Informed Delivery, a free service of the U.S. Postal Service (USPS), emails a person scanned images of the outer envelopes of their coming day’s mail. Although it sounds convenient, scammers can also take advantage of the system and commit identity theft, among other fraud schemes, according to tech watchdog KrebsOnSecurity.
On Nov. 6, the U.S. Secret Service issued an internal alert to law enforcement partners across the nation, KrebsOnSecurity reported. The alert warned about the phenomenon of scammers abusing the Informed Delivery service.
In the alert, the Secret Service recounted a recent incident concerning arrests in Michigan in September, where seven people allegedly stole credit cards from residents’ mailboxes. The scammers had first signed up as their victims for the Informed Delivery service, and so they knew when to anticipate the mail at their victims’ residences. They then used the credit cards to purchase various items from department stores, resulting in $396,000 of fraudulent charges.
The Informed Delivery system has some 13 million users registered, USPS spokesman Albert Ruiz told Dallas News.
In early 2018, USPS began to slightly increase its security, by letting the household know via mail whenever anyone registers that household’s address to the Informed Delivery service.
“However, it appears that ID thieves have figured out ways to hijack identities and order new credit cards in victims’ names before the USPS can send their notification—possibly by waiting until the cards are already approved and ordered before signing up for Informed Delivery in the victim’s name,” KrebsOnSecurity reported.
Dave Lieber, a columnist for the Dallas News, said that USPS had introduced its service too soon.
“The post office rolled this out too soon,” he told Fox News. “They should have added two-step cellphone verification before they rolled it out.”
Chris Torraca, 58, from Grapevine, Texas, became a victim and shared his story with the Dallas News. Torraca says the thief likely bought his information after a hack occurred three years ago at the federal government’s employee database—Torraca is a retired federal bank regulator.
Torraca received a letter about his so-called new bank account, and a confirmation letter from USPS about his Informed Delivery—even though he never signed up. But it was too late when he received the USPS notice—the thief had already gotten what they wanted. That’s because the thief knew, via Informed Delivery, what day certain mail would arrive.
KrebsOnSecurity discussed various methods related to trying to overcome such a security breach. The methods include:
-Registering an account with Informed Delivery to “beat” the thieves
-Emailing the eSafe Team at USPS at [email protected] to request an opt-out of Informed Delivery
-Requesting to opt out by emailing customer service at [email protected]
However, the discussions showed that each method still appeared to leave loopholes.
For now, Torraca intends to keep a physical lock on his mailbox.
