October 1, 2018

Stolen Social Security Benefits: You Must Read This

A good friend of ours had the unimaginable happen. Someone stole his data files and filed a fraudulent Social Security claim for benefits under his name. Because he had not asked to start receiving his benefits, this theft of money and his identity continued for a while.

As you can imagine, undoing the damage is a long and laborious process. In a stroke of good luck, there were apparently enough red flags raised at the bank selected to receive the fraudulently filed benefits that they rejected all of the transfer attempts. They alerted the Social Security Administration that there appeared to be a problem. Even so, Social Security has to update his records to show he hasn't filed for benefits and the money paid did not go to him. The process could take 90 days.

The takeaway is simple: if you are over 62 and have not started receiving Social Security benefits you are a prime target of these lowlifes. It is essential that you make sure no one has filed for your benefits. 

The following release from AICPA provides an excellent summary of the problem and what steps you should take to keep your files safe (or as safe as they can be in today's world). The author had his benefits misdirected, too. Even as a CPA he fell victim. In the following, he is advising fellow CPAs on what to do. His suggestions apply to everyone.

If you or your clients are at or nearing retirement age, you need to know that hackers are targeting social security accounts. I found out the hard way. My career as a CPA Personal Financial Specialist was devoted to advising individuals and families on their most important financial goals, including tax, retirement, estate, risk management, investment and retirement planning.

After decades of helping my clients navigate and manage these important decisions, imagine my surprise when I received a letter in the mail shortly after my 67th birthday congratulating me on initiating my Social Security benefits. The trouble was, although I had entered the glory years of retirement, I had not yet applied for Social Security benefits, opting to wait until age 70 to receive my benefits. Further digging uncovered the unfortunate fact that a thief had received $19,236 of my benefits. I was dumbfounded.

How did this breach occur? And if I was victimized, who else might be at risk? What can you do to prevent this or respond should this happen to you or your clients?

Who is at risk?

All individuals age 62 to 70 who have not yet applied for benefits are at risk, particularly if their personal information was exposed in the Equifax breach. For beneficiaries over age 66.5, the risk is even greater. In my case, a fraudulent application was made one month after I turned 67.

The timing is not coincidental – in fact it reveals that the thief was sophisticated enough to understand the Social Security system. Individuals who have reached full retirement age and have not applied for benefits can receive a retroactive payment from Social Security of up to six months of benefits. So, beginning at age 66.5 (for people born between 1943 and 1954), thieves can access the maximum amount of back benefits.

How did this happen?

While I’m not entirely sure how the thief obtained my personal information, it’s likely that the Equifax data breach, which exposed the vital personal identification data of as many as 143 million consumers, contributed to the identity theft. According to the Equifax website, my personal information was potentially exposed as a result of the breach.

Prior to the Equifax breach, I had frozen my credit with all three credit bureaus, effectively denying any attempts to obtain credit in my or my wife’s names. Despite the freeze, the thief was able to have my benefits direct deposited into an account opened with a bank that proudly advertises at major retailers that they do not perform credit checks prior to issuing prepaid Visa debit cards.

If these stores had done a credit check, in my case, they would have found that I had freezes on all three bureaus and would have then rejected the false application they had blindly accepted with my stolen information.

But Equifax, the bank, and the retailers who market and sell these cards are not the only players involved. There is a flaw in the controls on the Social Security website that, unfortunately, does little to protect the beneficiary.

Beneficiaries who set up a my Social Security account can view their Social Security Statement, update their address and phone number, start or change direct deposit of their benefit payment, and view benefits online. This secure website sends an email or text message with a secure access code to the contact information on file on the website before login can be completed.

However, there is a separate, unsecure website that is not located within the secure my Social Security account, which was the door the thief used to perpetrate the fraud. This website, the Social Security Retirement/Medicare Benefit application, can be used to apply for benefits online.

On the unsecure website, the thief changed one digit of my phone number, entered a fake email address, set up direct deposit information for the bank prepaid card that had been fraudulently opened, and applied for benefits. Although the personal information entered by the thief did not match the information I had previously entered on the secure website, I received no notification of these changes or the fact that a benefit application had been made.

If there is a silver lining, it is that addresses cannot be changed on the unsecure benefit application website, so I received a letter in the mail congratulating me for initiating my benefits. Unfortunately, six months of back benefits and a current month of benefits, totaling over $19,000, had been disbursed to the fraudulent bank card account prior to when the Social Security Administration (SSA) mailed the letter and 11 days before I received it.

