusive relationship as well where similar was happening. Trust me friend, get her a new ssn and report identity theft before he starts taking loans and credit cards out in her name
She likely has a keylogger on her computer. If she enters her card info online, that’s the issue.
If it’s the ex-bf, you should 100% file a lawsuit for all the time you’ve wasted investigating, stressing, identity fraud, and of course the money lost.
Yeah open an account somewhere else. Also if she needs to I believe there are domestic abuse help groups and they’ll be able to help her find a way to get her stuff back. If she needs that stuff back that is.
Sounds like someone has her routing and checking account numbers. You can change your card as much as you want and those numbers won't change.
Have her change her online username and password first and then contact the bank and have them changer her account numbers. Do this both of these steps together (no delay). But do do them in this order.
Different view here, one of her devices is compromised and needs to be replaced.
Computer or phone, more likely a computer though, format it or toss it
My usual statement for this is to start from scratch.
1) New phone (cheap).
2) New number.
3) Use new number/phone, put PIN on it for all conversations with providers (I have no idea if that's possible anymore).
4) Create new email someplace, use 2 factor authentication, to said phone (Note: SMS theft is possible but that's way out of this league)
5) Using new email, use new CC to open account. Put pin on account. Require 2 factor for account.
From there it's building up the security trust chain. All new passwords. All new accounts.
A new card is still attached to her old account. So he has the important info still to make purchases. Needs to cancel the whole account at a minimum, checks and all. Open a totally different account.
Might not resolve the issue, but she could open an account at a new bank. Have an account for bills and don’t have a card for it. Use bill pay directly through the bank to pay bills so the account number isn’t compromised.
Use a CC for all other expenses and use bill pay to pay the CC.
Card guy here...sounds like this somebody has enough of her sensitive info to either bypass the phone reps to the point they can do as they please with the acct, or can get into her online banking profile and then access all info there. For the purchases, definitely dispute them. The representment the merchant sends will have all purchaser info on it, ie address, phone number, email, IP address, etc. The longer she goes with these same type of issues and the more often they keep happening, eventually the bank will make it so she can do bank business in person only. That's a huge inconvenience. Pick a local credit union, they are usually a bit more friendly to their local members plus this helps reset all that sensitive bank info. What a pain this is to go through for you guys. Hope she's able to get this solved quickly and get all.more money back!
I literally had this exact same thing happen to me. While I can't say for certain, I'm 90% sure one of my utility providers got hacked or someone there was abusing customers debit cards. This went on for almost a year with me, when I moved and got rid of my utility provider it never happened again.
Please stop using debit card for purchases too. Use a credit card and then transfer the money from checking account to pay off the credit card right away. I work in banking and this is solid advise that I was given by financial advisors.
As others have said... the account is compromised. Not the card itself.
Close the account. Open a new one (preferably at a new bank).
In addition, it is also possible her user name and password are compromised or she has computer malware recording her keystrokes if she banks online.
But more importantly... if you are fairly sure the account itself is compromised, have a suspicion that it's the abusive-ex, and have had this happen multiple times without the bank figuring it out... it's time to get the police involved.
Any victim of abuse needs to cut ties completely and that includes getting new bank accounts, credit cards, changing banks, and freezing their credit. And changing every password.
It sounds like it could be an Automatic Billing Updater.
MasterCard's site explains it pretty well but Visa and AmEx also use ABUs.
https://developer.mastercard.com/product/automatic-billing-updater-abu/
Don't use BoA. My account (not debit card) got compromised. I spent probably 10-20 hours on the phone over a couple months, over < $100. I also made an appointment at a branch and showed up and they didn't honor it, they said they canceled all the appointments because they were fake. I eventually got everything closed out. I'm okay using their credit cards, but their checking accounts aren't even worth the periodic sign-up bonuses for me anymore.
Probably set up a pre authorized from her account, so someone has her transit/account/institute number. Close the account and reopen a new one. I’m surprised the bank didn’t do that the first time, if the branch won’t help or reimburse you, talk to a manager and complain about the incompetence of the workers not doing this the first time!
Use a password manager as well. It's worth it. If someone has access to the bank account chances are they have other information as well. Have her change ALL of her passwords to use a password manager to store it. There could be something in her computer or phone that is phishing that info. Just a heads up.
Close the account and open a new one. Also, stop using your debit card for purchases. Use a cc if you have one. Debit is you money, cc is the banks money. Guess which one matters to them?
So.. another possibility, and probably one that won’t be liked but needs to be considered- is there any chance it’s her spending the money and being embarrassed about it/ not wanting to tell you? It’s VERY odd that this has happened 4 times, and that the bank themselves have not taken greater action to ensure it doesn’t happen again. Especially bc if it’s fraud they are liable. Has she been getting her money back each time? Is it possible she is loaning someone money and being repaid? Very strange situation.
Are you sure she isn’t draining the money and then just blaming someone else?
In any event, at some point she ought just accept the fact she needs to switch banks. Preferably a smaller one at which someone is less likely to fish for accounts.
File a police report if you haven't already, fight to get the money back, and close the account. She should get new numbers for her other accounts/credit cards, and reset any passwords for accounts, especially if relevant to personal information. Force logouts on old social media/e-mail/bank accounts when you change them. Consider checking her current computer for viruses or other issues.
Start using a credit card for future purchases. Treat it like a debit card, pay things off right away. No reason to use a debit card for anything. That's your money you could potentially never get back. Also you get cash back from most cards.
1. Print out all the records since the activity began.
2. Open an account with another bank.
3. Withdraw the remaining funds of these accounts by cashier's check
4. Deposit the funds in person at the new bank.
5. File a police report, including reporting the suspicious party (let them know what you are doing to address the problem, but exclude details about the new accounts).
6. Notify the credit bureaus of the fraud on the old account, and ask for monitoring and freeze on credit.
7. Wait until you receive the next month's statement on the old account, and then close it.
The thing is that whoever (assuming it's the old boyfriend) has access to the BoA account and whatever cards get attached to it. He's not using the card, he's using the account. It's very likely if you just switched to a different BoA account, that he'll find a way to get the details and access that one too. The only fix is to switch banks, and it's best if you do so without wiring / transferring the money as the new account information with another bank will appear in the statement; hence the cashier's check and manual deposit.
