Phishing emails encouraging you to create a my Social Security account are circulating.

What is phishing?

Phishing is the practice of using social engineering techniques over email to trick a recipient into revealing personal information, clicking on a malicious link, or opening a malicious attachment.

How can I detect a phishing email pretending to be Social Security?

  • Most emails from Social Security will come from a “.gov” email address. If an email address does not end in “.gov”, use caution before opening attachments or clicking on pictures or links in the email.
    • In a few instances, we use marketing firms to raise awareness of Social Security’s online services, and this includes creating a my Social Security account. We allow these firms to send email directly to individuals. Any links you find within these emails should always point to a “.gov/” web address. 

  • Links, logos, or pictures in the body of an official Social Security email will always direct you to an official Social Security website. Rather than relying on the way a link looks, please follow these steps to confirm a link’s authenticity:
    • To verify the web address of a link or picture, hover over it with your mouse until a text box appears with the web address. This is the actual address you will be directed to, and it should always end in “.gov/”. A forward slash should always follow the “.gov” domain.
    • Example - http://www.ssa.gov/myaccount/
    • Links to the official Social Security website will always begin with http://www.socialsecurity.gov/ or https://secure.ssa.gov/.

  • Below are examples of fraudulent websites pretending to direct you to Social Security. Notice the location of the forward slash.
    • https://www.socialsecurity.gov.gmx.de/
    • http://www.socialsecurity.gov.bx.co.rx/setup
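
The forward-slash check described above can be automated, for example in a mail filter. The following is an added example, not code from Social Security: it looks only at the host part of a link (everything before the first single “/”) and compares it with the official hosts quoted on this page. The function names and the "gov-other" label are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Hosts taken from the official addresses quoted on this page.
OFFICIAL_HOSTS = {"www.ssa.gov", "secure.ssa.gov", "www.socialsecurity.gov"}


def link_host(url):
    """Return the lower-cased host a link really points to, or None."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:
        return None
    # A trailing dot ("www.ssa.gov.") names the same host; normalise it away.
    return host.rstrip(".").lower() if host else None


def classify_link(url):
    """Classify a link as 'official', 'gov-other' or 'suspicious'."""
    host = link_host(url)
    if host is None:
        return "suspicious"  # no scheme or no host: nothing to verify
    if host in OFFICIAL_HOSTS:
        return "official"
    # The host itself must END in ".gov". When ".gov" appears earlier in the
    # host, it is only a subdomain label of some other domain.
    if host.endswith(".gov"):
        return "gov-other"
    return "suspicious"


if __name__ == "__main__":
    # The example addresses shown on this page.
    samples = [
        "http://www.ssa.gov/myaccount/",
        "https://secure.ssa.gov/",
        "https://www.socialsecurity.gov.gmx.de/",
        "http://www.socialsecurity.gov.bx.co.rx/setup",
    ]
    for url in samples:
        print(f"{classify_link(url):<11} {link_host(url)}")
```

Both fraudulent examples are classified as suspicious because their hosts end in “.de” and “.rx”, not “.gov”.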

What should I do if I’ve received a phishing email pretending to be Social Security?

What are other tips I can use for detecting phishing emails?

  • Verify the sender. Exercise caution when receiving email from a sender you don’t know or haven’t heard from in a long time. Hover over the ‘From’ email address to ensure it matches the displayed email or name of the sender.
  • Look for poor choices in wording, phrasing, or spelling.
  • If an email includes a business name, telephone number, or website link, verify the legitimacy of these items by searching for the official number or website in a search engine.
  • Do not respond to emails requesting personal information. Reputable businesses and public agencies will not ask you for personal information in an email.

Are there other resources I can use to learn more about phishing?

For more information about "phishing," go to OnGuard Online.