Chicago (CBS) — A year ago, one couple wrote a check for $625. Then, someone tried to deposit more than a dozen other checks worth around $20,000 using that original signed check as their counterfeit canvas. CBS 2’s Dorothy Tucker investigates how that can happen.

In 2017, Judy Block wrote a check for $625 to pay the escrow for her real estate taxes.

“The check never left my hand. It went from me to the bank,” she said.

She literally walked the Bank of America check across the street to deposit it at Chase. A few months after the $625 withdrawal on her Bank of America statement, she and her husband Ron noticed some suspicious large withdrawals.

Both a check for $2,200 and one for $2,300 had Block’s signature on them. But they were made out to Bruce Rahl, whom the Blocks don’t know.

So, the two real estate brokers did what anyone would do. They called Bank of America for answers, which they didn’t have. No bank would explain to the Blocks or us how thieves got their hands on the Blocks’ original check.

Fraud expert William Kresse thinks this is a new variation on a very old theme.

“Every check that goes through a bank now is being scanned, and the image is stored,” said Kresse. “Now someone at the bank could have gone in and absconded with these images. Somebody on the outside could have hacked into the bank’s computer system and stolen these images.”

And here’s something else you don’t want to hear.

“If they were able to hack into or get access to a check that was being stored by the bank, they probably got hold of a lot more,” Kresse said.

Once thieves have the image, Kresse said it’s easy for them to create a fake check by changing the check number, the person it’s paid to and the amount. Then they can deposit it into any bank across the country simply by using a bank’s mobile app.

“They might be able to extract that money … and maybe transfer it even overseas,” said Jeremy Batterman, a threat intelligence security expert with Trustwave SpiderLabs who thinks banks need better software to detect fraudulent checks.

As for the Blocks, the thief tried to cash 18 phony checks via mobile bank apps. Fortunately, after the Blocks filed a claim with Bank of America, the bank didn’t pay on the rest. But when the Blocks tried to get a refund on the two that were cashed, the $4,500, it wasn’t easy.

“We had to file a police report,” said Judy Block.

In May 2018, the Blocks got a letter from Bank of America saying it never got the money back from Wells Fargo, so they closed that file without returning the Blocks’ money.

“Here it is one year later and we have no money, no calls, we have nothing,” said Ron Block.

“As a show of good faith, Bank of America should put the money back into the Blocks’ account,” said Kresse.

And they did.

CBS 2 contacted the bank on a Friday, and by the following Monday the Blocks had their money back.

“We were jumping around like we were winning the lottery,” said Judy Block.

“If it wasn’t for you we wouldn’t have ever gotten our money back,” said Ron Block.

Bank of America wouldn’t talk about security measures or this specific case other than to say they paid the claim.

Wells Fargo told CBS 2 that it, “has robust security processes and procedures in place to authenticate our customers through all channels – mobile, online, phone and in-person – and continue to enhance and improve these controls to help ensure that we can protect our customers. Security is a top priority.”

A Chase spokesperson told CBS 2, “the check was held for 90 days, then destroyed as well as the digital image which is our standard procedure. We can’t speculate what may have happened with the checks before they were deposited.”