Wow - what a nightmare!! I’m surprised the CU software didn’t block any further logins after several attempts - assuming they were unsuccessful.

This is so crazy, and I'm so sorry it happened to you. I truly hope that the bank makes it right on Monday. I feel like all of the missed login attempts should've alerted the bank to alert you and I'm surprised it didn't shut things down until you could be contacted.

What a nightmare ☹️

I'm wondering if the culprit is an employee of the CU - or someone who was able to access the info through an employee...?

Oh no, this is awful. I agree that the CU should have froze out whoever kept attempting to login, especially considering how infrequent the log in history has probably been. Hope you can this resolved without a major hassle. So sorry this has happened.

Yes, I have discovered that they now offer those features - 2 factor ID, notifications of withdrawals or transactions etc. They didn't have them when I became their customer, and for some reason it never occurred to me - and it should have - to check if they were - even as I began utilizing them at my other bank and business.

It adds to the question of who did this, doesn't it? Not only found a way into my account, but an account that didn't have protections enabled. Although perhaps that is not as uncommon as I assume.

When we know better, we do better. I have every kind of alert activated on my accounts, so I get notified by email when my bank account is accessed, and when any kind of transaction occurs. This means sometimes multiple notifications in my email inbox daily, and I open every one and check it out.

I just had a thought - do you get paper statements in the mail?

No, no paper statements mailed. Which begs to ask the question - why did my only notification of the overdraft come by mail, arriving 5 days after the fact, instead of emailing me? My primary bank emails such things, along with my daily account activity.

Credit Unions and smaller regional banks are often targets for these:

Credential Cracking

Credential cracking (OWASP OAT - 007) ─ Also known as ‘brute forcing,’ credential cracking is a way to identify valid credentials by trying different values for usernames and passwords (usually from lists of breached account credentials that were made public by malicious parties and hackers). Hackers deploy bots to hack into customers’ accounts using the brute force approach, dictionary attacks (inputting large numbers of words), and guessing attacks to identify valid login credentials. Brute force attack symptoms include a sudden increase in failed login attempts and high numbers of account hijacking complaints from customers.

I am definitely going to be asking the credit union how this could escape their notice!

Something vaguely similar happened to my sister and DSIL.

DSIL wrote checks to pay some bills. He put them in their mailbox right in front of their house. When he got back to his in-home office, he realized he had missed a bill. He wrote the check and carried it out to the mailbox. Flag was still up but the box was empty! In the 10 or so minutes that he had been in the house, someone had stolen their mail, thereby obtaining the bank routing number and DD/DSIL’s account number.

They immediately called the bank. The bank, for all intents and purposes, closed their account. However, the bank left the account active just to see if anyone tried to access the account. This was done by the bank with no liablity on DD/DSIL. Sure enough, many months later someone tried to write a check on their account!

Is ther any possibility that the check to the IRS was stolen out of your mailbox? The thief could have stolen it, copied the info, and sent the check on to the IRS, so that you were not aware of any criminal activity.

Just finished reading this one - a woman's life savings drained from her Chase account and Chase is denying her restitution...

https://www.cbsnews.com/detroit/news/bank-scam-text-message-chase-bank/

bbstx, I paid the IRS via online ACH transfer. So, not a physical check - but the banking information might have been available to someone working at the IRS, or a hack into their system?

carolb, that is outrageous!!

I do no banking by phone, and have my 2 factor sent to my email. I would be accessing my accounts from home always (I might have to think about how to manage if I do travel overseas again).

Carolb, when we lost Mom several months ago, as her executor and POA, I called my atty and asked him how to begin. After discussing some amounts (not a large estate), he said I think you can handle this yourself without incurring my expenses and offered to send me a couple of forms I would need. Then asked, which bank will you be dealing with. When I said Chase, he responded 'Oh No. They are just the worst to deal with. Call me back if you find you do need my help.' I managed, but not without some effort and angst. It was 9 months before I could really call everything finalized and was able to close her accounts. No local branch here in this community and I made at least a half dozen 50 miles trips to speak to someone with authority in person at Chase.

Ugh, morz - Chase is so huge, I don't see how we can expect them to be easy to deal with.