One Friday afternoon in February 2018, Ward Waltman came home to a voice mail that sounded suspicious. A woman claiming to be from the Social Security Administration left a message asking Waltman, a retired federal employee in Manakin Sabot, Va., to call her back. His first thought: “This sounds like a scam.”
But over that weekend, Waltman started wondering if the call might be legitimate. He was then 68 years old and had not yet claimed his Social Security benefit. And he knew that his personal information had likely been stolen multiple times in recent data breaches involving insurance giant Anthem and credit bureau Equifax. What if a fraudster was using his personal details to claim his Social Security benefit?
It seemed like a stretch. After all, years earlier Waltman had followed the Social Security Administration’s advice for sidestepping fraud. He set up his own “My Social Security” account, which allows users to estimate their retirement benefits and change their contact details, among other features.
So Waltman logged into his account, a process that requires not only a user name and password but also a security code sent to the user’s mobile phone or email. What he saw confirmed his fears. His email address had been changed to an address he didn’t recognize, and a claim had been filed for his retirement benefits.
Waltman called Social Security. The message was indeed legitimate, and the representative had called Waltman because she suspected the claim was fraudulent. Within 45 minutes, the matter was resolved and the bogus claim denied. But Waltman was left with an unsettling question: How had the hacker defeated Social Security’s seemingly robust security systems? “I was stunned that it seems so easy for crooks to take advantage of the Social Security system,” Waltman says. “But that’s the online world we live in.”
Online weaknesses for Social Security
As the Social Security Administration strives to serve more customers online, the agency and current and future Social Security beneficiaries face the growing threat of cyber attacks. Social Security identified nearly 63,000 likely fraudulent online benefit applications in fiscal 2018, according to the agency’s Office of the Inspector General, up from just 89 in fiscal 2015. From February 2013 to February 2016 (the most recent data available), the Inspector General received more than 58,000 fraud allegations related to My Social Security accounts — an issue that persists today, according to the OIG. Meanwhile, there has been exponential growth in Social Security imposter scams, in which fraudsters claiming to be Social Security staffers contact victims — often via robocalls — and try to extract money or personal details. More than 35,000 people reported such scams in 2018, according to the Federal Trade Commission, up from 3,200 a year earlier.
These days, it’s tough to avoid dealing with Social Security online. But when you understand Social Security’s cyber security strengths and weaknesses, there are steps you can take to safeguard your personal information, keep close tabs on your benefits, and with any luck, ward off the fraudsters.
The Social Security Administration is a treasure trove for hackers. The agency holds data on nearly every American, averages about 70 million monthly beneficiaries, and paid roughly $1 trillion in benefits in fiscal 2018, mostly through electronic transactions. And like many organizations across the public and private sector, the agency is pushing customers to use its online services even as it struggles to stay a step ahead of cyber crooks. In 2012, for example, the agency launched the My Social Security portal, and it encourages users to view benefit statements and manage their benefits online.
Today, the agency plans to further expand its online services “to reduce unnecessary field office visits by the public,” according to the OIG. But since 2012, the OIG noted in a recent report, its auditors “have identified weaknesses that, when aggregated, resulted in a significant deficiency” in Social Security’s information systems security.
The agency says it’s working hard to keep pace with the fraudsters. “Social Security is committed to protecting and securing the information entrusted to us,” agency spokesman Mark Hinkle said in an email. As fraud techniques evolve, he says, “we are continually reviewing our systems to ensure we identify potential fraud risks and determine if additional controls are necessary.”
Social Security benefits up for grabs
As of July 2018, nearly 38 million people had created My Social Security accounts at www.ssa.gov/myaccount. The portal allows you to view your earnings record and benefit payment history and change your address or direct deposit information, among other services.
