Con Watch: Watch Out for New Medicare Card Scams

Steve Weisman is a lawyer, college professor, author, and one of the country’s leading experts in cybersecurity, identity theft, and scams. See Steve’s other Con Watch articles.

Medicare has used Social Security numbers as Medicare ID numbers since its inception in 1965, a practice that has put recipients at increased risk of identity theft. And while federal law has prohibited using Social Security numbers as driver’s license numbers since 2005, Medicare resisted this change for many years.

In 2015, Congress finally enacted a law requiring Medicare to start using randomly generated numbers and letters for Medicare identification. This April, Medicare began sending the new cards by regular mail to all 60 million Americans enrolled in Medicare. The process, however, will not be swift. To get a little more information about your own card, you can register online to receive an email alert when your new Medicare card is in the mail.

Between April 2018 and December 31, 2019, Medicare recipients can use either their Social Security number or their new, more secure Medicare ID number. Starting in 2020, only the new Medicare ID numbers will be used.

Many people are confused about the switchover to the new cards, however, and scammers are taking advantage of the confusion. Pretending to be Medicare employees, the scammers call Medicare recipients and tell them they need to register over the phone to get their new card or risk losing benefits. They then ask for victims’ present Medicare ID number — their Social Security number — and use that information to steal their identity.

In another variation of the scam, victims are told they need to pay for the new card with a credit card or electronic bank payment. Remember: There is no charge for the new Medicare card.

If you are a Medicare recipient, you will eventually get your new card in the mail. You don’t need to do or pay anything to get your new card. If you need to update your mailing address, go online to My Social Security Account, a service of the Social Security Administration that allows you to set up a personal online account. Not only can you update your personal information, but you can also view your earnings history and estimates of benefits, manage your benefits, and set up or change direct electronic deposits.

This is a tremendously convenient service, but it also provides a great opportunity for scammers to set up My Social Security Accounts for people who have not already done so themselves and then to direct benefit checks to their own bank accounts. Even though the Social Security Administration, as part of the process for opening a My Social Security Account, requires verification of personal information by asking questions only the Social Security recipient should know, too often this information is available to a determined identity thief.

In order to improve the security of the accounts, the SSA now requires people to use dual-factor authentication to access their accounts. The authentication is a one-time code sent to either the user’s email or cellphone. But still, using an email address for dual-factor authentication may prove problematic because it is not particularly difficult for a sophisticated hacker to gain access to someone’s email account.

Just as the best defense against income tax identity theft is to file your income tax return before an identity thief does so in your name, so the best defense against the fraudulent use of your Social Security Account is for you to set one up first and protect its safety with a strong username and password. For information about signing up for a My Social Security Account, go to https://ssa.gov/myaccount/.

As a general rule, never provide your Social Security number, credit card number, or any other personal information to anyone who calls you on the phone; you can never be sure they are legitimate. Even if your caller ID indicates the call is from Medicare, the IRS, or some other legitimate organization, your caller ID can be tricked through a technique called “spoofing.” Medicare will not call you and ask for personal information. If you get a call that appears legitimate, but they’re asking for personal information, merely hang up and call the company or agency at a number that you independently know is legitimate.

If you have a question about your new Medicare card, you can call Medicare at 1-800-633-4227.