VA Login, ID.me, and Identity Theft Scams Targeting Senior Veterans

Almost every VA benefit a senior veteran receives now flows through a digital identity — a VA.gov account, a Login.gov account, or an ID.me account. Scammers know this. They have built an entire industry around stealing those credentials, redirecting direct deposits, and hijacking benefit payments before the veteran notices. In November 2025, an Oceanside Marine veteran in San Diego County lost nearly $35,000 to a scam that began with a single phone call. In December 2025, a Tulsa woman was sentenced in federal court for stealing the identity of a disabled Army veteran. These are not rare incidents. They are a daily occurrence with a predictable pattern.

Already been targeted? If you think someone has stolen your VA login, changed your direct deposit, or accessed your VA account, call the VA Benefits Hotline at 1-800-827-1000 right now, then call your bank. Read our First 24 Hours After Being Scammed Emergency Guide for the full recovery sequence.

Not sure what a term means? Our Scam & Cybersecurity Glossary explains 77 common scam and cybersecurity terms in plain English, including phishing, smishing, vishing, MFA, and credential harvesting.

How VA Login Theft Actually Works

A VA login theft is a chain. The scammer needs to get from “I have nothing” to “I have your VA account, your direct deposit, and your monthly payment.” Almost every successful theft follows the same five steps.

1. Initial contact. A phishing email, a smishing text, a vishing call, a fake VA.gov pop-up, or a fake search-result ad. The message claims your account needs verification, your benefits are pending, or there is a security issue you must resolve.
2. Credential harvesting. The veteran is sent to a fake login page that looks exactly like VA.gov, Login.gov, or ID.me. Whatever the veteran types into that page is captured by the scammer.
3. Account takeover. The scammer logs into the real VA.gov account using the stolen credentials. If multi-factor authentication is enabled and the veteran approves a fake “verification code” the scammer also wins. If MFA is not enabled, the scammer wins immediately.
4. Direct deposit change. Inside the VA account, the scammer changes the direct deposit destination to an account or prepaid debit card the scammer controls. The next monthly payment lands in the wrong account.
5. Cash-out. The scammer moves the money out of the receiving account within hours — often through cryptocurrency, money mules, or wire transfers to international accounts. Recovery becomes very difficult.

Once you understand the chain, you understand where to break it. The strongest break is at step 2: never type your VA.gov, Login.gov, or ID.me password into any page you reached from a link in an email, text, search ad, or pop-up. Always type the address into your browser by hand.

The Most Common VA Login Phishing Tactics

1. The “Account Verification” Email

A professional-looking email arrives, appearing to come from VA.gov, ID.me, or Login.gov. The subject line is alarming: “URGENT: Your benefits account requires verification within 24 hours.” The body of the message claims that a recent login attempt was suspicious, that benefits will be suspended, or that a new federal policy requires re-verification. A button or link leads to a fake login page.

The real VA does not threaten to suspend benefits over a 24-hour verification window. Real account-security messages from VA.gov do not include login buttons — they direct you to log in by going to VA.gov directly.

2. The Smishing Text

A short text claims: “VA: Your benefits payment is on hold. Confirm your identity here: [shortened link].” Shortened links hide the real destination. The link points to a fake login page, sometimes hosted on a domain that includes “va” or “veterans” in the URL but is not actually VA.gov.

VA does send legitimate text messages, but those messages will never ask you to log in through a link in the text itself.

3. The Vishing Phone Call

Caller ID may show “U.S. Department of Veterans Affairs” or a VA hotline number — both of which can be easily spoofed. The caller claims to be from the VA, the VA OIG, the Treasury Department, or “the federal payment integrity office.” They say your account has been flagged for fraud and they need to “verify your identity” by reading back your Social Security number, your VA file number, your date of birth, and the security questions on your VA.gov account.

The real VA already has this information. Anyone asking you to read it back over an unsolicited phone call is a scammer, regardless of what their caller ID shows. Hang up. Call the VA Benefits Hotline at 1-800-827-1000 directly to confirm whether the VA is actually trying to reach you.

4. The Fake Search Ad

A senior veteran searches Google for “VA.gov login” or “ID.me sign in.” At the top of the results sits a sponsored ad. The ad looks official, includes a VA-style URL, and leads to a near-perfect clone of the real login page. Whatever the veteran types is captured.

Sponsored search ads have been weaponized this way for years. The defense is simple: type VA.gov into your browser by hand. Do not click search ads for government websites.

5. The Fake VA Pop-Up

A pop-up appears while the veteran is browsing the web. It claims to be from the VA, the Treasury, or “Federal Security.” It urges the veteran to call a phone number or click a button to “secure” their account. Calling the number connects the veteran to a vishing operator who walks them through the same identity-harvest script.

No legitimate government agency communicates through a pop-up on a third-party website. Close the browser tab and ignore the message. If you are worried, open a new browser window and go to VA.gov directly.

The Payment Redirect Attack

Once a scammer has access to a VA.gov account, the single most damaging action is changing the direct deposit destination. The VA pays compensation, pension, and other benefits by direct deposit to the bank account on file. If the destination changes the day before the monthly payment runs, the next benefit goes to the scammer.

