Massive bank data leak: are you affected and what can you do now?

On February 18, 2026, the DGFiP (French Public Finances Directorate) officially announced the hacking of the national bank account file in a press release, known as FICOBA (Bank Account File).

The IBANs and personal data of nearly 1.2 million taxpayers are currently in the public domain, and even if it doesn't involve access to bank balances, the stolen information, such as identity, address, or bank account details, is enough to fuel targeted fraud.

Faced with unauthorized SEPA Direct Debits and fake bank advisor scams, here are the best practices to adopt to limit the risks…

Easy SEPA Direct Debits To fully grasp the scale of this phenomenon, it's important to understand that with an IBAN and a consistent identity, it's possible to set up a SEPA direct debit mandate to subscribe to a service or make an online purchase. Indeed, some services accept these transactions in just a few clicks, with verification afterward. However, European regulations govern these practices. In the event of an unauthorized direct debit, you have 13 months to dispute it, and banks are required to verify the existence of a valid mandate. In the absence of proof, reimbursement is provided for by law, but the process can still be lengthy. It's therefore best to act preventively…

Monitor, filter, block: the right reflexes

While it may seem obvious, the first reflex is to monitor your accounts. Banking apps now allow for near-instantaneous transaction tracking, especially with real-time notifications, even if some fraudsters use names similar to major brands to fly under the radar.

The second approach involves creating a whitelist, which restricts direct debits to authorized creditors only. This means that any external attempt is automatically rejected.

Conversely, creating a blacklist allows you to block creditors identified as fraudulent. However, as a general rule, this involves direct contact with a bank advisor, which can make the process longer.

Finally, in case of serious doubt, some banks offer the possibility of temporarily disabling transfers or blocking certain features from the customer area. A drastic measure, but effective for containing an ongoing incident.

Vishing, the fake bank advisor scam

Beyond withdrawals, the main risk remains vishing, that is to say, the fake bank advisor scam. Thanks to data from FICOBA, a scammer can make their story seem more credible by citing your address or your IBAN.

As a reminder, no bank ever asks for login credentials or validation codes by phone or email. In case of a suspicious call, hang up and contact your advisor directly via the official app, or on the number printed on your bank card.