For the past two decades, Liz Birenbaum’s 88-year-old mother, Marge, has received her Social Security check on the second Wednesday of each month. It’s her sole source of income, which pays for her room at a long-term care center, where she landed last October after having a stroke.

When the deposit didn’t arrive in January, they logged into Marge’s Social Security account, where they found some startling clues: the last four digits of a bank account number that didn’t match her own, at a bank they didn’t recognize.

“Someone had gotten in,” said Ms. Birenbaum, of Chappaqua, N.Y. “Then I hit a panic button.”

It quickly became evident that a fraudster had redirected the $2,452 benefit to an unknown Citibank account. Marge, who lives in Minnesota, had never banked there. (Ms. Birenbaum requested to refer to her mother by her first name only to protect her from future fraud.)

Ms. Birenbaum immediately started making calls to set things right. When she finally connected with a Social Security representative from a local office in a Bloomington, Minn., the rep casually mentioned that this happens “all the time.”

“I was stunned,” Ms. Birenbaum said.

Social Security-related scams, overall, are pervasive — fraudsters pose as employees to try to extract both money and valuable identifying details from people in a variety of evolving schemes. But this particular fraud — where criminals use stolen personal information to break into online Social Security accounts or create new ones, and divert benefits elsewhere — has plagued people for a more than a decade.