Slightly tangental, Fidelity also has the option to put your accounts in "lock down" mode to prevent funding *outflows* (even transfers between accounts). This can help secure your account in addition to 2FA. I learned about this recently after +10yrs at Fidelity. Sadly, I don't think it is enabled by default.
I wish my bank had the same sort of option to prevent someone from just randomly guessing my account number for an ACH transfer.
This is exactly what I have wanted for a long time! I need to keep some amount of cash reasonably liquid (3-10 day retrieval process would be fine), but hate it sitting around, seemingly with no way to require the bank to mandate that it is really me making the withdrawal request.
Edit: Random internet poster did some testing (https://www.bogleheads.org/forum/viewtopic.php?t=382555) and found that the Fidelity Lockdown Mode will block ACATS pulls, but not ACH. Better than nothing, though still not what I want: money goes in, money does not come out until I sign something in blood.
As long as you notice the ACH transfer and notify Fidelity, there is a very high likelihood they will be able to return your money. It's pretty easy to turn notifications on for those accounts and get notified as soon as Fidelity is notified about an ACH transfer.
This is one of the reasons ACH transfers take a few days to settle, to allow for fraud checking before settlement.
Ya, I know. Fidelity's lockdown mode blocks ACATS, but not ACH. Hence why I covered ACH in my comment. ACATS is a non-issue, if you turn on Lockdown mode.
this will not work if someone broke into your account already, or stole your identity and disguised as you, the first thing they do is to unlock it. Fidelity should have some push-to-apps login approach, I'm not sure if it has one yet.
I wish my bank had the same sort of option to prevent someone from just randomly guessing my account number for an ACH transfer.