Safe Online Banking: The 7 Rules Your Bank Won't Tell You
Your bank will tell you to create a strong password and enable two-factor authentication. What they will not tell you is that those two steps alone are not nearly enough to keep your money safe online.
Banking fraud cost Americans over $10 billion in 2025. And the people most frequently targeted are adults over 55 — not because they are less capable, but because they tend to have larger account balances, more established credit, and habits that scammers have learned to exploit. Here are seven rules that will dramatically reduce your risk.
Rule 1: Never Bank on Public Wi-Fi Without a VPN
This is the single most important rule on this list, and almost nobody follows it.
When you log into your bank at the coffee shop, the library, or the airport, you are sending your username and password over a shared network. Anyone else on that same network with basic tools can potentially see what you are doing.
Real example: In 2024, a retired teacher in Florida logged into her credit union at a hotel during vacation. A scammer on the same hotel Wi-Fi intercepted her login credentials and drained $8,400 from her checking account before she got home.
The fix is simple: use a VPN every time you go online — especially when banking. A VPN encrypts your connection so that even if someone is monitoring the network, they see nothing but scrambled data.
If you must bank on the go, turn on your VPN first. Better yet, switch to your phone's cellular data (4G or 5G) instead of Wi-Fi. Cellular connections are much harder to intercept.
Rule 2: Type Your Bank's URL Directly — Every Single Time
Scammers create fake bank websites that look identical to the real thing. They buy web addresses that are almost the same as your bank's — one letter off, or with an extra word added. Then they buy ads so their fake site shows up in Google search results above the real one.
Real example: Search ads impersonating Chase, Bank of America, and Wells Fargo have appeared repeatedly in Google results over the past two years. People click, enter their credentials on what looks exactly like their bank's login page, and hand their information directly to criminals.
The rule: never Google your bank's name and click a search result. Instead, type the address directly into your browser's address bar. Even better, bookmark your bank's real website and always use that bookmark.
Before entering any password, look at the address bar and confirm:
- The URL starts with https:// (the "s" stands for "secure": the connection is encrypted, which a fake site can also have, so check the next point too)
- The domain name is exactly right — not "chase-secure-login.com" or "bankofamerica-verify.com"
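The two address-bar checks above can be written out as a short script. This is an added example, not part of the original article; the bookmarked domain list and the sample URLs are assumptions constructed for illustration, apart from the two look-alike names quoted in the list.

```python
from urllib.parse import urlsplit

# Assumption: domains the reader copied from a bank card or paper statement.
BOOKMARKED_DOMAINS = {"chase.com", "bankofamerica.com"}


def check_bank_url(url, bookmarked=BOOKMARKED_DOMAINS):
    """Apply Rule 2's two address-bar checks; return (ok, reason)."""
    parts = urlsplit(url.strip())
    # urlsplit lower-cases the scheme and hostname and drops port and path.
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return False, "not https"
    for domain in bookmarked:
        # Genuine: the bookmarked domain itself or a name ending in ".<domain>".
        if host == domain or host.endswith("." + domain):
            return True, "matches " + domain
    for domain in bookmarked:
        # The bank's name appears, but not as the rightmost part of the host.
        brand = domain.split(".")[0]
        if brand in host.replace("-", ""):
            return False, "look-alike of " + domain
    return False, "unknown domain"


if __name__ == "__main__":
    # Constructed inputs; the two look-alike names are the ones quoted above.
    for url in (
        "https://www.chase.com/",
        "http://www.chase.com/",
        "https://chase-secure-login.com/",
        "https://bankofamerica-verify.com/login",
        "https://chase.com.account-check.example/",
    ):
        print(url, check_bank_url(url))
```

The last sample shows why the comparison has to be made against the right-hand end of the host name: the bank's name at the start of a longer address proves nothing.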
Rule 3: Never Click a Link in an Email or Text From Your "Bank"
Your bank might email you statements or alerts. That is normal. What is not normal — and what your bank will almost never do — is send you an email with a link asking you to log in, verify your identity, or confirm a transaction.
If you get an email or text that says something like "Unusual activity detected — click here to verify," do not click. Instead, open a new browser window, type your bank's URL directly, and log in to check your account. If there is a real problem, you will see it there.
Real example: A man in Ohio received a text message that appeared to come from his bank's fraud department. It included a link to "verify a suspicious charge." He clicked, entered his login information, and within minutes the scammers had initiated a $12,000 wire transfer.
This rule applies to phone calls too. If someone calls claiming to be from your bank, hang up and call the number on the back of your debit card. Real fraud departments will never be offended by you verifying their identity.
Rule 4: Use a Unique, Strong Password for Every Bank Account
This is where most people fall short. If you use the same password for your bank that you use for your email, your Amazon account, or that recipe website you signed up for three years ago, you are at serious risk.
When any one of those websites gets hacked — and they do, regularly — criminals take the stolen email and password combinations and try them on banking sites. This is called "credential stuffing," and it works because most people reuse passwords.
You do not need to memorize dozens of complex passwords. A password manager handles that for you. It generates strong, unique passwords for every site and fills them in automatically when you log in.
Stop reusing passwords — let 1Password handle it
1Password generates and remembers a unique, strong password for every account you have. You only need to remember one master password. It works on your phone, tablet, and computer, and it is the easiest password manager we have tested. Plans start at $3/month.
Rule 5: Turn On Every Alert Your Bank Offers
Most banks let you set up alerts for specific account activities: transactions over a certain amount, logins from new devices, password changes, wire transfers, and more. Turn on all of them.
These alerts give you the fastest possible warning if someone is accessing your account. The sooner you know about unauthorized activity, the more likely you are to recover the money. Ideally, set them up as text message alerts — you will see a text faster than you will check your email.
Here is what to enable:
- Any login from a new device or browser
- Any transaction over $50 (adjust to whatever makes sense for your normal spending)
- Any transfer to an external account
- Any change to your password, email address, or phone number
- Any ATM withdrawal (especially if you rarely use ATMs)
Rule 6: Check Your Accounts at Least Twice a Week
Many people only look at their bank account when they get a monthly statement. By then, a scammer could have been making small, unnoticed charges for weeks.
Make it a habit to log in and review your transactions at least twice a week. Look for charges you do not recognize — even small ones. Scammers often test stolen account information with tiny charges ($1 to $5) before making larger withdrawals.
If you see anything you do not recognize, call your bank immediately. Do not wait to "see if it clears" or assume it will resolve itself.
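For readers who download their transactions as a spreadsheet file, the twice-weekly review and the alert thresholds from Rule 5 can be sketched as a script. This is an added example, not part of the original article; the CSV column layout, the merchant names and the list of known merchants are constructed assumptions, not any bank's real export format.

```python
import csv
import io
from decimal import Decimal

# Constructed sample in a hypothetical export layout.
SAMPLE_CSV = """date,merchant,amount,type
2025-03-01,GROCERY MART,64.20,card
2025-03-02,CITY PHARMACY,12.75,card
2025-03-04,QX*DIGITAL SVC,1.00,card
2025-03-05,GROCERY MART,38.10,card
2025-03-06,QX*DIGITAL SVC,412.99,card
2025-03-07,TRANSFER TO EXT ACCT,900.00,external_transfer
"""

KNOWN_MERCHANTS = {"GROCERY MART", "CITY PHARMACY"}  # assumption: names you recognize
ALERT_THRESHOLD = Decimal("50")                      # Rule 5's example threshold
TEST_CHARGE = (Decimal("1"), Decimal("5"))           # Rule 6's "$1 to $5" range


def review(csv_text, known=KNOWN_MERCHANTS):
    """Return (date, merchant, amount, reason) for every row worth a second look."""
    flagged = []
    probed = set()  # unfamiliar merchants that already made a tiny charge
    for row in csv.DictReader(io.StringIO(csv_text)):
        amount = Decimal(row["amount"])
        merchant = row["merchant"].strip().upper()
        if row["type"] == "external_transfer":
            reason = "transfer to external account"
        elif merchant not in known and TEST_CHARGE[0] <= amount <= TEST_CHARGE[1]:
            probed.add(merchant)
            reason = "small charge from unfamiliar merchant"
        elif merchant in probed:
            reason = "larger charge after a small test charge"
        elif amount > ALERT_THRESHOLD:
            reason = "over alert threshold"
        else:
            continue
        flagged.append((row["date"], merchant, amount, reason))
    return flagged


if __name__ == "__main__":
    for item in review(SAMPLE_CSV):
        print(*item, sep=" | ")
```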
Rule 7: Use a VPN on Every Device That Touches Your Financial Accounts
This goes beyond Rule 1. A VPN should not just be something you turn on at the coffee shop. It should be running on every device you use to access your bank, your investment accounts, your Social Security portal, or your Medicare information.
That includes your phone, your tablet, and your home computer. While your home Wi-Fi is safer than public Wi-Fi, it is not immune to attacks — especially if you are still using the default password that came with your router.
A VPN creates an encrypted tunnel around all your internet traffic. It is the digital equivalent of having an armored truck carry your financial information instead of sending it on an open road.
Our recommended VPN for banking and finances
NordVPN encrypts your internet connection on all your devices — phone, tablet, and computer. Their Threat Protection feature also blocks malicious websites and phishing attempts before you even see them. Plans start at $3/month.
Key Takeaways
- Never bank on public Wi-Fi without a VPN running — this is the number one risk most people ignore.
- Always type your bank's web address directly into your browser. Never trust search results or email links.
- If your bank "contacts" you by email, text, or phone, verify independently by calling the number on your card.
- Use a different password for every financial account — a password manager makes this effortless.
- Turn on all available transaction and login alerts so you catch unauthorized activity immediately.
- Check your accounts at least twice a week and question any charge you do not recognize.
- Run a VPN on every device you use for banking, investing, or managing benefits.
Your bank has a fraud department, but their job is to respond after something goes wrong. These seven rules are how you stop things from going wrong in the first place.
Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.