What Next?

Whether or not you are a victim of this crime, taking precautionary security measures to protect yourself from a diversion of benefits is critical. The SSA provides recommendations on how to secure your information online. Unfortunately, because of the notification breakdown and unsecure nature of the benefit application website, taking these steps does not ensure that you will not be victimized. At a minimum, I would recommend that you create a my Social Security account and log in at least annually (more frequently if over age 62) to verify your personal information and benefit status.

If you discover that you or one of your clients has been the victim of a Social Security breach or theft, make an appointment (if you can) or wait in line at your local SSA office immediately. You will be interviewed and required to provide a written statement certifying the circumstances of the fraud. The agent will freeze further payments on your account.

Maintain digital and hard copies of everything that you receive. Furthermore, I was advised to file a police report with a case number, which I have maintained in my files. Finally, I had electronic access to my account blocked.

I just received Form SSA-1099 for the $19,236 that was disbursed out of my account. I will now have to battle with both the IRS and the Social Security Administration, and eventually Medicare as this additional income would tip me over the threshold for means testing on my Parts B and D premiums.

I urge you to alert your clients of this and other cybersecurity risks. The AICPA Tax Section has a toolkit relating to tax identity theft, including a client identity theft checklist with action steps for recovery that is open to all AICPA members. Consumers can also benefit from materials on the AICPA’s 360 Degrees of Financial Literacy website relating to identity theft. In addition there is a page of SSA recommendations.

The author of this release is James A. Shambo, CPA (retired), president of Lifetime Planning Concepts, Inc., which is located in Colorado Springs, CO.

This can be a serious matter and create a real mess in your life. I found this article eye-opening and worth my attentive follow-up.

Satisfying Retirement provides this post for informational purposes only. No compensation was received nor endorsements implied.


  1. This happened to me! But SSA checked with me before allowing the claim to proceed because they were suspicious. I said it wasn't me. Not long after it happened again! Same thing, only this time I went to the SSA office in person. They set it up so that when I do start drawing SS I will have to go in person to get it started. I can't do it online. Small inconvenience but it prevents someone from making an online claim. Sheesh...

    1. Two people I know well have had the same thing happen. I am sensing a connection, here, and it is me.

      This is a problem I wasn't aware of but it is obviously not all that uncommon. Thanks, Galen, for pointing out the need for everyone to stay vigilant.

    2. I was lucky because in my case the SSA was vigilant!

  2. The most important article I have read in a long time for my personal savings! Sharing with friends. Thank you. Never even crossed my mind!

    1. I had no idea, either, until I was alerted by a friend.

  3. I just shared this with a couple relatives who have delayed benefits. I also saw that Tamra had a similar issue, or her husband did, bless her heart.

    1. With a serious issue like this, turning over the rocks reveals a lot of instances we had no idea happened.

  4. Florida is the leading state for social security fraud. Homestead being the capital. Someone there tried to divert my father's social security check to a new bank acct. We received a letter from Social Security office notifying Daddy of the requested change of banks. We contacted them, explained that he had not requested it and his online account (which had been created by the swindler) was frozen to prevent it from happening again. Also had a credit card attempt. We think the information was pulled from his medical records. Scary world we live in.

    1. Yes, it is. Florida seems to have more than its fair share of scammers. I get at least six calls a week from people trying to sell me a vacation package or to help me sell a timeshare unit (that I sold 15 years ago). No matter that I block the phone number, they have an unlimited supply.

  5. Thank you for this valuable information! We both just checked our ss accounts and all is fine. However, we will be checking more frequently as a result of your story. We are trying to wait as long as possible and did not dream that this would be a drawback.

    1. Like you, I was completely unaware of the risk until a friend alerted me to the problem. Would it be too much to ask that the SSA online portal for signing up for benefits be secure?

  6. I have had my credit card information stolen and used fraudulently, but fortunately the credit card company was alert and contacted me immediately. I was not required to cover the expenses that had been charged to my card.


    1. That law has helped millions of us. Even so, I worry about what the bad people are doing with my information and when I might find another problem lurking in my future. I have freezes on all my credit reports and double identity check-in on important things like Social Security and investment accounts. Am I in the clear? Nope.