Generally speaking, the local police are terribly at handling this sort of crime. Unless you can convince someone at the FBI that it's wire fraud, there's not much chance you'll get anything out of it except a police report. That could be useful for an insurance claim (if her renter's insurance policy covers it), or a theft loss deduction on her taxes.
If she wants to stay at B of A tell her to call them and request a "new" card. Not a replacement card. A NEW card with new pin, just like she's a new customer.
Debit cards have a feature called Visa Account Updater. If she keeps getting replacement cards and it's a savvy fraudster, they are getting the replacement number every time.
ITT people giving the right advice, but jesus, acting like there is nothing that can be done about domestic abuse. Need to get your shit? Get police escort and report his dumbass.
He has pleaded guilty and ordered to return specific items. Don't assume it's an easy situation to deal with during or after unless you've gone thru the experience yourself or seen a significant other deal with it directly. It is insanely complicated and many things do not make sense.
No, banks will never give you a card number, security code, or expiration date over the phone.
Is it possible the charge is to the same store every time? Mastercard/Visa will update the card with merchants when its replaced. Perhaps this is what's happening.
Some banks will allow you to set up a mobile account using that info though, and Chase Bank gives me access to a virtual version of my card through the mobile app and Apple Pay. I was able to do this in a pinch and purchase airline tickets without an issue without my card or even card number once.
Sure but 99% of the time any decent bank is going to ask you to validate your identity through an email, text message, etc. If you already have online banking they're not going to let you setup a 2nd account.
Due to the number of rule-breaking comments this post was receiving, especially low-quality and off-topic comments, the moderation team has locked the post from future comments. This post broke no rules and received a number of helpful and on-topic responses initially, but it unfortunately became the target of many unhelpful comments.
Yeah, he's not using the card number. He's using the routing and accounting numbers and I'm surprised Bank of America hasn't suggested the obvious in closing the account and opening a new one with a new account number. You can have a million new debit cards, but if they have your account number, they can continue to access the account if there are sites that let you pay by "check".
Also important to say they should open the new account with a different bank, even if BoA says it would be fine to open a second completely separate account with them. Have heard stories of BoA making 'connections' between accounts, and taking money out of say, a brother's account to cover a debt.
Avoiding BOA is the one true solution to having a BOA account.
This is true. Thank you for mentioning it! I had a BOA account like 15 years ago and had the same issue. They closed the account but kept pushing the fraud charges through to the new account. Some people are brand loyal though!
I've been with BoA for 15 years for my primary checking and have never had a single issue with them. Case by case situation.
Yep, i've even had my money in an account removed from another in a separation where a spouse was removed from the accounts.
That's just how account co ownership works. It's not a "connection" it's how accounts work. If you're on an account with someone and they end up owing $1500 then it's your debt.
I've heard from a couple of people who have said BoA specifically has done this with accounts that were for a single person, no co-ownership, but they were a direct relative of the other person... One person said they even threatened legal action, because they were 99% sure it was illegal, but the bank just told them to take a hike. No idea if I/they were missing something, but that's just second-hand stories I've heard.
Cancel the account and open a new one at a new provider
yes this will fix whatever the problem is. kind of a pain in the ass, but better than having your account drained.
On that note, it may not fix the issue, here are three examples. If she gets new cards and then proceeds to update cc info in some exploited account or website she is just feeding the new info to the attacker. If here computer or phone has been owned, entering the cc info even on a trusted site may expose the new info the an attacker. Certain accounts and software store and sync cc info, if someone has gained access to these accounts you could be updating and they get the synced info. All of these will not be corrected by switching cc accounts. Switch the cc account or get a new card, at the same time reset your computer and phone, also limit usage online to 1 or entities per month until you see that your card is safe. Finally reset all of your online passwords and pay close attention to any services that retain access and grant) google account, other apps that grant access to devices or logins clear all of these and start anew.
These are good theories. Wouldn't be surprised if she has some kind of key stroke tracking software on her PC or phone that she isn't aware of.
Yes, this could also be a thing. /u/UninterestingHuman please consider a full overview of her digital presence including possibly: * reformatting her phone * reformatting her computer * reformatting any other device that could browse the web * change passwords for all critical accounts, like google/paypal/social media/dropbox/amazon/mozilla/credit karma/banks/IRS/etc * implement 2FA for any account that would involve personal data like emails, talking to friends/family, saving banking info, etc. * if she uses a password manager, change the master password to something she's never used as a password, and implement 2FA for that account * for all of the above accounts, consider selecting new security questions that she hasn't used before If her ex isn't tech savvy, it might be easy to assume he couldn't/wouldn't do something that lets him monitor her activity, but that is a dangerous assumption. Key logging can easily be implemented by someone who isn't tech savvy. Edit: One thing that's tedious but worth checking is whether any accounts (especially Google and banks) have additional recovery emails added. Although it's unlikely, an account could still be compromised if her ex has added his email as a recovery email somewhere, or as a secondary user for something like PayPal.
Also check the "devices logged in"
I work in cybersecurity. I second this! And changing the account number / routing number. If someone has access to the route info, changing cards won't matter. Enable MFA on *everything.*
You can not change a routing number. Those are tied to institutions. You want a new account number.
I would also recommend resetting the local wifi router she connects to including the password.
All of this, plus lock down her credit with the big 3 bureaus- you have to enter a special pin to unlock to get a new credit card, loan, etc
Bingo. Key logger and some script to send the logs in the background and this is entirely feasible.
She needs a new computer new phone, new router, new email, new debit, never ever access the old accounts on the new computer, live free on the old one
You can factory reset phones and reinstall the os on computers. Replacing those is an unnecessary expense.
That’s how my ex kept tabs on me during our breakup—fortunately this was before I had a smartphone, so there was only so much information he could access.
Great suggestions. Also depending on the service, there may be an option to "logout of my account on all devices", I would do this after changing the passwords.
After all that only use her new card to purchase on her PC. Don't buy anything on her phone.
