Identity thieves who steal personal information can use it to open a fraudulent my Social Security account and reroute a beneficiary’s monthly direct deposit to an account they control. The Social Security Administration’s Office of the Inspector General has warned about this scheme for years, and a new OIG audit released September 9, 2025, found that beneficiaries did not always authorize direct-deposit changes made by telephone, leading to payment diversions. Creating a legitimate account first, using a Login.gov or ID.me credential, blocks that attack and takes only a few minutes.
Why a my Social Security account stops direct-deposit theft
The fraud works because SSA allows only one my Social Security account per person. When a thief registers first, they gain the ability to change the beneficiary’s mailing address and direct-deposit routing through the My Profile tab. Once a real beneficiary claims that account slot, no second registration is possible. The SSA Inspector General’s early fraud advisory specifically names this step as the primary defense: creating your legitimate account before a scammer does.
Beneficiaries who want even stronger protection can add two account-level blocks. An eServices block prevents anyone, including the account holder, from viewing or changing personal information online. A Direct Deposit Fraud block goes further: under SSA’s operational policy, any request to change direct deposit on a record carrying that block is treated as unacceptable, giving staff clear grounds to refuse. Both options are described on the agency’s main fraud prevention page, which also explains how to ask SSA to place or remove these safeguards.
The hypothesis that early account creation measurably reduces diversion attempts is logical but currently lacks direct statistical proof. No SSA dataset publicly compares fraud rates for beneficiaries who registered within 30 days of benefit approval against those who waited six months or longer. What the evidence does confirm is that the account itself is a binary lock: if it exists in the beneficiary’s name, the primary online attack vector disappears. In that sense, setting up a my Social Security profile is less about constant use and more about occupying the one slot that a criminal would otherwise try to claim.
OIG audit findings and SSA’s tightened controls
The September 2025 OIG audit found that SSA’s pre-April 14, 2025, telephone practices for direct-deposit changes left gaps that allowed unauthorized diversions by phone. Staff sometimes accepted routing and account changes based on limited identity checks, which sophisticated impostors could circumvent. That finding matters because it shows the threat is not limited to online fraud. Scammers have also exploited telephone channels where identity verification was weaker, particularly when they possessed stolen Social Security numbers and biographical details.
SSA has responded with tighter rules. Online direct-deposit changes made through a personal my Social Security account are now subject to a 30-day hold, according to a March 2025 SSA announcement. During that window, the agency can send notices to the prior address or bank, giving legitimate beneficiaries a chance to spot and report an unauthorized switch. SSA also plans to implement Treasury’s Account Verification Service, which would cross-check new bank account details before processing a switch. Together, the hold period and the planned verification layer add friction that slows or stops fraudulent redirections even if a thief somehow gains access to a legitimate account.
Gaps in the evidence and what beneficiaries should do now
Despite these improvements, important evidence gaps remain. The OIG audit highlights specific diversion incidents and policy weaknesses but does not quantify how many attempts were blocked by existing controls or how often early account creation made a difference. Likewise, SSA has not published comparative fraud rates by channel-online, telephone, or in-person-making it hard for the public to gauge which risks are most acute. Until more detailed data are available, beneficiaries must rely on the structure of SSA’s rules and the documented cases of abuse to guide their choices.
Those rules give individuals several concrete tools. SSA’s Program Operations Manual describes how staff are instructed to treat a record with a Direct Deposit Fraud block: any requested change to banking information is considered an “unacceptable” action and should not be processed under normal procedures. The relevant policy section on direct deposit safeguards underscores that these blocks are meant to be strong brakes, not mere flags. When combined with a preemptively created my Social Security account, they significantly narrow the paths a criminal can use to hijack payments.
Beneficiaries can therefore take a layered approach. First, create and secure a my Social Security account using a strong password and multifactor authentication. Second, consider requesting an eServices block or Direct Deposit Fraud block if you rarely need to change your banking information and are willing to handle future adjustments in person or by mail. Third, monitor bank statements and SSA notices closely, especially after any contact with someone claiming to be from the government. None of these steps is foolproof, and the public record still lacks precise statistics on their combined impact. But the available evidence, policy language, and OIG findings all point in the same direction: occupying your account slot early and adding formal blocks where appropriate are among the most effective defenses currently available against direct-deposit theft.
