Stolen Social Security Numbers Can Sell for Millions!
The Social Security Administration (SSA) diligently modifies the cost of living adjustment (COLA) every year. Social Security checks get this inflation adjustment so that beneficiaries can still retain purchasing power.
For ~70 million beneficiaries, that monthly check could see a 9.6% bump in 2023.[*] Retirees, widows, and survivors receiving Social Security benefits anticipate this change.
And so do scammers.
But just how profitable is the crime of pilfering Social Security numbers (SSNs)? And what can you do to protect yourself from Social Security scammers?
How Can Social Security Identity Theft Occur?
A string of illegal websites known as the SSNDOB Marketplace was generating over $19 million in revenue before the FBI and Internal Revenue Service (IRS) shut them down in July 2022.[*]
SSNDOB was selling stolen personal information including names, dates of birth, Social Security numbers (SSNs), and credit card numbers that belonged to ~24 million individuals in the United States.
Here are nine ways that identity thieves can steal people’s SSNs — and, subsequently, also steal their government benefits and money.
1. Data breaches
A data breach is a security violation that exposes confidential or sensitive information to unauthorized personnel. Hackers target enterprises to access, steal, share, or otherwise corrupt consumer data for financial gain.
According to Spirion research, 65% of all sensitive data breaches in the United States involve stolen SSNs.[*]
In June 2022, Shields Health Care Group revealed that a data breach had compromised the personal information of about two million people in the United States [*]. The stolen data included names, SSNs, birth dates, phone numbers, and billing information.
2. Phishing and smishing
Phishing is a type of social engineering attack designed to obtain personally identifiable information (PII) through spam emails. These spoofed emails may purport to be from trustworthy organizations — like the IRS or your bank.
Once fraudsters establish trust, they can trick victims into disclosing bank account numbers, debit card details, or other financial information.
Most phishing emails contain malicious links that lead to scam websites, or trigger malware downloads onto devices. Smishing is similar to phishing but uses text messages instead of email.
📚 Related: Phishing Email Examples: 20 Emails That Don’t Look Like It →
3. Stolen wallets or Social Security cards
Robberies and pickpocketing offer perfect opportunities for criminals to steal your identity. If you pat your pockets only to realize that your wallet is gone, you might need to act fast to avoid becoming a victim of identity theft.
Once thieves have your stolen Social Security card, they can use your identity to open bank accounts, apply for loans, or even steal your tax refunds.
📚 Related: What Can Someone Do With Your Social Security Number? →
4. Dumpster diving
In April 2022, police arrested two people after raiding a motel room in Peachtree City, Georgia.[*] Adam Pennington and Stephanie Howard are suspected of committing identity fraud with documents that they stole from mailboxes and dumpsters.
Once fraudsters have information like your Social Security number, they can use it to create fake documents, including driver’s licenses or passports.
5. Redirecting your mail with change-of-address forms
A change-of-address scam involves changing a person’s postal address with the United States Postal Service (USPS).
Criminals can do this simply by filling out a PS Form 3575 because the USPS does not require additional proof of identity for mail-in change-of-address applications.
In 2022, Richard Losey was one of 44,000 people in the United States who fell victim to a change-of-address scam.[*]
It took the USPS over two weeks to stop forwarding Losey’s mail after he reported the fraud. By then, the criminals had stolen his tax documents, credit card statements, and medical reimbursement checks.
“All you have to do essentially is get somebody’s name, their home address and then you can go in there and just do a change-of-address to send all their mail to yourself.” said Johnson and Wales University’s director of information security, Nicholas Tella.
6. ATM skimming
Skimming refers to the use of recording devices that steal PINs and card information. With this scam, criminals plant a disguised “skimmer” — like a camera or card reader — on an ATM or payment terminal.
Once a person uses the machine, the skimming device steals the PIN and card number of your debit or credit card. Shimmers — paper-thin skimmers — can even wirelessly offload your stolen chip data to criminals.