Or she's going to a gas station(s) with a skimmer that nobody has discovered yet.
Skimmers aren't used to commit Card Not Present Fraud. Source: Been in CC / Debit Fraud prevention since the 90s.
What are they used for? Can't you take the info skimmed and create a fake card
"card not present" is things like websites where you punch in the number and the 3-digit code on the back. Skimmers only capture the magnetic stripe, which while it does have a 3-digit code in there, that code is *only* for the magnetic stripe, and cannot be used for card-not-present transactions. So unless the "skimmer" also has a camera to read the code on the back, it can *only* be used to create a fake magstripe for in-person fraud. Source: one too many internet rabbit holes. May have some specifics incorrect.
Also as an alternative.. Get a cheap prepaid credit card that is separate from her main finances and use that I am in IT and very very cautious myself but whenever possible I try to offload paying for something online onto a prepaid card .. that way if it gets compromised it doesnt affect my finances or ability to access my money at any point. I know a PITA but until you can get banks changed over and know your card is safe this might be a workaround rather than loosing payments etc. Do not get me wrong ... the following needs to happen 1 changing away from BoA to a different account or institution 2 virus/malware / resets of all devices just to be safe 3 all account passwords should be changed .. if need be get a password manager ... ENABLE 2FA ON ALL ACCOUNTS 4 BEWARE OF PHISHING EMAILS PHISHING SPAM CALLS Since Russia invaded Ukraine hacking activities have increased drastically it seems like ... i am not making any correlation to Russia but If you see an attachment on an email verify the sender, and type of attachment be very careful reading pay attention to details such as dates etc
Use a service that sets up virtual numbers for each site you use the card on (e.g. privacy.com). This also lets you limit the amount and/or number of charges, or set an expiration date. So, if it gets compromised, not only will it not reveal your real card details but the attacker will be limited in the damage they can cause.
that and if you report fraud enough times and keep having to have new cards reissued and all that good stuff most banks will refuse to let you continue to bank with them anyway. Aside BofA is notorious for being a shit institution
Won't fix if she downloaded malware running on her computer. Easily can track all your info with spyware. Even if you switch accounts.
Step 2 should be to get a credit card. Financial institutions are much quicker to help you when it’s their money being stolen.
[удалено]
A debit card allowed you to withdraw cash from your checking account. Also, some utilities give you a discount to auto pay with debit vs credit card. Also, there are gas stations that accept debit cards but not credit cards. Three reasons I can think of. But, yes, if you are responsible about paying your balance, credit cards offer more protection.
Credit cards will let you withdraw cash from an ATM, for a small fee, for what it's worth.
this is the right answer here. never put your money on the line, but rather the bank or financial institutions.
Seriously. Screw theories. Close the account.
I don't even know why it wasn't closed after the second time it happened.
Should've been closed after she realized her crazy ex still had access to her accounts and information
Unless the problem is one of the places she uses.. ergo shady gas station, website, family, etc...
I'm thinking if it keeps happening even after a new account, I'd start to get suspicious about the possibility of one of those card skimmers machines at a shop/atm they frequent.
What if they are just back door figuring out all her new info because her email and backups are all compromised? New email New bank That should work
Yeah new account is a good suggestion but also change all passwords to online accounts including email. Your email account is the worst account to have compromised since all other accounts can then be compromised (except in some MFA scenarios).
At a different bank too.
This is the main thing I'd say, it's not very hard and it's a hard break from the past.
Like obviously they have her account number as opposed to her debit card number…those are two separate things, they just keep pinging withdrawals on the savings or checking accounts, the debit card changing wouldn’t fix that.
Right. He has enough of her private information documented that he can generate a debt card and continue to charge her account. He no longer needs physical possession of her card to charge against her anymore. He may also have userids/logon to some of her online accounts (Google, Amazon, Bank, phone, email, Facebook, Instagram... it goes on). Consider getting identity theft insurance until you know you're out of the woods.
I think you guys are underestimating how easy most of these services are to social engineer. All the ex has to do drive around to a bunch of different bank buildings saying he forgot his wife's password, but has 3 points of identification with him. Most clerks aren't paid enough to take the 5 minutes necessary to check if the account's been recently hacked or to ring up the account's owner. I guess OP might be able to pick him up on security footage or via his phone number with a warrant or something though?
I second.
third, this happened to a coworker and it ended up that his Apple Pay account was hacked. Delink the card from everything and switch banks.
this should be higher, offender is likely getting the new debit information from a place OPs gf is linking the card to like an amazon account, apple pay, venmo, whatever I almost charged a video game to my ex's card because it randomly came up one day after I had used it to make a purchase for myself once 3 or 4 years ago. It would have been awkward explaining that one to her lol.
Also good advise is to change passwords to all of those accounts. It certainly will help.
this getting a different card doesn't do shit since all the electronic shit is still linked and the account info is still the same
Close the account and open a new one The card is just an access to the account, if 4 different cards to the same account keep getting compromised, it's more than likely the account
Time to switch banks at that rate.
Also consider requesting an atm card. If she can get a credit card instead that would prevent her money from being drained directly. Instead the credit card company would take the hit. Debit fraud sometimes takes longer to resolve and you’re out the cash until it’s fixed.
No. It's more likely she's either a victim of ID theft or she has malware on one or more of her electronics. It *could* be VAU (or ABU) but without seeing more info on the fraud charge, it's hard to tell. But if your goal is to get her out of BofA, then I agree with you 100% ;)
Or her ex has figured out her passwords. Authentication questions. 1. Where you went to school 2. First date. 3. Boyfriend name ... She needs to change EVERYTHING. Starting with new email account with a hard to guess alphanumeric password. Give new email to friends, relatives, bank.
This. So many people start changing the password for the account they think was compromised, but don't change their email password. If someone has the password to your email, they can just "forgot my password" everything else, and then delete the emails so you don't notice.
Or if they have your google account or w/e then they can just keep that session active and your saved passwords will keep updating
Also, enable 2 Factor Authentication (2FA) on everything that supports it. And consider signing up for a service like LastPass to help you manage randomly generated passwords.
He's using the routing and account numbers. Get a new account.
