For the past two decades, Liz Birenbaum’s 88-year-old mother, Marge, has received her Social Security check on the second Wednesday of every month. She is her only source of income, with which she pays for her room in a long-term care facility, where she landed last October after suffering a stroke.

When the deposit didn’t arrive in January, they logged into Marge’s house. social security accountwhere they found some surprising clues: the last four digits of a bank account number that didn’t match theirs, at a bank they didn’t recognize.

“Someone had broken in,” said Birenbaum, of Chappaqua, New York. “So I hit the panic button.”

It quickly became apparent that a scammer had redirected the $2,452 profit to an unknown Citibank account. Marge, who lives in Minnesota, had never banked there. (Ms. Birenbaum requested to refer to her mother by her first name only to protect her from future fraud.)

Ms. Birenbaum immediately began making calls to fix things. When she finally contacted a Social Security representative at a local office in Bloomington, Minnesota, the representative casually mentioned that this happens “all the time.”

“I was stunned,” Birenbaum said.

Social SecurityRelated scams are generally widespread: scammers pose as employees to try to extract both money and valuable identification details from people in a variety of evolving schemes. But this particular fraud, in which criminals use stolen personal information to log into Social Security accounts online or create new accounts and divert benefits elsewhere, has plagued people for more than a century. one of each.

Once scammers gain access to an individual’s online Social Security account, they can change the beneficiary’s address and direct deposit information, or order replacement cards.

Almost everyone is a potential target. The Social Security Administration sends checks to more than 70 million beneficiaries, including retirees and disabled people, totaling almost $120 million each month. An estimated 2,000 beneficiaries’ direct deposits were redirected last year, according to Social Security Administration anti-fraud officials.

It can be a lucrative scam and a devastating loss of profit. An estimated $33.5 million in benefits (going to nearly 21,000 beneficiaries) were redirected over a five-year period ending in May 2018, according to the most recent audit by the Office of the Inspector General, an independent group responsible for supervise investigations and audits at the agency. Another $23.9 million in fraudulent redirects were prevented before they occurred during the same period.

“The fraudsters were able to obtain enough information about a true beneficiary to convince the Social Security Administration that they were that beneficiary,” said Jeffrey Brown, deputy assistant inspector general for the Office of the General Inspectorwho analyzed the problem in 2019. “Once they were in the front door, they were able to change their direct deposits.”

Social Security scams have increased during the pandemic. according to the OIG officials, when Social Security offices were closed to the public, forcing people to rely on the agency’s online services.

The Federal Trade Commission, which collects self-reported complaints from consumers, said more than 7,600 people reported that their benefits had been diverted from 2019 through the end of 2023, with a spike in activity last year.

“Many consumers tell us that they discovered that their direct deposit was redirected to another account or to a fraudulent account,” said Maria Mayo, associate director of the FTC’s division of consumer response and operations. “Many times they say they received a call from an impostor and provided their information, and they believe that’s how that information was used to redirect the benefit.”

In another twist, there were approximately 6,100 fraudulent claims last year, or 0.3 percent of all retirement claims initiated on the web, involving criminals who applied for benefits on the income records of Americans who had reached the age retirement, but had not yet claimed benefits. Social Security anti-fraud officials said.

Criminals collect the personally identifiable information they need in a variety of ways, which they then use to break into government accounts or create fraudulent accounts. You need a Social Security number to establish an online account with the agency, but you don’t need the full nine digits to open an existing account.

Amy Nofziger, director of fraud victim support at the AARP Fraud Watch Network, recently examined her case database and found a handful of victims who had their Social Security number stolen by a third party in the past six months. An unsuspecting person gave it to an impostor promising insurance subsidies. Another criminal posed as a representative of the victim’s bank. In yet another case, the scammer pretended to be calling from a credit agency to verify the victim’s Social Security number.