📚 Related: What Can Scammers Do With Your Bank Account Number? →
7. Scam websites
If you enter your SSN on a scam website that isn’t secure, hackers can steal the information and potentially use it for different types of identity theft.
These scam websites often look like real business domains; but if you look more closely, they don’t have security certificates, padlock symbols, or “HTTPS://” in front of the website URLs. Scammers sometimes spoof domain names to look or sound like legitimate websites.
Impersonation scams involve fraudsters pretending to be representatives of real companies or government agencies, like the IRS.
The scammer usually contacts targets about an issue that needs immediate attention, such as a tax return discrepancy. The impersonator then convinces the victim to share PII or transfer money to resolve the issue.
📚 Related: 7 Ways to Spot FEMA Scams and Protect Your Relief Money →
9. Employment scams
In December 2020, Alexandra Mateus Vásquez from New York City fell prey to an employment scam after responding to a job posting on Indeed.[*]
Scammers tricked her into sharing her SSN and then attempted to use it to access unemployment benefits in California.
Of course, there is never an actual job opportunity in these elaborate schemes. Once scammers steal the victim's information or money, they disappear.
📚 Related: How To Identify Job Scams: Watch Out for These Red Flags →
What Can Scammers Do With Your Stolen SSN?
- Take out new lines of credit. Many banks don't require stringent identity confirmation measures for customers to open new lines of credit; you often only need to provide an SSN, name, and address. Scammers can use your stolen PII to obtain new accounts, loans, or credit cards in your name.
- File fraudulent tax returns. Scammers can use your SSN to file a false tax return and collect your tax refunds. Most victims only find out they’ve been defrauded in a tax refund scam after they try to submit their legitimate tax returns.
- Commit Medicare fraud. A fraudster can use your SSN to access medical tests, prescription drugs, and medical care that isn't covered by health insurance. Check to see if you’ve been a victim of medical identity theft.
- Claim other benefits tied to your SSN. With your stolen SSN, scammers can file claims for unemployment, Veterans Affairs (VA) benefits, and even disability compensation. This could stick you with a record for fraudulently using state or federal benefits — impacting your tax obligations and leaving you open to investigation for government fraud.
- Give you a criminal record. A scammer can use your SSN to fabricate identity documents, like a driver’s license or passport. Criminals can use these fraudulent documents, including your stolen SSN, to identify themselves (as you) if they are arrested for a crime.
How Do You Report SSN Fraud?
- File a report with both the police and the FTC
- Call the IRS (if applicable)
- Alert your employer
- Check your credit report
- Activate an extended fraud alert or credit freeze
- Alert all companies where your SSN was used fraudulently
- Claim your “my Social Security” profile
- Review your Social Security statement
- Request a replacement SSN card
- Contact the Social Security fraud hotline
1. File a report with both the police and the Federal Trade Commission (FTC)
When you inform relevant authorities about Social Security identity theft, you can assist them in their investigation and prevent further damage to your credit and reputation.
- Go to www.identitytheft.gov, and follow the instructions to file your report with the FTC.
- Keep the FTC report in a secure place — you’ll need this as evidence when you contact creditors, businesses, and the SSA about the theft.
- Contact your local police department to file a police report. You can use your FTC identity theft report to assist officers with information about all fraudulent activity.
2. Call the IRS (if applicable)
A thief can use your SSN to commit tax identity theft — filing a tax return in your name and claiming a fraudulent refund. If you receive unexpected tax returns or discover any suspicious activity on your tax account like a CP301 notice, contact the IRS right away.
- Contact the IRS at 1-800-908-4490 to tell them someone stole your SSN, and you suspect it has been used to conduct tax fraud.
- Fill out an Identity Theft Affidavit Form 14039 and submit it with your latest tax return.
- Follow the IRS’s instructions and get in touch with a tax professional to handle any complications.
3. Alert your employer
When thieves use stolen SSNs to claim unlawful unemployment benefits, it’s an ordeal for both the employee and the employer.
If you give your employer an early warning, you can help the company deal with attempted unemployment fraud, liability issues, and tax fraud — before it’s too late.