But the accounts have proven tempting to fraudsters. One issue: Social Security needs to “improve its identity verification controls to ensure users are who they claim to be,” the OIG said in September Congressional testimony. Indeed, crooks don’t have to be terribly sophisticated to set up an account in someone else’s name, cyber security experts say. To open an account, you enter basic details such as your name, date of birth and Social Security number, then answer a series of multiple-choice questions meant to verify your identity, such as “on which of these streets have you never lived?” and “which of the following is your middle or former name?” In some cases, the answers are freely available in public records or on social media. And if they’re not, hackers can buy the information for about $3 on sites that sell stolen data, says Alex Holden, chief information security officer at information security firm Hold Security. “A determined individual will have an easy time getting this information,” he says.
Slowing — not stopping — hackers
Recent efforts to beef up My Social Security account security may slow down hackers who try to break into other people’s accounts, but they’re no cure-all, cyber security experts and the OIG say. In 2017, the My Social Security portal started requiring two-factor authentication, meaning users trying to register or log in must enter a security code that is sent to their mobile phone or email address. “It could be a speed bump for the bad guys,” says Brian Krebs, who blogs about cybercrime and Internet security at KrebsOnSecurity.com, but “I’m not sure it adds a lot of verification that people signing up are who they say they are.”
If you’re already receiving Social Security benefits, a crook who gains access to your My Social Security account could change the direct-deposit information to redirect benefits to his own account. And if you have reached age 62 but not yet claimed your benefits, a thief who gets hold of your personal information could file a bogus claim in your name.
The recent spike in likely fraudulent online benefit claims can be attributed to an increase in fraud attempts as well as changes in the agency’s process for flagging suspicious claims, the OIG says.
In recent months, the agency has taken additional steps to deter fraudulent online benefit claims — but they’re not exactly bulletproof, according to the OIG. Late last year, the agency started using the same identity-verification process for online benefit applications that it uses for the My Social Security portal. You must now attempt to open a My Social Security account before you can file an online claim. But if you run into problems creating an account, you can still submit the online claim, and the agency will contact you to verify your identity before processing it, according to the OIG. And given that the portal’s identity-verification controls haven’t stopped thieves from fraudulently establishing accounts or changing direct-deposit information, using those same controls for online benefit applications may not prevent all fraudulent online benefit claims, the OIG said in a November report.
Defend yourself against Social Security fraud
“The agency employs a multifaceted approach towards fraud prevention and regularly performs data analytics against online applications and My Social Security transactions to identify anomalous activity and take action,” Hinkle says. But the agency, the OIG and cyber security experts all agree that individuals need to be on guard, too.
What should current and future beneficiaries do? Although it’s not a 100% fix, register your My Social Security account “before somebody else does it for you,” Krebs says. Log on regularly to check for suspicious activity.
For an additional layer of protection, add “extra security” to your My Social Security account. This process ties the account to your address and credit card or other financial information, and “it is the best defense available at this time,” the OIG says.
You can also block electronic access to your Social Security record at www.socialsecurity.gov/blockaccess. This prevents anyone — including you — from viewing or changing your personal information through Social Security’s website or automated phone line. If you later need to access your information, you can remove the block after confirming your identity with Social Security.
If a fraudster manages to file a claim for your benefits, Social Security will work to resolve the issue promptly and ensure you receive the benefits you’re due, Hinkle says. In some cases, you may get a 1099 form for benefits you didn’t receive, the OIG says. You would need to contact Social Security to unwind the bogus claim and have a corrected 1099 issued zeroing out the reported income.
Finally, “do not pick up your phone unless you know who’s calling,” says Amy Nofziger, director of fraud victim support at AARP Fraud Watch Network. Scammers claiming to be Social Security employees may tell you there’s a problem with your account, that your Social Security number has been suspended because of suspected illegal activity, or even that you’re owed a cost-of-living benefit increase. They’ll then try to extract personal information from you. Your caller ID may even show Social Security’s real phone number (1-800-772-1213) — but the scammers are faking that number. If a caller threatens your benefits, suggests you’ll face legal action if you don’t provide information, or pressures you to send cash or put money on gift cards, it’s likely a fraudster.
If you’re not sure whether a call is legitimate, you can hang up and call 1-800-772-1213 to speak with a real Social Security representative. And if you’ve been targeted by a scammer, report it at www.ftc.gov/complaint and oig.ssa.gov/report.