Three early warning signs indicate a payment redirect may have happened:

• A monthly VA payment is missing or arrives in the wrong amount.
• A bank or prepaid-card statement shows an account you do not recognize tied to your VA benefits.
• A confirmation letter or email arrives from the VA describing a change to your direct deposit that you did not authorize.

If you see any of these signs, contact VA immediately at 1-800-827-1000. The faster you act, the higher the chance VA can stop the next payment and the FBI’s Recovery Asset Team can attempt to freeze a recent transfer.

Senior-Safe Login Checklist

Print this checklist and tape it near the device the veteran uses to log into VA accounts. Every item prevents a category of attack.

1. Type VA.gov, Login.gov, or ID.me into the browser by hand. Never click a login link from an email, text, search ad, or pop-up.
2. Enable multi-factor authentication (MFA). Use the authenticator app option if available, not SMS, because SIM-swap attacks can intercept SMS codes.
3. Use a strong, unique password for VA.gov, Login.gov, and ID.me — not the same password used anywhere else.
4. Never share your password with anyone, including a “VA agent” on the phone. The VA does not ask for your password. Ever.
5. Never read back security-question answers over the phone to an unsolicited caller.
6. Check your direct deposit destination monthly. Log in, confirm the last four of the account number, confirm the routing number.
7. Watch for unfamiliar VA emails, letters, or texts about changes to your account. Real changes to your direct deposit, address, or phone number trigger a confirmation. If you receive a confirmation for a change you did not make, that is a red flag.
8. Use a recent, updated browser on a device that runs current security updates. Many phishing attacks rely on outdated software.
9. If you live alone, designate a trusted family member as a co-reviewer once a month. Two pairs of eyes catch what one misses.

Multi-Factor Authentication: What It Is and Why It Matters

Multi-factor authentication (MFA), sometimes called two-factor authentication or 2FA, is the single most effective defense against VA login theft. With MFA enabled, even a scammer who has your password cannot log in without a second code that only you have.

MFA codes come in three main forms:

• Authenticator app codes (Google Authenticator, Microsoft Authenticator, or similar). These rotate every 30 seconds and are the most secure option.
• SMS text codes. Less secure because SIM-swap attacks can hijack a phone number, but better than no MFA.
• Hardware security keys. Most secure, but the most complex to set up. Optional unless you have specific reasons to use one.

Login.gov and ID.me both support MFA. If you have not enabled it on your VA.gov-linked account, do so today. The setup takes about five minutes and is described inside your Login.gov or ID.me security settings.

What To Do in the First Hour After Suspected VA Login Theft

If you believe a scammer has obtained your VA login, your direct deposit information, or your full Social Security number, the first sixty minutes matter. Run this list in order:

1. Call your bank. Have them flag your account, freeze pending transfers, and set up enhanced verification on any future changes.
2. Call the VA Benefits Hotline at 1-800-827-1000. Report the suspected compromise. Ask the VA to flag your account, hold pending direct deposit changes, and review recent activity.
3. Change your password on VA.gov, Login.gov, and ID.me. Use a long, unique passphrase.
4. Enable MFA on any account where it is not already on. If MFA was already on and the scammer still got through, you may have approved a fake verification code — disable that MFA method and switch to an authenticator app.
5. Save screenshots of every suspicious email, text, or web page. These are evidence.
6. File an IC3 complaint at ic3.gov.
7. Report to VSAFE at 833-38V-SAFE (833-388-7233) or vsafe.gov.
8. Consider a credit freeze at all three credit bureaus (Equifax, Experian, TransUnion). Freezes are free and block new accounts from being opened in your name.
9. Notify a trusted family member or caregiver. They can help monitor accounts in the days that follow.

For Families and Caregivers

If you assist an aging parent or grandparent who is a veteran, three quiet habits prevent most VA login theft:

• Once a month, log in together. Confirm the direct deposit destination still matches the bank account you both expect. Confirm there are no new email addresses or phone numbers on the account.
• Ask the bank to add you as a trusted contact. Banks can call you if they see an unusual transfer or an unexpected change.
• Talk openly about phishing. Shame is the most effective tool scammers have. A veteran who knows the family will not judge them is far more likely to ask for help before money moves.

Related Pages

• Senior Veterans Scam Protection Hub — start here for an overview of all veteran-targeted scams.
• VA Benefits Scams: Claims Predators & PACT Act Fraud — fee scams, pension poaching, PACT Act phishing.
• VA Health Care and Medicare Fraud — billing fraud, fake DME, EOB review.
• Government Impersonation Scams Against Seniors — fake IRS, SSA, Medicare, and law enforcement impersonation.
• First 24 Hours After Being Scammed Emergency Guide — the full recovery sequence if money has already moved.

Help Us Protect Other Senior Veterans

Have you or someone you love been targeted by a scam aimed at veterans? Sharing your experience can save another veteran or surviving spouse from the same trap. We publish stories anonymously and remove any details that could identify you. Share your story here.

If you are unsure where to report a scam, our Report an Online Scam page lists the correct federal, state, and VA-specific reporting channels in one place.

Not sure what a term means? Our Scam & Cybersecurity Glossary explains common scam and cybersecurity terms in plain English.