How to stay safe against this mail scam

Last year, the United States Postal Service (USPS) deployed a service called Informed Delivery.

Here's how it works: Informed Delivery allows you to preview your mail digitally online using black-and-white images of your letter-size mail. These images are processed by the USPS sorting facilities that will be provided each morning.

To be clear, the images are scans from outside, from the label side of your mail and not from the actual content. Notifications and images will only be sent on days when the mail is processed and delivered to your home.

But now, even criminals exploit this convenience to steal your hard earned money. Read on and learn more about this alarming pattern.

Illuminated delivery scam

The security website, KrebsOnSecurity, announced that a new internal alert had recently been issued by the US Secret Service for the benefit of its law enforcement partners warning that 39, a new criminal scheme was going around the city.

It turns out that crooks are now abusing Informed Delivery to commit identity theft and credit card fraud.

By registering as victims on the USPS website for Informed Delivery, scammers can then identify their mail and steal credit cards from their mailboxes.

Not only that, but the secret service memo also said that criminals use Informed Delivery to identify potential victims of identity theft.

The Michigan Incident

To support the claim that crooks are actually abusing the USPS 'informed delivery function, the Secret Service's memo cites a recent case in Michigan, where seven people were arrested in September for stealing credit cards in mailboxes after being masked as victims on the USPS website.

Using the IDs of their victims, they then enrolled them in Informed Delivery "to identify and intercept the mail, as well as to reinforce their identity fraud schemes."

Through this scheme, the accused were able to steal about $ 400,000 of unauthorized charges on the credit cards they had requested under the name of their victims. They then used stolen credit cards to buy gift cards and other products at retail stores.

This means that informed delivery is only part of a much larger and elaborate system. Scammers probably already have all the sensitive information of their victims (name, address, social security number, etc.), which is enough to request a credit card.

Informed Delivery is just another cog in their credit card fraud system – the last step to intercept the physical credit card itself.

What do we do about it?

Earlier this year, as a result of reports of weaknesses in the informed delivery feature (which allowed scammers to register as a member of any household), the USPS introduced a new system of security to alert all households by physical mail when an employee of the home registers informed delivery.

If your address is entered in the system, a note will be sent to inform you that it is the case. If you do not remember signing up, it's a red flag and you may want to go to the post office personally to arrange everything.

Another new security measure involves a change of address. If you save a change, USPS will not automatically transfer the Informed Delivery service to the new address.

Instead, he will send a letter with a special code linked to the new address, as well as the user name of the person who requested the change. To complete the change, the code must be entered using this account itself.

This is not enough yet

However, despite these new security features, Krebs said the scammers had found a way to hijack the identity of their victims and order new credit cards under their name before the USPS could send their notifications by mail (it's a postal mail, after all).

The scammers probably understood the timing very well – they waited until credit cards were on the way before registering their victims for enlightened delivery.

For example, Krebs quoted a woman from Belle Isle, Florida, who claimed to have received a US $ 2,000 invoice for an unauthorized credit card before receiving the USPS notification stating that a person from her household was living in a home. Was registered at Informed Delivery. Well, the problem? She never signed Informed Delivery in the first place.

This means that the crooks were already receiving images from his mail while the unauthorized credit was on the way, making it a commonplace for picking.

The problem with registrations to the informed delivery

So, what is one of the glaring major weaknesses of informed delivery? Apparently, the way the USPS validates the new accounts. Registration for this feature requires only your name, address, e-mail address, and four generic security questions.

The problem? As with all security issues related to "knowledge-based authentication" (such as "What city were you born in?", "What is your mother's maiden name?", "" What is the name of your pet ", etc.), they can be easily minced or obtained via social engineering and social media services.

Another potential security and privacy loophole is that the USPS now allows advertisers to insert interactive content into their informed delivery emails. This revenue stream allows marketers to match specific advertising campaigns to your scanned email images.

And you know what that means – in addition to the risk of privacy breaches, cybercriminals can also exploit these ads to send malicious links to Informed Delivery subscribers.

Click here to read the full KrebsOnSecurity report.

How to protect yourself

Informed delivery is convenient as it allows you to check your mail before it arrives or when you are away. However, unless the USPS strengthens its validation process, crooks can find ways to exploit it for their misdeeds.

One way to protect yourself is to pre-empt the scammers themselves by signing up for Informed Delivery to claim your address immediately. This means that you will also need to register every adult resident in your address to request his identity. Hopefully this way, your account will be reported whenever someone will subscribe to the service on behalf of your address and you will be able to challenge it immediately.

If you have questions about the Informed Delivery program, you can send an email to [email protected].

Why does the plague of automated calls get worse every year?

If you are like me, you receive many spam calls every day. So, in fact, that you have the impression of receiving more spam than calls from your friends or family. It can be so frustrating to sit at a table or work and your phone starts ringing. It's just a robot that is trying to sell you insurance. In fact, they get worse every year and you can take some steps to limit their numbers. I'll show you how.

Tap or click to see how to protect yourself from automated calls.