Picture this: a retired teacher in Georgia checks her bank account on the first of the month and finds nothing. Her Social Security payment, the one that covers rent and prescriptions, landed in someone else’s account. She never touched her settings. A stranger did it through the my Social Security portal, probably in less time than it takes to brew coffee.
That is not a hypothetical. The Social Security Administration’s Office of the Inspector General told Congress in 2023 that fraudsters had redirected $33.5 million from 20,878 beneficiaries by making unauthorized direct deposit changes through the online portal during the examination period reviewed in that testimony. A separate OIG audit released in September 2025 found that telephone-based deposit changes were also vulnerable before new safeguards took effect in April 2025, meaning the problem stretched across more than one access point.
The good news: there is a free countermeasure most beneficiaries have never heard of. SSA’s “block electronic access” feature, available at socialsecurity.gov/blockaccess, prevents anyone from making online changes to your account until you personally reverse the lock. For the millions of people who rarely adjust their benefits online, it removes the primary attack surface scammers have exploited for over a decade.
How the scam works
SSA first allowed beneficiaries to change direct deposit routing online in January 2013, according to the same OIG testimony. The scheme that followed is not particularly sophisticated. A criminal who gathers enough personal information to pass identity verification, typically a Social Security number, date of birth, and answers to credit-file questions, can log in, swap the bank account on file, and collect the next monthly payment before the real beneficiary notices anything is wrong.
The website was not the only weak spot. Before April 2025, SSA staff could also update direct deposit details over the phone using knowledge-based identity checks drawn from credit files and public records. The September 2025 OIG audit, which examined telephone-based changes made before the new safeguards took effect, confirmed that those checks were not always sufficient and that some beneficiaries never authorized the changes made in their names.
Concerns about this risk predate the online portal itself. As early as 2012, SSA officials were fielding questions from lawmakers about how they would protect beneficiaries as paper checks were phased out, according to congressional testimony on direct deposit risks. Those hearings flagged the core trade-off: electronic payments reduce lost checks and mailing costs, but they create a single point of failure if bank account information can be changed without airtight verification.
The threat is not limited to outside criminals. In July 2025, an SSA employee pleaded guilty to stealing benefits through direct deposit changes, a case prosecuted by the U.S. Attorney’s Office for the Northern District of Georgia. That insider case shows that both external fraudsters and agency staff have exploited the same deposit-change mechanism.
What SSA has done to tighten security
SSA has rolled out several countermeasures since the scale of the problem became public. The agency announced it is expediting legitimate direct deposit changes to a single business day while tightening identity proofing requirements, and it plans to verify bank account ownership through Treasury’s verification service, according to a March 2025 SSA blog post outlining the initiative. As of early 2025, beneficiaries could complete deposit updates through three channels: online via my Social Security, through a bank’s auto-enrollment process, or by generating a one-time code for phone transactions.
Separately, SSA now requires beneficiaries to sign in to my Social Security through Login.gov or ID.me, both of which use multi-factor authentication and more rigorous identity proofing than the older, SSA-managed login system they replaced. That change raises the bar for criminals attempting to access an account with stolen personal data alone, though it does not eliminate the risk entirely if a fraudster can intercept verification codes or compromise a victim’s email.
The block electronic access feature predates these newer reforms and remains the simplest individual safeguard. When activated, it freezes all online activity on the account. No one, including someone who has stolen your login credentials, can view or change benefit information through the portal until you contact SSA to lift the block.
One important caveat: the block applies to online access only. It does not prevent changes made in person at a local SSA office or through other channels. For beneficiaries who manage their affairs primarily in person and rarely touch the website, that limitation is unlikely to matter. But if you rely on the portal to check statements, update your address, or manage Medicare, you will need to weigh the inconvenience of lifting and reapplying the lock against the security benefit.
How to lock your account
Go to socialsecurity.gov/blockaccess. You will verify your identity, then select the option to block electronic access. Once the block is active, no one can log in to your my Social Security account or make changes online. If you later need portal access to file a claim, check a benefit statement, or update your information, you can contact SSA to remove the block and reapply it when you are done.
Beyond locking the account, SSA recommends keeping your contact information current so the agency can reach you if suspicious activity is detected. Checking your bank deposits on or shortly after your scheduled payment date each month is equally important: catching a diversion early gives SSA and your bank the best chance of recovering the funds quickly.
What we still do not know
The $33.5 million figure covers a specific examination period cited in the 2023 OIG testimony. As of June 2026, no post-April 2025 audit data has been published showing whether the new identity proofing rules have reduced the volume of unauthorized online diversions. SSA has also not released public metrics on how many beneficiaries have activated the block electronic access feature or how effective the lock has been at preventing fraud in practice.
The September 2025 OIG audit on telephone-based changes confirmed patterns of diverted payments and improper authorizations but did not break out a comprehensive dollar total lost through the phone channel alone, or whether certain call centers or regions were more heavily targeted. That leaves open questions about whether the fraud was scattered or concentrated in specific operational weak spots.
It is also unclear how quickly victims are made whole. SSA policy allows for reissuance of misdirected payments, but the available oversight materials do not specify average timelines from complaint to restoration. For retirees and disabled workers who depend on monthly benefits for rent, food, and medication, even a short gap can trigger cascading financial stress that dollar-loss statistics do not capture.
Finally, SSA has not committed in available documents to publishing regular statistics on attempted and prevented diversions, false positives, or complaints tied to the tighter controls. Without that transparency, beneficiaries and advocates have no clear benchmark to gauge whether the reforms are substantially reducing risk or simply pushing fraud attempts toward new angles.
Why the two-minute account lock still matters more than any policy reform
SSA’s layered upgrades, from Login.gov and ID.me sign-in requirements to Treasury-backed bank verification, are meaningful steps. But every one of them depends on the agency executing correctly across hundreds of field offices and call centers, and the track record documented by the OIG does not inspire unconditional confidence. The block electronic access feature is different because it puts the decision in your hands, not the agency’s. If you do not need regular online access to your Social Security account, lock it at socialsecurity.gov/blockaccess. It costs nothing and takes roughly two minutes.
If a deposit is missing or routed incorrectly, contact SSA immediately at 1-800-772-1213 and report the issue to the OIG’s fraud hotline at 1-800-269-0271. The sooner you flag a diversion, the better your chances of recovering the money before the trail goes cold. The criminals already know how the system works. The least any beneficiary can do is flip the one switch that shuts them out.