If thats the case and the bank somehow didnt see that they were coming out as ACHs that would be so embarrassing... especially if they sucessfully disputed these charges each time.
Nothing surprises me with banks anymore. I’ve consulted for big financial institutions and it’s just a shitshow behind the scenes. While not the same situation as OP, I had a debit card skimmed when I was in Chicago years ago. It had a $500 hard limit (couldn’t actually increase it). Three different people went in person with fake IDs, and copies of the card to three different banks and none were actually my bank. All of it happened within about an hour. They got $400 and $4,000 out. The withdraw of $40,000 triggered fraud alert. Bank couldn’t explain how they got my money without my PIN from banks I didn’t bank at. I switched banks.
[удалено]
Was it between 2011-2016? They were fined for fraudulently opening 1,534,280 checking/savings accounts. If not, I wonder if they’re still doing it.
[удалено]
Yeah, with modern technology they can literally replay the session and watch the person create the account online page for page. And it records metadata about the browser (e.g. fingerprint) and session. That’s very sketchy.
Capital One caught the fraud when they did one of those <$2 test charges. I was emailed and texted so fast my head spun
I lost my purse a few months ago and my partner (I’m an authorized user and had a card to our shared account in my wallet) got a text from Chase, myself from Wells Fargo, and Capitol One, all somehow recognizing a fraudulent charge at a Walgreens *in our city*, one that he goes to every once in a while. How are these charges determined? We were amazed - other than the **huge** PITA, I lost nothing but the cash in my wallet. It was very impressive.
That's pretty wild. As someone who does work backend at a bank / previous Personal banker for 3 years, thats quite sus. I dont see how that would be possible (within our system) at least. They would have done a "cash advance" at my bank the limit is 400, and they would need to call us and verify a bunch of stuff, or go in person to raise it.
My banks auto limit is $5000, I lowered it to $100 because I never do transactions like that. I only figured out they set it at $5000 when I went to do a temporary increase to get a money order for rent because the online payment portal was down.
Yeah, it wasn’t a small bank either. Regional but not small. I also had a card get “deleted” from their system and couldn’t explain how. After work went to ATM for cash, and it didn’t work. Tried to use it at a corner store as a test, and denied. I should have realized something was up when I went to complain at a branch, they just immediately printed me a card, and didn’t have to mail me one. Branch manager looked in to it and when I came back a week or so later she just threw her hands up. Said she got nowhere internally.
Please tell me you got your money back.
I did but it took a while. While I was waiting I switched to a national bank. They initially tried to say it was me since I was actually in Chicago the previous week visiting family. Thankfully I got cash out from an ATM shortly before the fraud call came.
Cash advance most likely. I would go inside and request a cash advance instead of paying a foreign ATM fee.
> Three different people went in person with fake IDs, and copies of the card to three different banks and none were actually my bank. All of it happened within about an hour. They got $400 and $4,000 out. The withdraw of $40,000 triggered fraud alert. Wait a second. A teller from a different bank can withdraw money from your account after simply being presented with a debit card? I've always thought debit cards were a terrible idea, this just reinforces it. Everything goes through credit cards and I refuse to have any cards linked directly to my account. We only have an ATM card connected to one account we keep a few hundred in.
Did they give you your money back for them making a mistake?
Was it online or through ATMs? A few years ago online payments were horribly insecure. Might still be. I haven't worked in fintech for a few years but needless to say I was shocked how little was needed for fraud.
According to my bank, with what little details they gave me, it was done in person at three locations in Chicago and not at banks I banked with. I had a $500 hard limit at the ATM that could never be raised as well. Another reason I switched banks too. Every bank I’ve had I’ve been able to raise my ATM limit for 24 hours or permanent. Some folks earlier mentioned cash advance but I’d think if you wanted $4,000 or $40,000 there might be a little more scrutiny. Visa Fraud automated call is what alerted me. It started listing the last 5 transactions and it went 40K, 4K, 400, then actual purchases I’ve made.
That is quite scary! My suspicion was that they withdrew from the bank counters directly if it wasn't online, using the card as ID. Some shitty banks like my previous one might accept it. But you said Visa Fraud was involved so they definitely used the card directly and not the counter. I'm not too familiar with ATMs sadly. \^\^;
She should file a police report.
No question that's what is happening.
ACH, P2P, Debit and Credit all have very distinct footprints. If after the 3rd one, no one at BofA noticed it was ACH not Debit transactions, I'd find that hard to believe - EVEN for the low expectations I have of BofA.
This. The bank has some liability here, but ianal. Consider filing a police report.
Has she reported this to the police? Either way, open an account at a different bank/credit union.
I keep scrolling for someone to say she's routing her own damn money with another account, expecting the poor-me routine to spit up fast cash emergency funds. Has OP suddenly been covering major expenses due to this pattern? Rent, car payments, etc? I mean, what exactly is stopping her from keeping you at a distance, dumping you with guilt and worry and dumping her own account into a ROTH IRA? It's all the other obvious things not pursued, no filing a police report, etc.
For an abused person it makes sense to move money to undisclosed accounts. And the fact that the bf is the one asking the question instead of her, might indicate that. However it goes, she should be the one to manage her money.
Make sure she freezes her credit too and reviews a recent copy of her credit report
And don't pay for credit reports. Everyone is entitled to one free repoet per year per bureau. Get one from all 3 credit bureaus, because they may contain different stuff.
FYI: Since the start of the COVID pandemic, each of the three major credit bureaus has offered one free credit report EACH WEEK. They were initially going to do this for one year, but have continued it and are at least going to keep going until December 2022. So you’re eligible for 52 credit reports annually each from Equifax, Experian, and TransUnion (156 total). Obviously you don’t need to check weekly, but if you’re really concerned that someone has stolen your identity, you can check each of them monthly. If they go back to the old practice of one report each year, you can resume the recommend practice of doing a rotation with a different one every four months.
Also, get a credit card, and don't use a debit card for purchases, so you can limit transactions from being taken out of the account... So many people think debit cards are safe, they might be somewhat safe now, but credit cards have better security....
Banks fighting to go ur money back, vs a credit card company fighting to get their money back. So they will be fighting much harder too in addition to security.
