For the past two decades, Liz Birenbaum’s 88-year-old mother, Marge, has received her Social Security check on the second Wednesday of each month. It’s her sole source of income, which pays for her room at a long-term care center, where she landed last October after having a stroke.
When the deposit didn’t arrive in January, they logged into Marge’s Social Security account, where they found some startling clues: the last four digits of a bank account number that didn’t match her own, at a bank they didn’t recognize.
“Someone had gotten in,” said Ms. Birenbaum, of Chappaqua, N.Y. “Then I hit a panic button.”
It quickly became evident that a fraudster had redirected the $2,452 benefit to an unknown Citibank account. Marge, who lives in Minnesota, had never banked there. (Ms. Birenbaum requested to refer to her mother by her first name only to protect her from future fraud.)
Ms. Birenbaum immediately started making calls to set things right. When she finally connected with a Social Security representative from a local office in a Bloomington, Minn., the rep casually mentioned that this happens “all the time.”
“I was stunned,” Ms. Birenbaum said.
Social Security-related scams, overall, are pervasive — fraudsters pose as employees to try to extract both money and valuable identifying details from people in a variety of evolving schemes. But this particular fraud — where criminals use stolen personal information to break into online Social Security accounts or create new ones, and divert benefits elsewhere — has plagued people for a more than a decade.
Once fraudsters gain access to an individual’s online Social Security account, they can change a beneficiary’s address and direct deposit information, or request replacement cards.
Nearly everyone is a potential target. The Social Security Administration sends checks to more than 70 million beneficiaries, including retirees and disabled people, totaling nearly $120 billion every month. An estimated 2,000 beneficiaries had their direct deposits redirected last year, according to anti-fraud officials at the Social Security Administration.
It can be a lucrative fraud, and a devastating benefit to lose. An estimated $33.5 million in benefits — intended for nearly 21,000 beneficiaries — were redirected in a five-year period ending in May 2018, according to the most recent audit from the Office of the Inspector General, an independent group responsible for overseeing investigations and audits at the agency. Another $23.9 million in fraudulent redirects were prevented before they happened over the same time period.
“Fraudsters were able to obtain sufficient information about a true beneficiary to convince the Social Security Administration that they were that beneficiary,” said Jeffrey Brown, a deputy assistant inspector general at the Office of the Inspector General, who analyzed the issue in 2019. “Once they were in the front door, they were able to change their direct deposits.”
Social Security-related scams spiked during the pandemic, according to O.I.G. officials, when Social Security offices were closed to the public, forcing people to rely on the agency’s online services.
The Federal Trade Commission, which collects self-reported complaints from consumers, said more than 7,600 people reported that their benefits had been diverted from 2019 through the end of 2023, with an uptick in activity last year.
“A lot of consumers are letting us know they found out that their direct deposit was redirected to another account or a fraudulent account,” said Maria Mayo, associate director of the F.T.C.’s division of consumer response and operations. “A lot of times they are saying they got an impostor call and they provided their information, and they believe that is how that information was used to redirect the benefit.”
In another twist, there were roughly 6,100 fraudulent claims last year, or 0.3 percent of all web-initiated retirement claims, that involved criminals who filed for benefits on the earnings records of Americans who had reached retirement age, but had not yet claimed benefits, anti-fraud officials at Social Security said.
Criminals collect the personal identifying information they need in any number of ways, which they later use to break into government accounts or create fraudulent ones. You need a Social Security number to establish an online account with the agency, but you don’t need the entire nine-digits to crack open an existing one.
Amy Nofziger, director of fraud victim support at AARP Fraud Watch Network, recently scanned through her database of cases and came across a handful of victims who had a third-party snag their Social Security number within the past six months. One unsuspecting person gave it to an impostor promising insurance subsidies. Another criminal posed as a representative of the victim’s bank. In yet another case, the fraudster pretended to be calling from a credit bureau to verify the victim’s Social Security number.
Sometimes identity thieves claim they’re calling from a doctor’s office, and in other instances they’re able to compromise a person’s device and collect valuable information, such as passwords or other personal details saved.