- Contact your employer in writing, and notify them about your stolen SSN or PII.
- Request a meeting with your Human Resources (HR) department and supervisor to notify them that your SSN might be at risk.
- Keep records of your communications in a safe place, and make sure that you have evidence proving that you informed your employer of SSN theft.
4. Check your credit report
Most people don’t realize that someone stole their SSN until it’s too late. Getting your credit report can help you detect fraud quickly and limit the damage before a thief racks up thousands of dollars of debt in your name.
- Get a free credit report from one of the three credit reporting bureaus (Equifax, Experian, or TransUnion). You can request a new report from each of the other bureaus every three months via annualcreditreport.com.
- Check your credit history for suspicious activity that might indicate fraud or identity theft, such as unfamiliar credit accounts, loans, or transfers.
- Make a note of all suspected fraudulent activity. Organized notes will help you when you contact individual creditors about the problem.
5. Activate an extended fraud alert or credit freeze
An extended fraud alert stays on your credit report for seven years to indicate to creditors that you’ve been a victim of fraud or identity theft. Creditors must contact you to verify your identity and get your consent for new credit applications.
A credit freeze is an anti-fraud mechanism that stops credit bureaus from sharing your information with certain third parties.
- Call Equifax, Experian, or TransUnion to request a credit freeze or fraud alert on your credit profile.
- Remember you only need to contact one credit reporting agency to place a fraud alert. That bureau must share your request with the other agencies.
- Be aware that an extended fraud alert will stay in place for seven years before it expires, while a credit freeze will remain in force until you contact a credit reporting agency to “thaw” the account.
6. Alert all companies where your SSN was used fraudulently
Contacting companies (and financial institutions) at which scammers used your SSN can stop them from doing further damage to your finances and credit.
- Contact any affected businesses to tell them that your SSN was stolen and that criminals are fraudulently using it to open credit accounts and make purchases.
- Submit a copy of your FTC report and police report as evidence of fraud. This official documentation should make it easier to get refunds from vendors.
- Close any fraudulent online accounts in your name with e-commerce stores, and instruct the businesses to stop all activities related to your PII.
7. Claim your “my Social Security” profile
my Social Security, via the SSA website, is a secure online portal to manage your Social Security benefits. You can use your my Social Security profile to check and protect your Social Security benefits against fraudsters in real time.
- Go to the my Social Security portal, follow the instructions, and register your account.
- Log in to your secure profile, and check for changes to your SSA benefits.
- Report any suspicious activity to the SSA online, or by calling 1-800-772-1213.
8. Review your Social Security statement
Social Security statements indicate your eligibility for Social Security benefits and lifetime earnings. These statements include an earnings record, as well as your Social Security and Medicare payments.
The SSA recommends checking your statement for errors at least once a year so that your future monthly benefits payments are accurate.
- Access the my Social Security portal — this is the fastest way to view your Social Security statement.
- Consider an SSA Statement Request if you can't use the SSA portal. You can complete the paperwork — Form SSA-7004 — and submit the request to your local SSA office. The office will mail your statement in four to six weeks.
- If you notice anything suspicious, report it immediately by calling 1-800-772-1213.
9. Request a replacement Social Security card
If your Social Security card was stolen, you'll need a replacement. This step ensures that you’ve notified the SSA about the theft, and that you'll have a paper trail to assist an investigation.
- Log in to your my Social Security account, and complete the online Social Security card replacement form. You should receive your new card within 10 to 14 business days.
- Apply for a replacement card in person or by mail if you do not have a my Social Security account.
- Gather documentation to prove your age, citizenship, and identity (i.e., your United States birth certificate, hospital record, passport, driver’s license, or state-issued identification card).
10. Contact the Social Security fraud hotline
When you submit a fraud report through the Social Security fraud hotline, the Office of Inspector General (OIG) will review and investigate the alleged fraud.
- Contact the OIG fraud hotline at 1-800-269-0271. You can also submit a fraud report to the OIG via their online submission portal.
