The Online Identity Verification Process
One of our most important responsibilities is protecting your investment and personal information. Social Security takes this responsibility very seriously, and we have a robust cybersecurity program in place to help us succeed. Our security process follows federal guidelines that includes additional security measures so we can be sure that you are who you say you are when you conduct online business with us.
To protect the privacy of your identity and your information, we use an identity verification process.
- Requires you to sign in with a username and password;
- Offers extra security; and
- Complies with federal laws, regulations, and guidelines.
In addition to your username and password, you can choose either your cell phone or email address as your second identification method when you sign in to or register for my Social Security. Two forms of identification when signing in will help better protect your account from unauthorized use and potential identity fraud.
Each time you sign in to your account, you will complete two steps:
- Enter your username and password.
- Enter the security code we send by text message or email, depending on your choice (cell phone provider text message and data rates may apply).
If you choose to receive your one-time security code through email, you can add NO-REPLY@ssa.gov to your contact list to make sure it does not go into your spam or junk folder.
For additional tips to help you stay safe and secure online please visit the Federal Trade Commission's OnGuard Online.
If You Cannot Or Do Not Want To Create An Account Online
If you are unable or unwilling to create an online account, you may still create an account in person by visiting your local Social Security office.
If You Want Extra Security
We offer you the choice to add extra security when you create an online account. In the past, we told you Social Security would never ask for your credit card number or other financial information. We have changed our policy for this one service. Now, we may ask you for the last eight digits of your Visa, Mastercard, or Discover credit card, or some other financial information. Once you give us this additional information, we will send you a letter in the mail in five to 10 business days. You will need this letter to complete the voluntary process to add extra security.
You can upgrade to extra security at any time. Adding extra security does not change the way that you sign in to your account. You must still sign in with your username, password, and a unique security code we will provide each time you sign in.
Internet Phishing Alert
Internet scam artists use clever “phishing” schemes to defraud millions of people each year. Phishing is the practice of using social engineering techniques over email to trick a recipient into revealing personal information, clicking on a malicious link, or opening a malicious attachment.
How can I detect a phishing email pretending to be Social Security?
- Most emails from Social Security will come from a “.gov" email address. If an email address does not end in “.gov”, use caution before opening attachments or clicking on pictures or links in the email. Currently, Social Security sends emails from firstname.lastname@example.org, email@example.com, ThankYou@ssa.gov, DoNotReply@ssa.gov, and echosign.com.
- In a few instances, we use marketing firms to raise awareness of Social Security’s online services, and this includes creating a my Social Security account. We allow these firms to send email directly to individuals. Any links you find within these emails should always point to a “.gov/” web address.
- Links, logos, or pictures in the body of an official Social Security email will always direct you to an official Social Security website. Rather than relying on the way a link looks, please follow these steps to confirm a link’s authenticity:
- To verify the web address of a link or picture, hover over it with your mouse until a text box appears with the web address. This is the actual address you will be directed to and it should always include “.gov/” A forward slash should always follow the “.gov” domain.
- Example - https://www.ssa.gov/myaccount/
- Links to the official Social Security website will always begin with https://www.ssa.gov/ or https://secure.ssa.gov/.
- Below are examples of fraudulent websites pretending to direct you to Social Security. Notice the location of the forward slash.
What should I do if I’ve received a phishing email pretending to be from Social Security?
- If you are not certain that an e-mail you received came from Social Security or one of our marketing firms, DO NOT respond to the email or click on any links contained in the email message.
- Report the incident by forwarding the suspicious email to the U.S. Computer Emergency Readiness Team (US-CERT) at firstname.lastname@example.org. (http://www.us-nocert.gov/nav/report_phishing.html).
What are other tips I can use for detecting phishing emails?
- Verify the sender. Exercise caution when receiving email from a sender you don’t know or haven’t heard from in a long time. Hover over the ‘From’ email address to ensure it matches the displayed email or name of the sender.
- Look for poor choices in wording, phrasing, or spelling.
- If an email includes a business name, telephone number, or website link, verify the legitimacy of these items by searching for the official number or website in a search engine.
- Do not respond to emails requesting personal information. Reputable businesses and public agencies will not ask you for personal information in an email.
Are there other resources I can use to learn more about phishing?
To avoid security problems, please keep your web browser up to date. For more information about "phishing," go to OnGuard Online.