Fake SSA Portal Email Hijacks Your my Social Security Account
Phishing emails impersonating the Social Security Administration trick victims into surrendering my Social Security account credentials, or help attackers register a fraudulent account in the victim's name before the real person does, redirecting benefit payments.
Part of: New Account Takeover
Last reviewed: 8 June 2026
The Social Security Administration's my Social Security portal allows Americans to view earnings records, manage benefits, and control direct-deposit information. Because the portal controls financial data of enormous value to fraudsters, it is a high-priority target for account-takeover attacks.
Scammers send phishing emails that mimic the SSA's design, claiming there is an alert on the victim's account — unusual login activity, an address change that requires confirmation, or a pending benefit payment that must be verified. The link leads to a fake my Social Security login page that captures credentials.
A particularly aggressive variant targets people who have not yet created a my Social Security account. Attackers use data harvested from breaches to register an account in the victim's name first, locking them out and gaining control over benefit information. The SSA encourages every eligible American to create their own account proactively to prevent this.
How this scam works on the Social Security Administration brand
A convincing SSA email arrives citing the recipient's name and partial SSN, warning of a security lock or unverified address requiring immediate action. A Verify Now button leads to a replica ssa.gov login page. Once credentials are entered, the attacker changes the email address and phone number on the account, cutting the victim off.
In the pre-emptive registration variant, attackers use SSN, date of birth, and address from a data breach to create a new my Social Security account before the victim does. They redirect direct-deposit payments to a prepaid card, and the victim only discovers the fraud when an expected benefit payment does not arrive.
Some campaigns add a deepfake-voice follow-up call from an SSA security agent asking the victim to verbally confirm account details to restore access, harvesting additional identity information.
Common red flags
- Email or text from a domain other than ssa.gov or socialsecurity.gov
- Message claims your SSN has been suspended or your account locked requiring immediate login via a link
- Link leads to a URL that is not https://www.ssa.gov
- Message asks you to confirm your full SSN, banking details, or date of birth via the link
- You attempt to log in to my Social Security and find an account already exists that you did not create
- Expected benefit payment does not arrive and your account shows an address or bank change you did not make
- Personalised details in the message such as your name and partial SSN — this information comes from breaches, not the real SSA
How to protect yourself
- Create your my Social Security account at ssa.gov now if you have not already, to prevent pre-emptive registration by fraudsters
- Access ssa.gov only by typing it directly in your browser, never via links in emails or texts
- Enable two-factor authentication on your my Social Security account using the official portal settings
- The SSA contacts you by post for most matters — treat any urgent electronic contact with suspicion
- Check your Social Security statement annually for unfamiliar earnings records that may indicate identity theft
- Place a credit freeze at the major bureaus if your SSN has been exposed in a breach
- Report any unauthorised my Social Security account immediately to the SSA Office of Inspector General
How to report it
- Report SSA impersonation to the SSA Office of Inspector General at oig.ssa.gov or call 1-800-269-0271
- Report identity theft involving your SSN at identitytheft.gov
- File a complaint with the FTC at reportfraud.ftc.gov
- Report phishing emails to [email protected]
- If benefits were redirected, contact SSA directly at 1-800-772-1213
Frequently asked questions
Can someone create a my Social Security account in my name without my knowledge?
Yes, if they have your SSN, date of birth, and address — all obtainable from data breaches. The best defence is to create your own account at ssa.gov first, which prevents a fraudster from registering one in your name.
How does the SSA actually communicate urgent account matters?
The SSA primarily communicates by post. When it does send electronic notifications, they come from ssa.gov addresses and direct you to type ssa.gov in your browser rather than click a link. The SSA never demands immediate action by email or threatens suspension of benefits via an unsolicited text.
I received an email saying my SSN was suspended. Is that possible?
No. Social Security numbers cannot be suspended. This is a well-documented scam tactic. Delete the message and verify your status directly at ssa.gov.