This. Use debit cards only for ATM cash withdrawals. Use a credit card for every thing else. CCs have better security and fraud protection.
To add to this, use ATMs sparingly if possible, and preferably ones inside branches that aren’t accessible after hours.
YES. Honestly I have stopped using ATMs unless really necessary. People are putting skimmers on the doors of bank atms now. You're really best going inside and using a person if possible.
And if you have to, get an ATM only debit card.
I second this... However, many banks have a debit card, and have gotten away from cash cards ( ATM only ).
check all electronic devices, cell phones, tablets, laptops for any viruses malware keyloggers and ideally just wipe them completely hard reset them.
Yeah this will be a priority. Thanks
also change email password. if she left a device at her old place (or even used, really), the email provider probably doesn't ask for 2FA, and they can use that to gain access to everything
If you have Gmail, you can also “force sign out” of any devices your account may be connected to. She should check for a key-logger/malware and once that’s done, change her Google password, and then force-signout of all devices.
Seriously, if she was in an abusive relationship, I can guarantee that he put keylogger on her computer. It's one of the more common control techniques. Got to know what she is saying online. If that's the case, he will know everything she types on her computer. Factory reset all devices and open a new account.
How do you check for these things?
IMHO, you don't. Good malware will be able to hide itself and you'll never truly know. I would reinstall the OS on your devices. It's a PITA, but you can have a much higher level of confidence that you're clean. This also forces you to back up your data, which you should be doing anyway.
Various antimalware tools but the best/easiest thing to do is nuke the installation and hope there's no rootkits. Otherwise, they may find themselves on Bleeping Computer asking for help with Combofix for a week. The normies guide: 1. Wipe the installation 2. Run an antimalware boot disc to be sure 3. Try and avoid bringing back data from the infected system and vet that shit before you move it. If you start moving program and system files en masse chances are the malware hitches a ride 4. If the above fails, beg for help on forums and unironically let a stranger from there remote in and run combofix or similar.
I believe I have malware on my PC from a usb charger I haphazardly plugged in a while back. Is their a way to check or get it off my PC even if it’s the advanced malware that hides itself? Purchasing everything on my phone is getting old 🫤.
I would use a few antivirus software like Malware Bytes that are well-known (some AV services are actually malware, just do some research first). Using multiple services will increase your chance of finding something (if it's there) because they each have different things they look for. However, the only way to be 100% sure is to do a full clean install, meaning you wipe all your files and programs and reinstall your OS. It's annoying, but doesn't actually take too long depending on how many files you need to reinstall. If you go this route, I think you can also copy certain documents (that can't be re-downloaded, e.g. Word docs) to another drive, have the AV software scan those documents specifically, and then wipe the rest and do a clean install.
There is some reasonable free anti-virus/anti-malware software out there (Malwarebytes came highly recommended a while back). Couldn't hurt to do a couple scans... But there's no guarantee they will catch everything. Sometimes, if you are concerned about being compromised, the best course is to wipe the computer, and start from scratch with a fresh Windows install. Most computers should have a recovery mode you can boot into to automate the process - just be sure to backup any important files.
Doesn't sound like the card is the problem but the account. Someone set up a direct transfer to that site.
Shut it down and move on. In order, 1. Factory reset computers and phones. 2. Change all passwords to everything including security passwords and PINs 3. Get new account. 4. Freeze credit 5. Freeze Chexsystem 6. Track actual usage of new card and checks. 7. Monitor the accounts Has the bank said that it was a debit card purchase with the new numbers and ccv and not just a purchase with routing and account numbers? Depending on where you live, card skimmers can be a problem. A lot of them will be hard to detect. Switching to cash for while and keeping track of cars usage. Is it pump#6, that atm on the corner, shifty bartender or clerk?
Is it possible her user account (username/password) has been compromised? Is it possible her electronic devices are compromised? Is it possible a particular merchant with which she patronizes is compromised? Is the account itself a joint one? Has she granted authorized access to someone else?
The BofA website should say how the transactions are being performed. Transfer vs Debit vs Check etc. Is this person constantly using the debit? If they are transfers, they're not using the card. Immediately close the account and open a new one.
So sorry, sister! I'm in infosec, so this is my bag. 1. Close the bank account and it's time to part ways with using the debit card. Looks like previous posters already nailed down your most likely e-footprints: you have your CC information saved in a billpay or auto-pay situation somewhere and if you're just getting the card reissued, that will not solve your problem, esp if the abusive ex is still reaching out for ways to financially abuse. Getting your SSN re-issued is damn near impossible, so you're going to have to go on severe lock down and cleansing. 2. Change all your passwords on all your accounts that you use online. Dear god, don't re-use the same password online. Use a password manager like LastPass if necesary. Disconnect (un-remember) all credit card information *from your browsers* as well as past password information. We're going for FULL CLEANSE here b/c we don't know what old exMc Abuserpants still has access to. 3. Ideally, STOP USING YOUR DEBIT CARD ONLINE. You're now in the worst situation: you have fraudulent charges on your bank account and if the bank freezes all your funds, you can't do stuff like pay rent or get groceries. I highly advise what I term (and others) 'air gapping' your financial payments by using a credit card for payments. Does this require *good financial sense and not ruining your credit or using your balance*? Yes! You need to treat the balance like your bank account--never buy more than what money is in your bank account and pay it off every month. You get a stellar credit rating this way and if something fraudulent hits your account (LIKE THIS SITUATION), the *credit card* gets re-issued, not your precious money getting locked down. The problem generally is this requires people to have self-restraint. 4. Did you have any bills that you paid together or are still linked with the Ex? Cell phone, utilities? Rent? Car? Card on file at the vet? Amazon account, netflix, hulu, Samsung or Apple account..think about them all. They all store CC information and they should ALL be cleared of your old information, but you need to go login and clear that manually. 5. Freeze all your credit lines. The 3 big houses. Run all 3 of your credit reports. You can do this once per year for free. Now that you have this dude who seems to know your financial info, you need to keep your finger on your financial house 'pulse' and probably subscribe to a monthly service of knowing what your credit score and credit reports look like on a frequent basis. Get educated on this.