Sometimes identity thieves claim they are calling from a doctor’s office, and in other cases, they may compromise a person’s device and collect valuable information such as passwords or other saved personal data.

By collecting multiple pieces of a person’s identity, scammers can also turn to dark web marketplaces, where a lot of personally identifiable information, often stolen through security breaches, is for sale.

Pam Dixon, executive director of the World Privacy Forum, a research group focused on data governance and protection, said people living in medical or assisted living facilities are also often vulnerable to these crimes. “It’s one of the ugliest forms of identity theft,” she added.

Just months before Marge’s benefits were redirected, the OIG issued a report That said, the administration’s portal, called my Social Security, did not fully meet federal requirements for identity verification: it said it did not go far enough to verify and validate the identities of new registrants, across all cases. And once an account is established through one of two identity verification portalsrequired to access my Social Security account, the agency does not require users to re-verify their identities using sufficiently strong evidence (such as presenting a driver’s license along with, for example, a selfie).

This was not the first time that independent investigators found deficiencies, which they go back to the introduction of the my Social Security portal in 2012. The Office of the Inspector General recommended strengthening its digital identity verification process in 2016, and while the agency has made several improvements, OIG officials said it was still not fully compliant when it released its last audit in 2023.

The Social Security Administration said it had carried out several of the office’s recommendations since the portal was introduced, including adding a fraud analysis team for investigations. The agency also updated its identity verification process to respond to emerging threats, he said, and plans to make more updates.

“Our office conducts ongoing analysis of online transactions and we look for anomalous behavior, and if we see new features, we flag them and implement additional controls to stop any behavior that is potentially fraudulent,” said Joe Lopez, deputy assistant commissioner for analysis. review and inspection in Social Security.

“The environment is always developing,” he added, “and we modify our models as necessary.”

The Social Security Administration is sending notices to beneficiaries by mail asking them to contact the agency if they did not authorize a recent change to their direct deposit information, which has prevented them from being diverted and losing millions of dollars in benefits, officials said. the IGO. It is also possible to block changes to accounts.

For someone like Marge, the problem would have been impossible to solve alone. It was quite challenging for Ms. Birenbaum, a marketing consultant, and her brother, who lives near her mother in a Minneapolis suburb, who worked together to recover profits and secure Marge’s account.

Birenbaum, who reported the crime to the OIG and FBI and alerted his state and federal representatives, once spent two and a half hours on hold with the Social Security Administration before connecting with a regional caseworker. The representative could see that his mother’s direct deposit information had been altered in early December, the month before the benefits disappeared.

Mrs. Birenbaum’s brother visited his mother’s local Social Security office and became Marge’s “brother.”representative beneficiary”, allowing you to manage your affairs (Social Security does not accept powers of attorney). They had to find ways to make the correction without bringing Marge into the office, which Birenbaum said would have been a “herculean task.”

Marge received the missing money on March 1, about a month and a half after they discovered the problem.

“For her, it ended on a happy note,” Birenbaum said, “but for many, who don’t have defenders pressing in every day, the cybercriminals win.”

Consider locking your accounts. Create a my social security accountbut then add a electronic services block, a feature that prevents anyone, including you, from viewing or changing your personal information online. You will need to contact your local office to remove it.

Another feature, a direct deposit fraud prevention lock, prevents anyone from enrolling in direct deposit or changing their address or direct deposit information through their online account or a financial institution. You must contact a local office to make changes or remove the block.

Don’t trust, verify too. If your phone’s caller ID says “Social Security Administration,” don’t trust it—the number may be fake and only the agency calls beneficiaries in limited situations. Call the agency again through their main line 1-800-772-1213 or call a local site using their office locator.

Report suspicious scams and fraud toward Office of Inspector General website or call 1-800-269-0271.

Contact the Federal Trade Commission if you suspect that someone has used your personal information, whether through your website or by calling 1-877-IDTHEFT (1-877-438-4338).

Review the Social Security Administration resources page on how to detect scams.