Yeah, that's how the banking system works. Every single check in your checkbook has your account number and routing number on it, and those two numbers are literally the only pieces of information necessary to transfer money out of your account.
What the system lacks in technical security is (supposedly) made up for by legal protections/processes--yeah, it's incredibly easy to take money out of an account, but that transaction _will_ get reversed if it was fraudulent.
It will get reversed if you notice it and report it soon enough. But the law only requires they give you 60 days after they transmit you a statement. I believe for businesses, you are only protected for 2 days.
I get that is how it works, just seems alarming that the bank didn't send me anything. If I typo my pin code in the grocery store I get an email and text right away. My debit card has limits how much one can withdraw. A wire transfer has no limits, yet an org that never did a wire transfer from my account shows up and pulls a large amount and I get nothing.
It's just a different type of transaction. Not sure about your bank, but mine has separate alert settings for ACH vs. Debit transactions. I have alerts set up for both (and wires for that matter).
Yep. Nowadays with cash-by-phone, it gets even scarier: I had $5000 withdrawn from my account due to bad OCR on a check. It took way too much effort to get it reversed as well, even though the picture of the check in the banking app showed obviously wrong information.
What the system lacks in technical security is (supposedly) made up for by legal protections/processes--yeah, it's incredibly easy to take money out of an account, but that transaction _will_ get reversed if it was fraudulent.