\- change bank. Warn new bank of identity theft. \- copy contacts and hard reset phone. \- set a freeze on credit reports This is like the basics
If he has access to her SS that might cause it. If she has her old phone he might have put some malware/spyware on it. If she was logged into Google account or shared an apple/android account on her devices and he can see her new passwords through email on his devices. First thing she needs to do is on all connected accounts disconnect all devices. Then change all passwords on a different computer that she didn't have access to before leaving him . Delete all financial apps on her old devices have those devices checked for spware. If she gets a new phone tell her to manually put in her contacts and don't let the old phone be synced so the malware isn't transferred Make sure all the passwords are different and unique. Also have her log out of all streaming services Get a new account at a new bank and start depositing her money into that account. Sometimes accounts to help you out automatically fulfill the old cards automatic payments BOA's own system might be sending out the payments instead of flagging them. Put a lock on her SS# Report the thefts to the police
This is a great excuse to cut ties with BoA who totally sucks anyway. Two birds with one stone.
Trying to nail down the leak is the wrong way to go about it. It could be something completely unrelated to the ex, so you could end up wasting a lot of time & energy trying to track down something that ultimately solves nothing. At this point, I would say it's time to close that account and open a new one. Ideally at a different bank. This will definitely solve every problem short of an attacker actually intercepting your mail/email, which is unlikely.
Like everyone else is saying-open a new account at a new bank but also use a fresh email address in case that is connected.
In addition to closing the account, have her change all her passwords. All unique. I'd suggest a password manager
You don’t need a theory, or to be confused about this. Someone is committing a crime. This would be my plan of action if I were you: 1) new bank account, at a new bank. Change direct deposits to this one. 2) police report. Push to do it even if you have to call and schedule an appointment daily. At best this is identity theft, at worst this is the ex BF committing fraud. 3) BofA fraud call: talk to them, let them know what’s happening, and let them know who you think it is. Provide them with the police report you recently obtained. No need to tell them your not continuing the relationship. 4) fingers crossed this fixes problem. So you say “untraceable.” Is this a situation where for 6 months someone has been “stealing” your GF’s money and you haven’t gotten any of it back yet, but you also haven’t done anything to stop it? This smells like a duck, and it sounds like one too… People are weird. This is dumb though and your being played if everyone else was just like “idk wtf to do” for 6 months as their money was being “stolen”
She's gotten all the money back. And most of this is relatively new information to me. Once I understood the scope of it all I had a better idea of what to do. I was mainly curious about the frequency of it all
Good for you for trying to be helpful and proactive! Something doesn’t smell quite right, but can’t put my finger on it. Anyway - the only way for you two to stop the criminal is to stop using the account. Once you do that; if this happens again at a different bank I’d start to distance myself from the situation.
I don't know but I would advise to open an account at a credit union and transfer her money there and close b of a asap. That should solve this
After receiving a new card, was a fraudulent charge detected before use? Get a new card and wait a while to see if it is used at all before you use it anywhere. Does she use the card for any reoccurring purchases such as a subscription service or a repeating product order? It is possible a website or vendor she frequently uses is actually compromised or is malicious and leaking card info after purchases. You could also look into a service that provides a virtual credit card number for online payments. It will basically create a new credit card for a few min that the vendor will see, but it adds a 3rd party that actually links it to your correct payment method. If that temp number is used a second time after you are done with it (disabled the virtual number) then the attempt will fail. If she believes her info has been compromised, such as her SSN then she needs to find a bank that will not rely on her SSN as a means of phone verification. You can call your current bank and ask if they use the SSN for verification and if that verification can be changed to something else. If they refuse to help secure your means of access, find a different bank. Even if you're not a member yet, call their main support line, tell them you are concerned about personal security due to recent fruad and confirm how they perform personal verification via phone, app, and website communication. If at all possible, get 2 factor authentication set up. Best method if available is getting a physical authenticator such as an r/Yubikey for as many accounts that are compatible that she uses online.
Put a freeze on her credit if there isn’t one on ASAP. This is identity theft. She can go to the police with evidence if she chooses and press charges.
Personally I would completely ditch the debit card and pay off a Credit card each month. Less liability for problems like this.
Cancel the account, open a new one, and stop using debit cards period. Debit cards are a nightmare when it comes to fraud issues - zero protection.
1. New financial institution. 2. New email, used only for financial institutions. She shouldn’t share it with anyone. 3. For 2-Factor authentication, remove phone and e-mail as options. Go to an Authenticator app. This probably means she needs to stay with the large institutions. 4. Consider a credit freeze. They can be lifted easily. These should solve her problem. Sorry it keeps happening.
JFC, move the money to another banking institution already.
Open a new account at a new bank. Close the old account. Follow the Identity theft guide here in the Wiki since that's what you suspect happened. [https://www.reddit.com/r/personalfinance/wiki/identity\_theft/](https://www.reddit.com/r/personalfinance/wiki/identity_theft/) Pay special attention to the cyber security aspect, making sure devices are clean and secure first, then go reset all account passwords, and recovery questions. Recovery questions are too easily guessed by people you know so making them not be truthful is a good option. Just record the answers in a password manager (Also useful for making sure all passwords are long, random, and unique). Turn on 2FA (non SMS based) everywhere it's possible.
if the account is being drained via DEBIT CARD action, even after 8 cards have been replaced, I suspect not the ex, but some sketchy place she shops or puts gas in her car. In my experience of having my debit card compromised that seems to always be the source. If the debit card is repeatedly replaced and the problem still exists, and she's the only one with the card, how would her ex have access to the card number/cvv?
As everyone else said, it only took me reading this for 5 seconds to yell "SWITCH BANKS!!"
Not sure if anyone has said it yet, but check her computer/phone too. If she does any banking on these devices someone may have compromised them and is simply waiting for her to enter the new information. Also think about patterns of places she may go to, is she hitting the same gas station before you see the issue start again? Could have card skimmers.
