A few months ago, I woke up to a strange transaction in my checking account – a $3,000 withdrawal from my Ally checking account to a bank account I have with a fintech company called Douugh. I didn’t realize it yet, but I was about to become – or perhaps more accurately, I was – the victim of bank fraud.
Douugh is one of those neobanks that functions mainly (or in this case, only) with a phone app. Earlier this year, I opened a Douugh account to test it out, but since then, I hadn’t done anything with it. I certainly didn’t remember initiating a $3,000 from my Ally checking account.
Alarmed at the transaction, I opened my Douugh app to see what was going on, but unfortunately, couldn’t get any further information. The Douugh app has a design flaw where they don’t show you your pending transactions. So, when I opened my Douugh app, all I saw was a $0 balance and no other information that was useful to me.
I ended up giving Ally a call to see if they could give me any insight into the $3,000 withdrawal. Unfortunately, they didn’t have any information either, but they did offer to close my checking account and initiate a dispute for me. Closing my Ally checking account was going to be a pain though – my entire financial life revolves around that account – so before doing that, I decided I better get in touch with Douugh first. Maybe they could help me.
The Customer Service Issues Begin
But that’s when I hit my first snag. When I tried to contact Douugh, I discovered that they didn’t have a phone number on their website. I managed to dig up a phone number using Google, but that number went to a voicemail that told me to send an email if I needed support. Yikes! A bank that only uses email for customer service is not good, especially in a situation like this where I needed immediate support.
With no other options, I went ahead and sent an email to Douugh customer service, figuring that maybe they’d get back to me in a few hours. I’ve sent emails to other banks in the past and have often been pleasantly surprised at how fast they respond. But there was no such luck with Douugh. It took them almost two days to respond to my email. And the response I received wasn’t helpful. All they said was that it looked like I had initiated the transfer from my Douugh account and if I didn’t want to do that, I could send the money back once it cleared. They didn’t seem to be worried about potential fraud or security concerns.
Something didn’t seem right, but at this point, I wasn’t sure what was going on or what the scheme was. After all, the money from my checking account hadn’t been moved to a third party. It was only moving from one of my bank accounts to another bank account I owned.
The Bank Fraud Happens
Two days after the initial $3,000 withdrawal, it became evident that I was the victim of bank fraud. That morning, I woke up to hundreds of random email subscriptions in my inbox. Whoever had compromised my accounts had signed my email up for every email subscription possible. A quick Google search told me that this is a standard thing bank thieves do. They clog your email with spam so you won’t notice emails from your bank.
A few hours later, the $3,000 transfer from Ally was posted into my Douugh bank account. Moments later, I received a message telling me that my debit card was reported lost and that a new one was issued to me. Then, there was a large transaction from my Douugh account. Someone was using my debit card. This was possible because when you request a new debit card in the Douugh app, Douugh immediately issues you a new card and gives you all of the new debit card details in the app. The thief didn’t need the physical debit card. If he had access to my Douugh account, he had access to the debit card too.
Once I saw this happen, I immediately contacted Douugh to try to get them to do something about the bank fraud. But of course, Douugh doesn’t have a customer service number, so all I could do was send an email and wait. It took about 6 hours before someone from Douugh finally called me. And during that time, the thieves initiated another $3,000 transfer from my Ally checking account. I didn’t have $3,000 in my Ally checking account, so that transfer overdrew my account.
It might be a bit confusing to follow, so let me recap how this bank fraud worked:
- I had my Ally checking account linked to Douugh in the Douugh app. This meant if someone got into my Douugh account, they could initiate a transfer from Ally into Douugh.
- It appears the thieves hacked my Douugh account. Douugh doesn’t have two-factor authentication, so I had no idea someone had hacked my account. They didn’t hack my Ally account (it has two-factor authentication, which makes it much harder to hack).
- After getting access to my Douugh account, the hacker initiated a $3,000 withdrawal from Ally into Douugh. Once again, I had no idea that the transaction happened because Douugh doesn’t send you a notification when you initiate a transfer.
- As soon as the money hit my Douugh account, the hacker marked the debit card as lost, then had a new card issued. Douugh provides all of the debit card info in the app, so the hacker used that info to make large transactions online.
Getting My Money Back
At this point, I was out $6,000. But what really made me mad was that this whole ordeal seemed entirely preventable. I had contacted Douugh about this transaction two days earlier. The fact that I could only contact Douugh via email was the reason why we couldn’t solve the issue before it happened.
To be fair, the customer service rep from Douugh was apologetic and said they’d make this right. First, I had them close my Douugh account. I wasn’t using Douugh anyway, but at this point, I wasn’t ever going to do business with this company again.
Next, the rep told me that Douugh would accept full responsibility for the fraudulent transactions and I’d be reimbursed the full $6,000 that was stolen. Thankfully, the $6,000 did eventually arrive. The big problem was that it took almost a month to get my money back. The money was stolen from my account in mid-October. I didn’t get the $6,000 back until well into November. By then, I had to pay my mortgage, credit cards, utilities, and any other random bills I had. Because I was out $6,000, I had to dig into my savings to cover these bills.
