How safe am I in sending banking info online in this instance?

My kid’s school has gone cashless. Basically this means that all payments made for school stuff is done online. So far so good. HOWEVER, the system they’ve set up is ringing all sorts of bells and I’d like to know if I’m worrying over nothing or not.

They are asking that we allow them to link the school payment account directly to our bank (sort of like direct deposit at work I gather) and in order to do so we must send a form with an attached voided check to the company responsible. They ask that we send it via fax or mail (unsecured, and it’s clear across the country) OR that we email it. Again, unsecured.

My question, how safe is it to email such information without some measure of encryption or secured link?
I know that the company responsible is relatively small (according to the person I spoke with, only 8 people in the office).
How much safer or riskier is it to do things this way rather than say the way an online store would operate?
It just seems wrong to allow an unknown third party direct access to my bank, despite being vetted by the school.

Should I be concerned or should I just shut up and send the info they ask?

One thing you might want to consider is opening an account specifically for this situation. Open the account with the minimum amount needed to keep the account open and pay for your child’s supplies. That way, if something does get intercepted, the thieves won’t be able to clear out your main account.

It’s not safe at all and you should voice your concerns. If you have to do it, set up the second account like BobArrgh suggested.

Aren’t they just trying to verify your routing and account number, which is at the bottom of every check? If you’ve ever written a check to anyone, that person/company has the same info.

The form you are sending…what sort of information is it asking?

I wouldn’t be worried, personally, but your money is not mine to worry about.

Bob’s suggestion is a fine one. When I needed to accept wire transfers for my business, I called up the bank and asked how to do this. The first thing the manager did when I spoke to her was to open a free second checking account for us so that our real account with lots of money in it couldn’t be compromised by wire transfers. Then she told me all the info I needed to send to the transfer-ee, which included our (new) account number and routing number.

I guess the question is, what sort of limits are there on transfers between bank accounts? How does the OP’s bank know that it is ok for the school to transfer money out of his account? There don’t seem to be any controls on things like that. Is it just a matter of the school being a known entity to the bank?

FWIW I would consider fax a lot safer than unencrypted e-mail.

In Europe, people and companies routinely post their bank details on letterhead, online, etc. There’s nothing you can do with the account and routing numbers (i.e., the same information that would appear on a cheque) except to deposit money into the account. It seems it’s only in the US that there’s this paranoia over miscreants stealing one’s basic bank account details and using them to withdraw one’s life savings. There was a thread here a couple months ago on whether or not this scenario was actually plausible, but unfortunately I don’t remember enough details to search for it.

Fax cannot be intercepted without a wiretap.

Email is not secure unless encrypted, but the attacker has to be somewhat motivated. (Some types of encryption has been known to be broken by highly motivated attackers.)

I can’t advise you about whether the arrangement itself is a good idea. I do this with my HOA to pay dues. It seems strange that a school would want to do this. Credit cards or PayPal is a more typical alternative.

I’m sorry to say this, but education department admins aren’t the sharpest tools in the shed, as a general rule, so I very seriously doubt that they’ve thought this through. But when the shit hits the fan and one or more families get corn holed, what do you thing the odds are that any of these supposedly educated people will take responsibility?


That means you basically have to either go through the trouble of setting up another account - which is not necessarily risk-free if your accounts are linked - or telling them to stuff it. Personally, I would opt for the latter.

If the objective is to make payments online, ask if they’ve ever heard of this fantastic new service that’s all the rage called, ummmm, I think it’s something like Pay Buddy. Nooo. Ummm . . . Oh yeah “PayPal”.

At least that can be funded with cash, credit card, bank account, whatever.

If they can’t grasp the concept, just tell them to give you an estimate for the semester and you will give them cash. If at the end it’s more or less, then you can settle up at that point.

There’s no excuse for requiring that this be funded from your bank account. It’s simply bullshit.

They probably don’t want to lose the ~3% on credit card or PayPal transactions. Adds up.

IMHO, the biggest risk is that the school will somehow screw up your bank account, by withdrawing too much, putting some kind of lock on it, withdrawing payments multiple times, or something. Much lower risk is that the school will expose your bank account info (either because their database got stolen or someone accidentally exposes it).
Compared to that, the risk of someone intercepting an e-mail or fax is not worth worrying about (remember: even if you misdial a fax machine or mistype an e-mail address, odds are really, really, really, low that a randomly dialed fax machine or e-mail account will belong to someone with the intent and means to do anything with your bank information).

I have autopay from my bank account on utility bills, but I would really really hesitate to use autopay for something as large, irregular, and likely to have mistakes as a tuition bill. I might consider it if I had to explicity authorize every payment, but only if my authorization is done at the bank end.

True, but there’s nothing to stop them from including a surcharge for that amount in the case of people who prefer to use that method.