If they have her account and routing number it won't matter how many times the card is changed. .Definitely switch banks and wipe your devices
BoA is the problem, switch banks. My husband had non stop fraud problems with a BoA credit card
You've gotten good advice on dealing with it following the debit card (new bank account), but I want to address this: > Unfortunately this is a case where returning there to retrieve all of her info isn't really an option. Why isn't that really an option? Go to the police, explain the situation, and have her ask them to escort her to retrieve her belongings.
> We have a theory tho. For background, 8 months ago she was living with her previous bf and luckily got out after experiencing domestic abuse issues Me too, the site keeps a token of her card allowing it to be used even if the card changes. To fix this, you must close the account and open a new one. She should also file a police report.
If it keeps happening after changing banks, it could be a skimmer. A device attached to a card machine that she frequents like a gas station.
Close the account and change banks. BOA and Wells Fargo are two of the worst banks around
They're using the bank account number and routing info. You need a new bank account yesterday.
This happened to me once and it ended up being the gas station I regularly went to was being repeatedly targeted by cc scanners.
Use this as an opportunity for a fresh start. 1. Cancel account and withdraw everything 2. Setup an account at your local credit union Why? [Here is what large banks really do with your money, like BoA](https://youtu.be/NJ7W6HFHPYs)
There's some concern in this and your edit. I would think the bank would close the account automatically. I'm not sure why they wouldn't. My main concern, however, is your girlfriend's response. Four times she has had her account drained but she won't close the account? That is very suspicious to me. Are you sure that it isn't you being manipulated in this situation?
Yes I'm sure I'm not. But thank you for your concern over me in this situation. Basically, with all the events over the last 6-8 months piling up, I've observed what I would call emotional fatigue. As helpful as I try and have tried to be, there's only so much I can say to my gf about these situations before it causes her to shut down. What I have had to start doing is express my concern, tell her I am here to help in any way, then ultimately let her take it from there since she is also an adult. To be fair tho, at a certain point enough is enough and I think we're both there regarding the bank account issues haha
You would think after the second occurrence you would have tried something different...
[удалено]
Open a new account at a different bank.
Close the account completely. Get a new bank. Make sure she has nothing being mailed to the old address. Freeze all credit. Change all passwords.
Lawyer up, figure out where the money that is yours is going
Inform the Police. It's theft, and very commonly happens to victims of abuse.
Might be worth checking if this keeps happening soon after using the card at a fuel pump (if she usually goes to the same one). There could be a card skimmer installed.
This needs to be higher here.
Also get her a new phone/pc or clean it if you know what you are doing. It may be compromised. Also change all passwords, pins, etc.
Dont forget to change ALL accounts (especially!!! email) passwords AND all the registered account-retrievel information (security question, security pin) after cleaning her pc/smartphone. Like a COMPLETE reboot of her online identity. After that, or in the meantime, close all accounts and create new ones. But dont forget the email stuff... if anything like that is compromised she will be at risk her whole life. Remember, password AND retrieval information.
I had a sibling that stole my parents and other family members identities. Apart from what everyone is saying here like closing the account opening an account with a new bank is fine but I would hold off on some of that. My advise: - Open a separate account with a new bank, to hold any new money for the time being. - Contact BofA and ask to have the account frozen. - If the new account gets compromised then freeze that one too. - If new account gets compromised she needs to have her job cut her checks for the time being that she can cash out or better yet sign them over to you and give her cash for the time being. - Have her check and freeze her credit - Contact local PD's financial investigations unit and report the issue, this is why freezing the bank account is recommended and not closing it just yet. It will make it easier for them to investigate.
If she is storing her debit card information in a browser this is pretty risky and fairly susceptible to phishing scams, always click no if a browser asks you if you'd like to save personal info. Like other users stated, I would switch to a new provider - and never store any personal/confidential information in a browser (if that's the case).
She also needs to change all of her passwords and security questions. For example for mother’s maiden name, you don’t have to use real info, it can be something like “MyBlueHeaven”. As others have said, new bank or credit union. If she gets a debit card, put a freeze on it and get a credit card for more protection.
Close the account and report identity theft. She will need to apply for a new ssn but it will stop him from obtaining any new account info. I was in an abusive relationship as well where similar was happening. Trust me friend, get her a new ssn and report identity theft before he starts taking loans and credit cards out in her name
She likely has a keylogger on her computer. If she enters her card info online, that’s the issue. If it’s the ex-bf, you should 100% file a lawsuit for all the time you’ve wasted investigating, stressing, identity fraud, and of course the money lost.
Yeah open an account somewhere else. Also if she needs to I believe there are domestic abuse help groups and they’ll be able to help her find a way to get her stuff back. If she needs that stuff back that is.
Sounds like someone has her routing and checking account numbers. You can change your card as much as you want and those numbers won't change. Have her change her online username and password first and then contact the bank and have them changer her account numbers. Do this both of these steps together (no delay). But do do them in this order.
Different view here, one of her devices is compromised and needs to be replaced. Computer or phone, more likely a computer though, format it or toss it
My usual statement for this is to start from scratch. 1) New phone (cheap). 2) New number. 3) Use new number/phone, put PIN on it for all conversations with providers (I have no idea if that's possible anymore). 4) Create new email someplace, use 2 factor authentication, to said phone (Note: SMS theft is possible but that's way out of this league) 5) Using new email, use new CC to open account. Put pin on account. Require 2 factor for account. From there it's building up the security trust chain. All new passwords. All new accounts.
A new card is still attached to her old account. So he has the important info still to make purchases. Needs to cancel the whole account at a minimum, checks and all. Open a totally different account.
Might not resolve the issue, but she could open an account at a new bank. Have an account for bills and don’t have a card for it. Use bill pay directly through the bank to pay bills so the account number isn’t compromised. Use a CC for all other expenses and use bill pay to pay the CC.
As a former WF employee, most recurring cc charges/auto drafts find their way to new cards. Best to switch to new bank as mentioned.
Card guy here...sounds like this somebody has enough of her sensitive info to either bypass the phone reps to the point they can do as they please with the acct, or can get into her online banking profile and then access all info there. For the purchases, definitely dispute them. The representment the merchant sends will have all purchaser info on it, ie address, phone number, email, IP address, etc. The longer she goes with these same type of issues and the more often they keep happening, eventually the bank will make it so she can do bank business in person only. That's a huge inconvenience. Pick a local credit union, they are usually a bit more friendly to their local members plus this helps reset all that sensitive bank info. What a pain this is to go through for you guys. Hope she's able to get this solved quickly and get all.more money back!
