Move in the first hour
With a hacked email you race to lock the account. With a hacked money account, you also race the clock on your legal protections. Do these first:
- Call the bank or card issuer directly — the number on the back of your card or inside the official app, not a number someone gave you. Tell them the account is compromised and ask them to freeze it and flag the fraud.
- Freeze or replace the card and stop any pending transfers they can still stop.
- Change the password and turn on the strongest two-factor the bank offers, then sign out other sessions.
- Report it in writing too (secure message or email), so there is a dated record of when you notified them — that date is what protects you.
Your federal rights: the clock decides
For U.S. bank and debit-card accounts, the Electronic Fund Transfer Act and its Regulation E cap how much you can be on the hook for — and the cap depends on how fast you report, not on how the breach happened:
- Report within 2 business days of learning your card or credentials were lost or stolen → liability for unauthorized transfers is capped at $50.
- Report after 2 business days (but you still act) → the cap can rise to $500.
- An unauthorized transfer on your statement must be reported within 60 days of the statement being sent. Past that window you can be liable, without a cap, for further transfers the bank could have prevented had you reported in time.
That is why the dated report matters more than almost anything else you do today. When in doubt, notify first and sort out the details after.
PayPal works differently
PayPal is not a bank account, and its protections are its own. PayPal's policy generally asks you to report an unauthorized transaction within 180 days, through its Report a Problem / Resolution Center flow — a separate process and a separate window from Regulation E, not the same rule. If a linked bank or card funded the fraudulent PayPal payment, report to both PayPal and that bank, because each has its own timeline.
The caution that catches most people
Account-takeover fraud against money accounts almost always rides on a phone call or text that sounds like your bank. Remember one rule: no real bank ever calls and asks you to read back a one-time code, your password, or your PIN. The “fraud department” agent rushing you to confirm a code is the fraud — they are using that code to approve their own transfer. Hang up and call the number on your card.
If money left the account, identity details were exposed, or you need a documented investigation for a dispute, account compromise recovery and identity theft investigation are the SleuthX services that pick up where the bank's own process stops.
Sources
- Consumer Financial Protection Bureau (CFPB), How do I get my money back after an unauthorized transaction?. https://www.consumerfinance.gov/ask-cfpb/how-do-i-get-my-money-back-after-i-discover-an-unauthorized-transaction-or-money-missing-from-my-bank-account-en-1017/
- Consumer Financial Protection Bureau (CFPB), Regulation E, §1005.6 — Liability of consumer for unauthorized transfers. https://www.consumerfinance.gov/rules-policy/regulations/1005/6/
- PayPal, How do I report an unauthorized transaction or account activity?. https://www.paypal.com/us/cshelp/article/how-do-i-report-an-unauthorized-transaction-or-account-activity-help136
- PayPal, Purchase Protection. https://www.paypal.com/us/legalhub/buyer-protection
















