Bank or PayPal Account Hacked? What to Do and Your Rights

With money accounts, the clock — not the password — decides how much you're on the hook for. Here are the exact federal timelines and the order to work the problem.

8 min read · June 29, 2026

Move in the first hour

With a hacked email you race to lock the account. With a hacked money account, you also race the clock on your legal protections. Do these first:

  1. Call the bank or card issuer directly — the number on the back of your card or inside the official app, not a number someone gave you. Tell them the account is compromised and ask them to freeze it and flag the fraud.
  2. Freeze or replace the card and stop any pending transfers they can still stop.
  3. Change the password and turn on the strongest two-factor the bank offers, then sign out other sessions.
  4. Report it in writing too (secure message or email), so there is a dated record of when you notified them — that date is what protects you.

Your federal rights: the clock decides

For U.S. bank and debit-card accounts, the Electronic Fund Transfer Act and its Regulation E cap how much you can be on the hook for — and the cap depends on how fast you report, not on how the breach happened:

That is why the dated report matters more than almost anything else you do today. When in doubt, notify first and sort out the details after.

PayPal works differently

PayPal is not a bank account, and its protections are its own. PayPal's policy generally asks you to report an unauthorized transaction within 180 days, through its Report a Problem / Resolution Center flow — a separate process and a separate window from Regulation E, not the same rule. If a linked bank or card funded the fraudulent PayPal payment, report to both PayPal and that bank, because each has its own timeline.

The caution that catches most people

Account-takeover fraud against money accounts almost always rides on a phone call or text that sounds like your bank. Remember one rule: no real bank ever calls and asks you to read back a one-time code, your password, or your PIN. The “fraud department” agent rushing you to confirm a code is the fraud — they are using that code to approve their own transfer. Hang up and call the number on your card.

If money left the account, identity details were exposed, or you need a documented investigation for a dispute, account compromise recovery and identity theft investigation are the SleuthX services that pick up where the bank's own process stops.

Sources

  1. Consumer Financial Protection Bureau (CFPB), How do I get my money back after an unauthorized transaction? https://www.consumerfinance.gov/ask-cfpb/how-do-i-get-my-money-back-after-i-discover-an-unauthorized-transaction-or-money-missing-from-my-bank-account-en-1017/
  2. Consumer Financial Protection Bureau (CFPB), Regulation E, §1005.6 — Liability of consumer for unauthorized transfers. https://www.consumerfinance.gov/rules-policy/regulations/1005/6/
  3. PayPal, How do I report an unauthorized transaction or account activity? https://www.paypal.com/us/cshelp/article/how-do-i-report-an-unauthorized-transaction-or-account-activity-help136
  4. PayPal, Purchase Protection. https://www.paypal.com/us/legalhub/buyer-protection

Meet Your Practitioner

Quinnlan Varcoe

Founder & CEO

GIAC-certified · 15 industry certifications

With operational experience across Fortune 50 security programs and the defense industrial base, Quinnlan founded SleuthX in 2022 to provide clients with the caliber of expertise typically reserved for the largest enterprises. Her work in threat intelligence and digital forensics has earned the trust of 26,000+ cybersecurity professionals who follow her analysis.

“26,000 professionals follow my work because I say what others won't — and I can back it up technically.”