I don’t know how much coin we be talkin’ 'bout here, but unless it’s well into 4 figures, I’ll eat the surcharge before I give someone access to my bank account. I mean, it’s more than just giving them your account and routing numbers. You also have to sign an authorization which, if anyone bothers to read it, will probably have shit in there to turn your hair white.

As for the cash option, all they have to do is overestimate what the costs are likely to be and require that much up front. Again, anyone who doesn’t want to do it that way can still opt for the direct w/drawal method.

I’m just saying give people some options. Don’t force them to use a single method that may be less than prudent or secure.

Just remember, autopay is just one letter away from autopsy.

Unless I misunderstand (either your setup or the OP’s situation), this is different. That is, the opposite. To set up autopay, you put their account information in the system. Again, unless I misunderstand, in this case they (i.e., the school) are asking for your information.

Personally, I have little problem with online banking (now…it took me awhile to learn a bit about the process and to get comfortable with the idea) to make payments to other people. But I refuse to grant other people/companies access to my account. Maybe doing so is fine for most people, maybe the actual risk is low enough that it’s not worth worrying about; but it clearly adds an additional security-breach possibility that is both unnecessary and easily avoidable.

Not to mention that you can never be sure exactly when they’re going to take their payment…on a tight budget (like me), deposit/withdrawal timing matters. I’d rather not have to pay overdrawn fees.

No, it’s not good.
What about poor families, who don’t have a computer – how are they supposed to pay these school fees? (Or is this a private school, that excludes poor children? My comments on that would not be suitable for this forum, only the pit.)

Not only can they do “stuff”, they did it to me once. Here are the 2 things they did:

  1. Withdrew money from my account by creating a fake check to be deposited into my account, and getting cash back for some amount that was less than the balance in my checking account. The fake check bounced and I was out the “cash back” portion until it all got straightened out and the bank ultimately suffered the loss.
  2. Wrote fake checks using my account to places like Walmart, Target, etc.

Ultimately I wasn’t out any money, but it is a hassle to correct all of this stuff.

My greatest concern is that in order to do this, I’ve got to send an authorization allowing the bearer of that authorization access to my bank accounts. I’m seriously concerned about the ease with which it would be possible to fudge who the recipient is from “school” to “miscreant” should someone with malicious intent wish to do so.
Granted, a fax would allow greater security, but nonetheless I am concerned.

Secondly, I’ve a problem with giving ANY third party authorized access to my banking info. When I pay my bills online I do so through the bank. The various business I pay are unable to access my account directly. I connect to the bank, and the bank transfers the money to them.
This company is the opposite. I tell the school how much, they pull it out of my account. In the event of a dispute, there’s literally nothing preventing them from billing and making me do the work to fix any errors.

Would these concerns be sufficiently valid to bring the to the school board finance office?

With regards to several other points made, there is no other way to pay for “optional” activities. They won’t accept cash for anything that is considered optional. They’ll take it for things the kids have to get, but nothing else.
Computer access is pretty much thorough (it’s a public school but internet and computer access is pretty close to 100% for where I live). Having said that, when I asked, they did have a process in place for extenuating circumstances.

Since whoever is making these decisions probably won’t listen to anything you have to say (since they are obviously certain that they know better), you need to bring in the big guns in order to get them to ditch this policy, which seems at best naive.

I would contact several law enforcement officials, preferably ones who deal with internet and bank fraud. Explain clearly but as briefly as possible exactly what is required of you and how the program is intended to work. Then express your concerns, again clearly but succinctly and ask them to advise you (in writing) as to the any security concerns they see.

I would start by talking to the detective bureau of your local police or sheriff’s office. They are probably the first people who are contacted by victims so even if they don’t handle such cases themselves, they will know who does and can probably offer an opinion on the program’s relative safety and security (or lack of same). If it is negative as I suspect will be the case. Ask them to give you something in writing that will advise the school board of their potential liability.

Nothing scares the crap out of a bureaucrat faster than the treat of a lawsuit.

If that doesn’t work out well for whatever reason, try other possibilities. For example I would contact my state attorney general’s office as well as my county prosecutor.

And don’t think you’re being a pain in the ass. If they have any interest in their jobs whatsoever, they will be happy to nip a potential crime in the bud. There’s enough crime out there, so it’s not like they would miss the extra work.

dzero: thanks. Going to do that tomorrow. Hadn’t even occurred to me.

Mail is safe, after all you mail checks every month, right? Ask to send the form and the voided check separately if either contains info the other does not, like a ssn.

However, too often info like this is stolen from the company, or someones laptop, or they continue to bill you years after you no longer receive their services. This last is VERY common with Health Clubs, etc.

So sending the info is pretty damn safe. Them safeguarding the info is not.