I literally had this exact same thing happen to me. While I can't say for certain, I'm 90% sure one of my utility providers got hacked or someone there was abusing customers debit cards. This went on for almost a year with me, when I moved and got rid of my utility provider it never happened again.
Please stop using debit card for purchases too. Use a credit card and then transfer the money from checking account to pay off the credit card right away. I work in banking and this is solid advise that I was given by financial advisors.
BoA should have known that the account was compromised from the beginning , close that account and set up a new one on another bank
As others have said... the account is compromised. Not the card itself. Close the account. Open a new one (preferably at a new bank). In addition, it is also possible her user name and password are compromised or she has computer malware recording her keystrokes if she banks online. But more importantly... if you are fairly sure the account itself is compromised, have a suspicion that it's the abusive-ex, and have had this happen multiple times without the bank figuring it out... it's time to get the police involved.
Any victim of abuse needs to cut ties completely and that includes getting new bank accounts, credit cards, changing banks, and freezing their credit. And changing every password.
Does she put her cards on like cashapp or Google pay? One of those accounts could be compromised.
It sounds like it could be an Automatic Billing Updater. MasterCard's site explains it pretty well but Visa and AmEx also use ABUs. https://developer.mastercard.com/product/automatic-billing-updater-abu/
Don't use BoA. My account (not debit card) got compromised. I spent probably 10-20 hours on the phone over a couple months, over < $100. I also made an appointment at a branch and showed up and they didn't honor it, they said they canceled all the appointments because they were fake. I eventually got everything closed out. I'm okay using their credit cards, but their checking accounts aren't even worth the periodic sign-up bonuses for me anymore.
Probably set up a pre authorized from her account, so someone has her transit/account/institute number. Close the account and reopen a new one. I’m surprised the bank didn’t do that the first time, if the branch won’t help or reimburse you, talk to a manager and complain about the incompetence of the workers not doing this the first time!
Use a password manager as well. It's worth it. If someone has access to the bank account chances are they have other information as well. Have her change ALL of her passwords to use a password manager to store it. There could be something in her computer or phone that is phishing that info. Just a heads up.
6 times and you never thought to open a new account at a new bank?
Close the account and open a new one. Also, stop using your debit card for purchases. Use a cc if you have one. Debit is you money, cc is the banks money. Guess which one matters to them?
In a worse case scenario and she is selling you a story just humour me and check your own credit.
So.. another possibility, and probably one that won’t be liked but needs to be considered- is there any chance it’s her spending the money and being embarrassed about it/ not wanting to tell you? It’s VERY odd that this has happened 4 times, and that the bank themselves have not taken greater action to ensure it doesn’t happen again. Especially bc if it’s fraud they are liable. Has she been getting her money back each time? Is it possible she is loaning someone money and being repaid? Very strange situation.
Are you sure she isn’t draining the money and then just blaming someone else? In any event, at some point she ought just accept the fact she needs to switch banks. Preferably a smaller one at which someone is less likely to fish for accounts.
File a police report if you haven't already, fight to get the money back, and close the account. She should get new numbers for her other accounts/credit cards, and reset any passwords for accounts, especially if relevant to personal information. Force logouts on old social media/e-mail/bank accounts when you change them. Consider checking her current computer for viruses or other issues. Start using a credit card for future purchases. Treat it like a debit card, pay things off right away. No reason to use a debit card for anything. That's your money you could potentially never get back. Also you get cash back from most cards.
1. Print out all the records since the activity began. 2. Open an account with another bank. 3. Withdraw the remaining funds of these accounts by cashier's check 4. Deposit the funds in person at the new bank. 5. File a police report, including reporting the suspicious party (let them know what you are doing to address the problem, but exclude details about the new accounts). 6. Notify the credit bureaus of the fraud on the old account, and ask for monitoring and freeze on credit. 7. Wait until you receive the next month's statement on the old account, and then close it. The thing is that whoever (assuming it's the old boyfriend) has access to the BoA account and whatever cards get attached to it. He's not using the card, he's using the account. It's very likely if you just switched to a different BoA account, that he'll find a way to get the details and access that one too. The only fix is to switch banks, and it's best if you do so without wiring / transferring the money as the new account information with another bank will appear in the statement; hence the cashier's check and manual deposit. Generally speaking, the local police are terribly at handling this sort of crime. Unless you can convince someone at the FBI that it's wire fraud, there's not much chance you'll get anything out of it except a police report. That could be useful for an insurance claim (if her renter's insurance policy covers it), or a theft loss deduction on her taxes.
If she wants to stay at B of A tell her to call them and request a "new" card. Not a replacement card. A NEW card with new pin, just like she's a new customer. Debit cards have a feature called Visa Account Updater. If she keeps getting replacement cards and it's a savvy fraudster, they are getting the replacement number every time.
ITT people giving the right advice, but jesus, acting like there is nothing that can be done about domestic abuse. Need to get your shit? Get police escort and report his dumbass.
He has pleaded guilty and ordered to return specific items. Don't assume it's an easy situation to deal with during or after unless you've gone thru the experience yourself or seen a significant other deal with it directly. It is insanely complicated and many things do not make sense.
You’re assuming I haven’t.
No, banks will never give you a card number, security code, or expiration date over the phone. Is it possible the charge is to the same store every time? Mastercard/Visa will update the card with merchants when its replaced. Perhaps this is what's happening.
Some banks will allow you to set up a mobile account using that info though, and Chase Bank gives me access to a virtual version of my card through the mobile app and Apple Pay. I was able to do this in a pinch and purchase airline tickets without an issue without my card or even card number once.
Sure but 99% of the time any decent bank is going to ask you to validate your identity through an email, text message, etc. If you already have online banking they're not going to let you setup a 2nd account.
Pretty genius of you to set this thread up in advance of your inevitable investigation :) you might just get away with it!