When gathering various pieces of a person’s identity, fraudsters may also turn to marketplaces on the dark web, where much personal identifying information — often stolen through security breaches — is for sale.
Pam Dixon, executive director of the World Privacy Forum, a research group focused on data governance and protection, said people living in medical or assisted living facilities were also often vulnerable to these crimes. “It is among the ugliest forms of identity theft,” she added.
Just months before Marge’s benefits were redirected, the O.I.G. issued a report that said the administration’s portal, called my Social Security, did not fully comply with federal requirements for identity verification: It said it didn’t go far enough to verify and validate new registrants’ identities, in all cases. And once an account is established through one of two identity verification portals, which is required to access the my Social Security account, the agency does not require users to reverify their identities using strong enough proof (such as presenting a driver’s license along with, say, a selfie).
This wasn’t the first time the independent investigators found deficiencies, which date back to the introduction of the my Social Security portal in 2012. The Office of the Inspector General recommended bolstering its digital identity verification process in 2016, and while the agency has made several improvements, O.I.G. officials said it still wasn’t fully compliant when it released its latest audit in 2023.
The Social Security Administration said it had carried out several of the office’s recommendations since the portal was introduced, including the addition of a fraud analysis team for investigations. The agency has also updated its identity verification process to respond to emerging threats, it said, and plans further updates.
“Our office conducts ongoing analytics of online transactions and we look for anomalous behavior, and if we see new characteristics, we flag those and implement additional controls to stop any behavior that is potentially fraudulent,” said Joe Lopez, assistant deputy commissioner for analytics, review and oversight at Social Security.
“The environment is always developing,” he added, “and we modify our models as needed.”
The Social Security Administration sends notices to beneficiaries through the mail asking them to contact the agency if they didn’t authorize a recent change to their direct deposit information, which has thwarted millions of dollars in benefits from being diverted and lost, O.I.G. officials said. It is also possible to block changes to the accounts.
The issue would have been impossible for someone like Marge to rectify on her own. It was challenging enough for Ms. Birenbaum, a marketing consultant, and her brother, based near their mother in a Minneapolis suburb, who worked together to recover the benefits and secure Marge’s account.
Ms. Birenbaum — who reported the crime to the O.I.G. and the F.B.I. and alerted her state and federal representatives — once spent two and a half hours on hold with the Social Security Administration before connecting with a regional case worker. The rep was able to see that her mother’s direct deposit information had been altered in early December, the month before the benefits vanished.
Ms. Birenbaum’s brother visited their mother’s local Social Security office and became Marge’s “representative payee,” which allows him to handle her affairs (Social Security does not accept powers of attorney). They had to find ways to make the correction without bringing Marge to the office, which Ms. Birenbaum said would have been a “herculean task.”
Marge received the missing money on March 1, about a month and a half after they discovered the problem.
“For her, it ended on a happy note,” Ms. Birenbaum said, “but for many, who don’t have advocates pushing every day, cybercriminals win.”
How to Protect Yourself From Social Security Fraud
Consider locking down your accounts. Create a my Social Security account, but then add an e-services block, a feature that prevents anyone, including you, from seeing or changing your personal information online. You will need to contact your local office to remove it.
Another feature, a direct deposit fraud prevention block, stops anyone from enrolling in direct deposit, or changing your address or direct deposit information through your online account or a financial institution. You must contact a local office to make any changes or to remove the block.
Don’t trust, also verify. If your phone’s caller identification says “Social Security Administration,” don’t trust it — the number may be spoofed and the agency only calls beneficiaries in limited situations. Call back the agency through its mainline 1-800-772-1213 or call a local site using its office locator.
Report suspected scams and fraud to the Office of Inspector General’s website or call 1-800-269-0271.
Contact the Federal Trade Commission if you suspect someone has used your personal information, either through its website or calling 1-877-IDTHEFT (1-877-438-4338).
Review the Social Security Administration’s resource page on how to spot scams.