Millions of dollars are lost to scammers
Long-running fraud involves using stolen data to divert electronic or paper deposits
For the past two decades, Liz Birenbaum’s 88-year-old mother, Marge, has received her Social Security check on the second Wednesday of each month. It’s her sole source of income, which pays for her room at a long-term care center, where she landed in October after having a stroke.
When the deposit didn’t arrive in January, they logged into Marge’s Social Security account, where they found some startling clues: the last four digits of a bank account number that didn’t match her own, at a bank they didn’t recognize.
“Someone had gotten in,” said Birenbaum, who lives in Chappaqua, N.Y. “Then I hit a panic button.”
It quickly became evident a fraudster had redirected the $2,452 benefit to an unknown Citibank account. Marge, who lives in Minnesota, had never banked there. (Birenbaum requested to refer to her mother by her first name only to protect her from future fraud.)
Birenbaum immediately started making calls to set things right. When she finally connected with a Social Security representative from a local office in Bloomington, Minn., the rep casually mentioned this happens “all the time.” “I was stunned,” Birenbaum said. Social Security-related scams, overall, are pervasive — fraudsters pose as government employees to try to extract both money and valuable identifying details from people in a variety of evolving schemes. But this particular fraud — in which criminals use stolen personal information to break into online Social Security accounts or create new ones and divert benefits — has plagued people for more than a decade.
Once fraudsters gain access to a person’s online Social Security account, they can change a beneficiary’s address and direct deposit information or request replacement cards.
Nearly everyone is a potential target. The Social Security Administration sends monthly checks to more than 70 million beneficiaries, including retirees and disabled people. An estimated 2,000 beneficiaries had their direct deposits redirected last year, according to anti-fraud officials at the Social Security Administration.
It can be a lucrative fraud and a devastating benefit to lose. An estimated $33.5 million in benefits — intended for nearly 21,000 beneficiaries — were redirected in a five-year period ending in May 2018, according to the most
recent audit from the Office of the Inspector General, an independent group responsible for overseeing investigations and audits at the agency. Another $23.9 million in fraudulent redirects were prevented before they happened over the same time period.
“Fraudsters were able to obtain sufficient information about a true beneficiary to convince the Social Security Administration that they were that beneficiary,” said Jeffrey Brown, a deputy assistant inspector general at the Office of the Inspector General, who analyzed the issue in 2019. “Once they were in the front door, they were able to change their direct deposits.”
The Federal Trade Commission, which collects self-reported complaints from consumers, said more than 7,600 people reported their benefits had been diverted from 2019 through the end of 2023, with an uptick in activity last year.
“A lot of consumers are letting us know they found out that their direct deposit was redirected to another account or a fraudulent account,” said Maria Mayo, associate director of the FTC’s division of consumer response and operations. “A lot of times, they are saying they got an impostor call, and they provided their information, and they believe that is how that information was used to redirect the benefit.”
In another twist, there were roughly 6,100 fraudulent claims last year, or 0.3% of all web-initiated retirement claims, that involved criminals who filed for benefits on the earnings records of Americans who had reached retirement age but had not yet claimed benefits, anti-fraud officials at Social Security said.
Criminals collect the personal identifying information they need in any number of ways, which they later use to break into government accounts or create fraudulent ones.
You need a Social Security number to establish an online account with the agency, but you don’t need the entire nine-digits to crack open an existing one.
The Social Security Administration sends notices to beneficiaries through the mail asking them to contact the agency if they didn’t authorize a recent change to their direct deposit information, which has thwarted millions of dollars in benefits from being diverted and lost, OIG officials said. It is also possible to block changes to the accounts.
Birenbaum, who reported the crime to the OIG and FBI and alerted her state and federal representatives — once spent 2½ hours on hold with the Social Security Administration before connecting with a regional case worker. The rep was able to see her mother’s direct deposit information had been altered in early December, the month before the benefits vanished.
Marge received the missing money March 1, about a month and a half after they discovered the problem.
“For her, it ended on a happy note,” Birenbaum said, “but for many, who don’t have advocates pushing every day, cybercriminals win.”