Protecting yourself

Guard the last 4 digits of your Social Security number – they may be all ID thieves need

Karen Haywood Queen

A recent phone call I received about a financial account tested my “pay-dar” – my internal warning system for scammers out to make me pay by stealing my personal information – and taught me a new lesson about how to protect my Social Security number.

The caller identified himself as an employee at a bank where my husband and I have a mutual fund. He said he had a question about a recent transaction. Caller ID showed the name of my bank, so when he asked for my date of birth and the last four digits of my Social Security number, I started to rattle them off. But then I hesitated.

I happened to have been working on a story about identity theft, and the call set off alarm bells. I knew that fraudsters could spoof a phone number – making it appear they’re calling from a recognizable number. I also knew not to give my personal information out unless I had made the call.

I asked the caller to give me a number where I could call him back. He did, and he also gave me a case number to reference. I hung up and checked my bank statement. The phone number he gave was not listed, so I called the number on the statement and told the person who answered about the situation, including the case number my caller gave me.

Turns out the call was legitimate. A transaction regarding automatic deposits that I’d thought was completed four days earlier by phone wasn’t, in fact, done. The agent on the phone helped me finish the transaction and all was fine. It took about five minutes longer than if I had just given out my information to the caller.

Was I overly cautious or rightly concerned? The latter, says Steven Weisman, of Amherst, Massachusetts, author of “Identity Theft Alert” and writer of the blog Scamicide.

He says I was wise to withhold information from the caller and instead call a phone number I knew was connected to the account.

“Your caller ID can be spoofed so it can be made to appear legitimate,” Weisman says. “My rule of thumb is anytime anyone calls you on the phone or sends you an email and requests information, you shouldn’t give it because you can’t be sure.”

Last four can reveal more

One of the things that had made me question my suspicion was the fact that the caller had asked for my date of birth and only the last four digits of my Social Security number – not all nine digits.

My sense of security was misplaced, Weisman says.

“For most of us, the first two sets of digits deal primarily with where you were born and when you born,” he says.

He pointed me to a 2009 study by researchers at Carnegie Mellon University that showed that predicting the first five digits of a person’s Social Security number is fairly easy.

Before 2011, Social Security number assignments were based on the ZIP code of the mailing address shown on the SSN application. So, for example, the Social Security Number of someone in Virginia requesting a SSN begins with 225. The second set of numbers in a SSN is the Group Number and it ranges from 01 to 99.

Using data available from online social networks, government sources and commercial data, the Carnegie Mellon researchers found they could identify in a single attempt the first five digits for 44 percent of deceased people born between 1988 and 2003. The researchers’ percentage of success identifying all nine digits slipped to 8.5 percent in 1,000 attempts, but fraudsters have computer programs to simplify the task.

The Social Security Administration switched to random number assignment in 2011, but if a fraudster knows where your SSN was requested (which could be where you were born, the location of your first job, etc.) and the last four of your Social Security number, he’s in business.*

“If someone asks for the last four digits, you’re basically turning over the keys,” says Weisman. “If it’s a sophisticated criminal, that’s all they need.”

I gave myself a little pat on the back for ignoring the constant prompting from Facebook to complete my profile by adding where I am from.

My takeaway from the whole event: Even though this particular caller actually was who he said he was, being cautious is wise. That extra five minutes finding my statement and calling the bank was time well spent.

Getting my identity stolen would have created countless hassles and eaten up a lot more time.

* Correction: The first three numbers of a Social Security number issued prior to 2011 are based on the ZIP code of the mailing address shown on the application for a Social Security number. This blog post originally incorrectly stated that SSN assignments were based on where and when people were born. See corrections policy.

See related: 13 ways to make sure your identity is stolen, 10 warning signs of identity theft

Join the Discussion

We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, we ask that you do not disclose confidential or personal information such as your bank account numbers, social security numbers, etc. Keep in mind that anything you post may be disclosed, published, transmitted or reused.

The editorial content on is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company's business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.

  • P

    Someone called me at my part time job about a student loan. They claimed the loan had gone into collections and they were trying to collect debt. They verified my name and year of birth and rattled on about where they were calling from and even the loan name which was very unfamiliar to me (and I also do not remember what it was exactly) so I told them it was the wrong person. She then asked me to verify the address she had on file which I confirmed was definitely not me. She asked if I had ever lived there and I confirmed that I had never lived there. Then she asked if I had ever had my identity stolen to which I responded that now I was worried it did get stolen! So she asked me if I could verify the last 4 digits of my SSN. Which I did and she confirmed it was not me, she even disclosed the last 4 digits of whoever she was really calling for. So, was this a scammer?! What should I do now since I already gave them the last 4 of my social?

  • kelly85

    The author overlooked an important point about when SSNs were often historically assigned. If you’re over 30 or so, there’s a good chance you DIDN’T get your number at or shortly after birth like what is typical now. Until the late 1980s children did not need SSNs to be claimed as a dependent, and therefore one often did not obtain their SSN until it was needed for some purpose. In fact, those over 45 or so may well remember when they began working and got their SSN at that point.

    • I wasn’t born in the USA — I’m a naturalized citizen — and I’m over 45.

      • kelly85

        Obviously in a case like yours you wouldn’t get a SSN until you moved to the U.S. – but you’re right about my point applying to those born in the U.S.

  • Jose Zelaya

    What if I was born out of the country? Would I be in danger if I gave them the last four digits of my social?

  • gregronomy

    This story is written to get your heart rate up. Read the Social Security Admin’s explanation of SSN’s, you’ll rest easier.

  • Ed Gehringer

    Most braindead people are Dems. LOL