How Cybercrooks Can Hack Your Online Bank Accounts

If you think your checkbook and paper statements keep you safe, think again

You log into your banking site and immediately notice something’s wrong, horribly wrong.

Somehow, your account has been compromised and money is missing. At the risk of fearmongering, this isn’t as uncommon as you might think.

Like many Americans, you might have become a victim of bank fraud. And it’s usually tied to a password that has been stolen or guessed, or that you were tricked into sharing with cybercriminals.

“Unfortunately, most people use the same credentials for their online bank accounts as they do for social media and online shopping sites,” says Georgia Weidman, author of the book Penetration Testing: A Hands-On Introduction to Hacking. “If one of those vendors is compromised and attackers gain access to the stored credentials, they may be able to reuse them on the online banking site.”

Skepticism is your friend

“Another common attack is phishing, or basically asking the user to attack themselves,” says Weidman, who also founded Bulb Security.

The cybersecurity company is devoted to device vulnerability assessment, training and penetration testing — essentially ethical hackers for hire.

“An attacker might send you an email or text message pretending to be your bank and asking that you validate a recent purchase,” she says. “When you click on the link in the text message, it takes you to what looks exactly like your online bank account, except it is actually a clone controlled by the attacker.”

You might think you’re at, for example, but if you look closely, it’s
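The lookalike-address trick described above can be checked mechanically. This is an added example, not part of the original article: it parses a link the way a browser does and reports which site it really leads to. The domain `bank.example`, the function name and every sample link are constructed placeholders.

```javascript
// Added example: decide whether a link really points at the bank's own site.
// EXPECTED_DOMAIN and all SAMPLE_LINKS are constructed placeholders.
const EXPECTED_DOMAIN = "bank.example";

function checkLink(link, expected = EXPECTED_DOMAIN) {
  let url;
  try {
    url = new URL(link); // same parsing rules a browser applies
  } catch {
    return { ok: false, reason: "not a valid URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not HTTPS" };
  }
  if (url.username || url.password) {
    // Anything before "@" is a login name, not the site being visited.
    return { ok: false, reason: "text before @ hides the real host " + url.hostname };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing dot
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    // Non-ASCII lookalike letters appear as punycode once the URL is parsed.
    return { ok: false, reason: "look-alike characters in host " + host };
  }
  // Only the exact domain, or a name ending in ".<domain>", belongs to the bank.
  if (host === expected || host.endsWith("." + expected)) {
    return { ok: true, reason: "host belongs to " + expected };
  }
  return { ok: false, reason: "real host is " + host };
}

const SAMPLE_LINKS = [
  "https://www.bank.example/login",                 // genuine subdomain
  "https://bank.example.account-verify.test/login", // bank name used as a prefix
  "https://bank.example@login.test/",               // bank name placed before "@"
  "https://mybank.example/",                        // extra letters, different domain
  "https://b\u0430nk.example/",                     // Cyrillic "a" in place of Latin "a"
  "http://bank.example/",                           // right name, no encryption
];
for (const link of SAMPLE_LINKS) {
  const result = checkLink(link);
  console.log(result.ok ? "OK  " : "STOP", link, "->", result.reason);
}
```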

Some scammers will even call you — yes, by telephone — and pretend they’re from Microsoft, the IRS, your bank, and so on to try to persuade you to give out your personal information to (ironically) protect you.

Don’t fall for it.

“Besides, your bank or other financial institution won’t ask you to confirm these credentials in an email or by an unsolicited phone call,” says global security evangelist Tony Anscombe at ESET, also a technology security company. “When in doubt, contact your bank to see if it was really them. Chances are it wasn’t.”

Don’t bank online? You’re still at risk

And here’s a discomforting fact: Even if you don’t opt for online banking through a website or app, identity theft could lead to a crook opening an online account in your name.

What to do?

Reduce the odds of becoming a victim of bank fraud with these five tips.

1. Use strong and unique passwords

Never use the same password for all of your online activity. As Weidman cautions, if a service is hacked and your password is exposed — if your bank suffers a data breach, for instance — cybercriminals may try it on another account.

“Even if the password is similar between online accounts, hackers use software tools to try to guess the stolen credentials,” Anscombe says.

A recent study revealed the most common password was 123456, followed by 123456789 and QWERTY.

Also, don’t use your kids’ or pets’ names, phone number, date of birth, or mother’s maiden name. All of this info could be easily obtainable, especially in this era of social media.

Not only should you use different passwords for all accounts — and password manager apps are a handy way to remember them all — you also can use a passphrase instead of a password, a sequence of words and other characters including numbers and symbols.

Anscombe says a passphrase can be super easy to create, such as the phrase “my red Ford Mustang is No. 1” becoming the passphrase “myr3dFoMu#1!”
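The habits this tip warns against (one password on several sites, near-identical variants, and the common passwords named above) can be audited in a few lines. This is an added example, not part of the original article; the function names and the sample list of sites and passwords are constructed for illustration.

```javascript
// Added example, not from the article. COMMON holds the three passwords the
// article names; SAMPLE_VAULT is constructed data for illustration.
const COMMON = new Set(["123456", "123456789", "qwerty"]);
const SWAPS = { "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s" };

// Collapse variants of one password onto a shared "base word": lowercase,
// strip digits and symbols from both ends, then undo common letter swaps.
function baseWord(password) {
  const trimmed = password.toLowerCase().replace(/^[^a-z]+|[^a-z]+$/g, "");
  return trimmed.replace(/[013457@$]/g, (ch) => SWAPS[ch]);
}

// Returns { site: [issues] } where an issue is "common", "reused" or "similar".
function auditPasswords(vault) {
  const report = {};
  const byExact = new Map(); // password -> sites using exactly that password
  const byBase = new Map();  // base word -> entries whose passwords share it
  for (const entry of vault) {
    report[entry.site] = [];
    if (COMMON.has(entry.password.toLowerCase())) report[entry.site].push("common");
    byExact.set(entry.password, [...(byExact.get(entry.password) || []), entry.site]);
    const base = baseWord(entry.password);
    // Very short bases (or none, for all-digit passwords) would match by accident.
    if (base.length >= 4) byBase.set(base, [...(byBase.get(base) || []), entry]);
  }
  for (const sites of byExact.values()) {
    if (sites.length > 1) sites.forEach((site) => report[site].push("reused"));
  }
  for (const entries of byBase.values()) {
    // "similar" means the same base word sits behind at least two different passwords.
    if (new Set(entries.map((e) => e.password)).size > 1) {
      entries.forEach((e) => report[e.site].push("similar"));
    }
  }
  return report;
}

const SAMPLE_VAULT = [
  { site: "bank", password: "Summer2023!" },
  { site: "email", password: "summer2023" },
  { site: "shop", password: "Summer2023!" },
  { site: "forum", password: "qwerty" },
  { site: "photos", password: "corral-teapot-94-violin" },
];
console.log(auditPasswords(SAMPLE_VAULT));
```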

2. Enable two-factor authentication

Make it harder for the bad guys to access your data by adding a second layer of defense.

Two-factor authentication means you need not only a password, passcode or biometric logon such as a fingerprint or facial scan to confirm that only you can access your accounts, but also a one-time code sent to your mobile phone that you type in.

In other words, two-factor authentication combines something you know, your password, with something you have, your smartphone.

“Like password managers, two-factor authentication isn’t 100 percent perfect, but it puts you many steps ahead of other users who have weak or the same passwords on all their accounts,” Weidman says.

3. Install good antimalware

Just as you wouldn’t leave the front door to your home unlocked, you shouldn’t let your tech be vulnerable to attacks, whether it’s a virus or other malicious software, called malware, that sneaks onto your device or an attack that happens because you were tricked into giving out sensitive information.

Reputable antimalware that’s updated often can identify, quarantine, delete and report any suspicious activity coming into your computer or flag sensitive information going out.

“Most people don’t think of protecting their smartphone, too, which is a big problem,” Anscombe says. “Make sure you have good cybersecurity protection. And don’t fall for phony texts.”

4. Opt for fraud detection; review your statements

Some, but not all, credit-card companies and banks can push notifications to your mobile device if something looks suspicious during a purchase — such as a large amount charged or a location in a different state than your usual address.

You may be asked to confirm it was really you who made a purchase with a simple Y or N.

On a related note, be sure to review your bank statements every so often to see if anything looks odd. If so, contact your bank or credit-card company immediately.

5. Watch out for Wi-Fi hotspots

Do not conduct any financial transactions such as online banking, trading or shopping when you’re using a public computer in an airport lounge, hotel or library or when you’re using a public Wi-Fi network, say, at your favorite coffee shop.

You never know if your information is being tracked and logged — so wait until you’re on a secured internet connection at home. Or use your smartphone as a personal hotspot, which is safer than free Wi-Fi.

“And make sure no one is looking over your shoulder at a coffee shop or on an airline,” Anscombe says.

A few more suggestions to mitigate the risk of bank fraud:

  • Update your software. Cybercrooks look for vulnerabilities in operating systems or programs/apps. Set your software to automatically update, so you don’t have to remember to do so.
  • Back up regularly. It doesn’t really matter how you want to do it — a free cloud service, external hard drive or USB thumb drive. As long as you’re proactive about backing up your important files regularly, you’ll minimize any damage if attacked.
  • Lock your devices. Be sure your laptop, tablet and smartphone require a PIN or password to unlock. Otherwise you’re exposing your files to strangers if your device becomes lost or stolen. Use your fingerprint or face to authenticate, called biometric identification, because it’s fast, convenient and secure.

You don’t need a degree in computer engineering to protect yourself from bank fraud.

Use these tips, remain alert and rely on some smart software. You can greatly reduce the odds of becoming a victim.

Marc Saltzman has been a freelance technology journalist for 25 years. His podcast, "Tech It Out," aims to break down geek speak into street speak.

AARP’s Fraud Watch Network can help you spot and avoid scams. Sign up for free Watchdog Alerts, review our scam-tracking map, or call our toll-free fraud helpline at 877-908-3360 if you or a loved one suspect you’ve been a victim.