- Indicate that your SSN was stolen and might be at risk. Provide as much information as possible, including your reports from the police and FTC.
- Remember that federal regulations prevent law enforcement agencies, including the OIG, from sharing information about investigations.
When Should You Freeze or Lock Your SSN?
When you know someone untrustworthy has obtained your Social Security information, one of the most effective safeguards is to put an SSN lock in place. Here are some situations in which you should consider locking your SSN:
- You notice early signs of identity theft. For example, you might notice changes to your credit score, unexpected bills, contact from the IRS, or change-of-address confirmation letters.
- Strange inquiries or loans on your credit report. If your credit report has unfamiliar charges and applications for credit, this is a big red flag. You may be the victim of identity theft and should freeze your SSN immediately.
- Someone took out benefits in your name. Social Security benefit claims that you don’t recognize may be a sign that scammers are using your SSN.
- A scammer filed a tax return in your name. Fraudulent tax return filings in your name mean someone has stolen your PII. You need to be on guard against other forms of identity fraud.
Contact the SSA to block electronic access
- Do this by calling the SSA at 1-800-772-1213 (toll free), or the Teletypewriter (TTY) number at 1-800-325-0778.
- Once you request a block, nobody can access your Social Security record — not even you. It will be impossible for anybody to view or edit any information on the record until you contact the SSA to remove the block.
Use E-Verify to freeze or lock your SSN
This action helps prevent scammers from using your SSN to commit employment fraud with E-Verify-registered employers.
- Log in to your myE-Verify account. If you don’t already have an account, select “Create Account” and register your profile.
- Enter your SSN and date of birth to freeze your SSN.
- Select three challenge questions and enter answers. Any time new employers need to verify your employment authorization, you can answer the three challenge questions to verify your identity.
Remember that when you set up this self-lock feature, you are always in control and will need to verify your information.
If your employer tries to enter your locked SSN in E-Verify, it will cause an E-Verify mismatch — or a Tentative Nonconfirmation (TNC).
When Can You Request a New SSN?
As a last resort against SSN fraud, you can apply for a new Social Security number from the SSA. However, the SSA only issues new SSNs for five specific situations:
- You are the victim of ongoing financial or identity fraud and have proof that you’ve exhausted all other avenues to resolve the problem.
- You face threats of personal harm. For example, someone uses your SSN to track you down, harass you, and intends to cause you harm. If you can provide police reports to support these claims, you can get a new SSN.
- You have a religious or cultural objection to any sequence of numbers in your SSN.
- You have issues with sequential numbers assigned to the same family. Family members with similar names and SSNs can sometimes encounter problems with their tax records and legal statuses.
- You have the same SSN as someone else. This scenario is rare, but if the SSA accidentally assigns the same SSN to multiple people, it will issue you a new, unique SSN.
What To Do If Thieves Keep Targeting Your SSN
If you’re in a situation in which someone is repeatedly using your SSN, you need to contact the SSA to stop the fraud. Here are some ways to get in touch with the SSA:
- Call them at 1-800-772-1213 (toll-free number) or 1-800-325-0778 (TTY number).
- Send them an email using the SSA online contact form.
- Locate your nearest SSA office and make an appointment.
- Send written requests to this address: Social Security Administration, Office of Public Inquiries and Communications Support, 1100 West High Rise, 6401 Security Blvd., Baltimore, MD 21235.
The Choice To Share (or Not To Share) Your SSN Is Yours
Your SSN is one of your most important personal identifiers — whether it’s for employment or government benefits. For this reason, identity thieves are motivated to dupe you into unwittingly sharing your SSN.
In the event that you do need to share your personal data for verification, do not hesitate to ask the person requesting it these questions:
- Why do you need this information?
- Can I use a different form of identification?
- How are you going to use it?
- How are you going to keep it safe?
- What happens if I decide not to share my SSN with you?
Protect your SSN as much as possible and learn to discern the telltale signs of a scam call. For added security, consider signing up for Aura’s all-in-one identity theft solution.