Needless to say, it was nerve-wracking as I waited nearly a month for Douugh to send me back my $6,000. But at least I got everything back.
Lessons Learned From My Bank Fraud Experience
This is a story about my recent experience with bank fraud, but there are lessons that you can learn here from what happened with me. Here’s what you can take away:
Two Factor Authentication Is A Must. Make sure you have two-factor authentication activated with all of your financial accounts. I’ve found that most financial institutions have this set up automatically, especially if you attempt to log in from a different computer. Douugh has a major problem in that it doesn’t appear to have any two-factor authentication option. If someone got my username and password, they could log into my account from anywhere (which is exactly what happened).
Unlink Bank Accounts If You Aren’t Using The Bank. I do a lot of bank account bonuses, so I’m often linking bank accounts and moving money between them. I’ve never really thought this would be a problem, but after this experience, I can see how a hacker could use that to their advantage. Had my Ally account not been linked with Douugh, the hacker would’ve been met with an empty bank account. But because I had my Ally account linked, they could transfer money from that account, then spend it as soon as it hit the hacked account. In the future, I’m going to unlink bank accounts if I’m not using them anymore.
Be Wary With Some Of These Neobanks. For the most part, I’ve had a perfectly fine experience with these neobanks. But it never occurred to me that there could be new fintech banks that essentially have no customer service at all. If you’re going to use a neobank as your main bank account, do your research on their customer service options. As I write this, Douugh still doesn’t have a phone number listed on their website.
Credit Cards Are Undoubtedly Better Than Debit Cards. It’s pretty clear to me that credit cards are better than debit cards when it comes to fraud protection. The problem with debit card fraud is that if you’re the victim of fraud, the money being spent is your money. While you can get it back, there’s a good chance you’re going to be without that money for some time – potentially a long time. By contrast, if you have fraudulent transactions on your credit card, you’re never going to be out the money because it’s the bank’s money, not yours.
Have A Cash Buffer. Unfortunately, if you’re the victim of bank fraud, you need to be prepared to wait to get your money back, possibly for weeks or even months. I had $6,000 stolen, which is a significant sum for anyone. And while I did get my money back, by the time I got my money back, I had already had to pay my mortgage, credit cards, and utilities. Fortunately, I have a large emergency fund and I keep a cash buffer, but if I wasn’t in that position, this delay could have been really painful for me. Build an emergency fund and have it ready. You never know when you might need it.
Glad you were able to get everything back. Could this have been prevented if you change your account login for Douugh after the first transfer or were you locked out of your account?
Financial Panther says
When I saw the transfer, I did log into my Douugh account and changed the password. But it didn’t seem like it did anything. Seems like once they got access to the account, they stayed logged in even when I changed the password.
That makes me think their web facing software and security are sorely lacking.
Thanks for sharing, quite harrowing…..experience, I will double check all my accounts to be two factor authentication. That helps!
Yikes, that’s scary. I’m curious that you can’t prevent this on the Ally Bank side.
I have 2 credit union accounts. I transfer money from the old account to the new account, but I have to log into the account that’s *sending* the money and *push* it to the receiving account. I can’t log into the *receiving* account and *pull* it from the sending account. At least that’s what I was told when I set up the 2nd account.
Maybe you can set up something on the Ally account so that you’re notified when another account tries to pull money from it, even if it’s linked.
Accidentally Retired says
Oh man! Glad you got it worked out. This is exactly the reason why everyone needs to take their online security very seriously. More stuff like this will happen, especially with Crypto where you are operating with uninsured accounts. 2fa is a must, but you also need to use strong, unhackable passwords that are different for each account. I recommend a password manager like LastPass, Keeper Security or something similar. It is literally some of the best investment you can make. I also have some other advice here: https://accidentallyretired.com/resources/keep-your-money-investments-and-cryptocurrency-secure/1316
Stay safe out there everyone!
Judy jones says
I opened an account with Discover Bank online for the bonus and someone wired out $15K. It took 11 months and over 50 phones calls to get it back. They said I authorized it! Totally frustrating experience. On a wire transfer there is no limit of time they can take to investigate.
How do you think they got into your account in the first place? Breach from another company that exposed login info? Or login info that’s the same between accounts? I spend a lot of time changing all my wife’s passwords to unique ones from the 1 password she used at every website. That took FOREVER.
Mrs. FCB @financialchainbreakers says
OMG what a nightmare. I would have been seething and not sleeping for that whole time it took to get it worked out. Would it have helped to keep lower balances? I have an account with N26, which is also and online, app-based bank, which makes me a little uncomfortable. But I keep a low balance and only have it linked to another bank account that also has a low balance. Kind of sad all the hoops we have to jump through just to keep ourselves protected isn’t it? Glad your situation worked out!