A couple of months ago, I opened a business checking account, for a small press that I'm starting. I'm starting it very slowly; the only check I wrote on that account was to pay the lawyer who helped me set up the business.
Two weeks ago, I looked at my bank statement for that checking account for the first time, and I was taken aback, because there were five checks listed that I had not written.
The statement showed images of the fronts of the checks. They looked just like ordinary checks, drawn on my bank, but the names and addresses in the upper left-hand corners had nothing to do with me or my business. But the account number at the bottom of each check was my account number.
The checks were written to auto-parts stores and garden-supply stores, in amounts ranging from about $500 to about $1500. In the upper left corners, some of them had business names related to cars and gardening. They also had driver's license numbers.
After I got over the initial shock, my first guess as to what was happening was that the bank had somehow managed to assign the same account number to my business and to at least two other businesses, which would obviously have been a horribly bad mistake on the bank's part.
I contacted my bank rep. Who informed me that the companies and people named in the upper left corners of the checks were not customers of my bank.
In other words, this wasn't a case of the bank assigning the same account number to multiple accounts; it was a case of check fraud, in which someone had gone to what I imagine was a fair bit of trouble to create very real-looking fake checks with my account number on them.
I was outraged at the implied lack of protections on my account. I had always assumed (without thinking about it) that at some point in the check-cashing process, someone would verify that the name on the check matched the account number on the check.
But it turns out that they don't. The black hats in this situation appear to have used the checks to buy stuff at stores that don't do on-the-spot checking-account verification; then those stores presumably gave the checks to their own banks; and the stores' banks got money from my bank by saying “Please send me $x from the bank account with this number.” And my bank complied.
In other words: If someone has your checking account number, then as far as I can tell, all they need to do to write checks on your account is create some fake checks with your account number on them.
And because your checking account number appears on every check you write, it's not really a secret. Anyone who you pay using a check has access to your account number, and thus to your account.
(One of the weird things about my particular situation is that my account number was much more secret than most people's, because I had only written the one check. I completely trust the lawyer, but the only other people who had access to my account number were my bank, my lawyer's bank, and the company that prints the checks. Eventually I remembered that the first check I mailed to the lawyer got lost in the mail, so I'd had to write and send another one; so it's possible that the black hats got ahold of the check that got lost. But if they had one of my actual checks, then why didn't they use my real business name on their checks, instead of making up other business names?)
I still don't really understand all this. If banks really don't check that the name matches the account number, that seems to me to be a huge and obvious security flaw; but everyone I've talked with has assured me that it's true.
On the other hand, almost nobody seems to have ever heard of this exact scenario before, specifically the part where the black hats are writing checks with someone else's name on them. This isn't a case of stealing one of my checks and bleaching off the ink and repurposing the check; this is a case of getting checks printed up, that look just like real checks, that have my bank's name and logo, and my account number, but someone else's name. Several someones.
I've heard secondhand that other people have heard of this scenario, but nobody I've spoken with directly has encountered it, and in the twenty-five years that I've been writing checks, nothing like this has ever happened to me before.
So I'm still confused. By all accounts, this is a pretty easy thing to do; but by all accounts, it's a very rare thing to happen. I haven't yet figured out how to reconcile those two things with each other. If it's easy, I would expect that more black hats would do it; if it's rare, I would expect that to be because it's hard.
At any rate, I filled out some forms stating that those checks were fraudulent (my bank rep made some mistakes on the forms that distressed me further, but we worked that out, and it turned out she was just in a rush and that she had never seen this situation before so had never had to fill out those forms before), and the money is now back in my account. And the bank rep froze the original account and has issued me a new account number and will be issuing me new checks.
So all is well. And I'll probably even stick with my bank, because as far as I can tell, no other bank has any protections against this kind of thing happening either.
But the whole thing was weird and distressing and tense-making. It wasn't as awful as it could have been, because it was so obviously wrong that I assumed from the start that the bank would give me my money back. (Which I guess is either privilege or naivete talking, but in this case it turned out to be true.) But it was still not a fun thing.