Skip to main content

Are Postal Mail-Holds Used for Fraud?

Mailman/blogger Mel Carriere is not an identity thief, though he played one on the Internet. In his spare time, he hacks his own accounts.

Could your mailbox be the death of you?

Could your mailbox be the death of you?

Postal Yin and Yang Out of Balance

There is no doubt Internet technology has opened up a whole new world of possibilities, revolutionizing the way society conducts business. The cyber revolution has revitalized the business of the United States Postal Service as well, opening up new opportunities for revenue generation plus streamlining countless processes. Ten years ago, a postal customer could not schedule a mail pickup, could not see what was going to be in the mailbox that day, track a package in real-time, or input a change of address order from home. Most mail-related tasks still required the drudgery of filling out a form at the post office.

The online overhaul of the past few years has made life and work easier for both postal customers and employees. However, as we have seen with the explosion of Internet technology in countless other industries, the supernova of positive change creates a sinister shadow. The good and the bad orbit each other in a Yin and Yang figure that is not a symbol of balance but more the image of a wheel threatening to go off the rails. For every technological benefit that clever, benevolent minds can implement, some equally clever but malevolent, twisted brain will figure out how to use it toward an evil end.

Financial institutions get hacked, social media giants get hacked, everybody gets hacked these days. Bank account passwords, social security numbers, etc., are laid bare there before the evil eyes of thieves, who run with an innocent stranger's identity to skim funds or take out loans. In the past, this illicit procurement of personal information did not require a sophisticated knowledge of computer programming. Every letter carrier has stood before a neighborhood delivery and collection unit rendered into a useless metal box, its gaping, demolished door flapping back and forth in the breeze, a testament to the fact that identity theft only takes a crowbar and the brute force to use it. But now, with the automation of age-old postal processes, the tools to pry open the vast vault of personal data have grown more sophisticated and more effective.

This article deals primarily with the time-honored institution of the mail-hold or vacation hold as it is often known. Postal customers on their way out of town for a few days will fill out a hold request to keep their unretrieved mail from the hands of thieves or even unreliable family members. But by automating the vacation hold process to make it easier for mail recipients, has the Postal Service unwittingly boosted business for those very mail thieves it was intended to protect against?

Mail theft doesn't require a crowbar anymore

Mail theft doesn't require a crowbar anymore

Small Margin of Potential Compromise?

The current outbreak of mail-hold abuse is not the first instance where cagey criminals have subverted a postal process for nefarious purposes. The automation of the US mail has automated the pilferage of postal products in lockstep, with every new phone app and website feature to roll off the line. Mail forwarding is one such glaring example. In my own experience as a letter carrier, I have had several instances of customers complaining that their mail is being forwarded to somebody they don't know without their permission. Of course, the postal service sends out a verification letter to confirm the forward, but more often than not, these are tossed aside as junk from an unknown origin. Typically, by the time the victimized customer realizes their mail is a no-show, they are already missing several sensitive items.

37,000,000 change of address requests are filed every year. Postal spokesperson Karen Mazurkiewicz, inundated by complaints about fraudulent forwards, referred to this vast data repository in claiming that the crime constitutes a small margin of potential compromise. The fact that I have already encountered it on a few occasions, however, indicates that the problem is more common than Postal Service spokespeople are willing to admit.

Another fertile breeding ground for fraud is Informed Delivery, a process implemented a few years ago to allow postal customers to see in advance what mail will be arriving that day via an email that displays images of letters and packages. Seems like a nifty and useful function that enables one to run home and retrieve the stimulus check before the bad guys beat you to the box, but it also has an unforeseen downside.

An alert disseminated by the Secret Service warned of how thieves take advantage of Informed Delivery for ill-gotten gain. " . . . The internal alert—sent by the Secret Service on Nov. 6 to its law enforcement partners nationwide—references a recent case in Michigan in which seven people were arrested for allegedly stealing credit cards from resident mailboxes after signing up as those victims at the USPS’s Website." By enrolling for Informed Delivery at addresses that do not receive the service, these resourceful criminals were able to eliminate the guesswork and footwork of hitting every mailbox on the block. Instead, they could pinpoint their focus on residences seen on the app to be receiving credit cards or other financially sensitive instruments. In so doing, these crooks managed to rack up 400,000 dollars of fraudulent charges on their victims' accounts.

Moral of story? Prying eyes are watching you. If you don't have Informed Delivery already, get it before the thieves do so that their one-stop shopping spree does not take place in your mailbox. I have it exactly for that purpose, not so much so I can read the daily-generated message, but to keep unwanted, predatory eyes from peeping inside my mail receptacle.

What's in your mailbox?  You might not know, but if you don't have Informed Delivery, there's a chance that the mail thieves do.

What's in your mailbox? You might not know, but if you don't have Informed Delivery, there's a chance that the mail thieves do.

Law of Postal Information Systems: For Every Positive Action, An Equal and Opposite Criminal Reaction

So we see that for every action of the Postal Service to implement a useful online tool for its customers, there is an equal and opposite reaction in the underworld of the unlawful to exploit its weaknesses. And this brings us around to the Postal mail hold as a source of potential fraud. Is your ability to conveniently fill out your vacation request from home or your phone actually doing the opposite of its intended purpose by allowing larcenous lowlifes to steal your erroneously detained mail?

The anecdotal evidence I have accumulated as a USPS letter carrier makes me guess yes. Just in the past two weeks, I have encountered two false mail holds. In both cases, after a week or so of detaining delivery, the residents came into the Post Office to complain.

One of these instances involved a family member trying to halt his own correspondence, perhaps without knowing that a vacation hold stops mail for the entire household, not just an individual. The second mail hold, however, was generated by a person the homeowner didn't know. This mystery individual, who the head-scratching customer speculated may have been a friend of his roommate, even ordered several packages. I do not know what the ultimate identity of the mystery mail holder turned out to be, but both of these cases made me speculate upon how easily mail holds can be used for illicit purposes.

The first case demonstrates that a vindictive relative could easily use a mail hold as a weapon in an ongoing family feud. A disgruntled son or daughter might be looking to get even with Mom, Dad, or Grandma by holding their mail or even stealing their checks. It would certainly be possible for a person with the same last name as a check's payee to do this, particularly if they were a junior and the first and last names both matched. I am not saying this is what happened here; it was probably just an honest misunderstanding of the mail hold process, but don't tell me other people elsewhere haven't tried.

The second occurrence is more of a conundrum. Why would a legitimate friend of a roommate need to put in a hold to receive mail at his house? Couldn't he just say, "hey buddy do you mind if I have a package sent to your place?" then swing by to pick it up later? This is a common enough practice—people don't want their husbands or wives to see their birthday surprises, so they have them shipped elsewhere. But you don't need to stop your buddy's mail from doing that, which leads me to believe something sketchy was going on. The fact that the resident did not know the mail holder makes me conclude that someone in need of a physical address hijacked this house's mail for a few days, then maybe waited a little too long to pick it up at the post office.

Whatever the case, the incident exemplifies the multitude of ways a mail hold can be used for malfeasance. Don't think that your professional and amateur shysters out there have not thought about and attempted to use them. Although sticky-fingered family members and perhaps the homeless have certainly tried to abuse the mail hold, there is a high probability that identity theft is the leading reason for the tool's exploitation.

On June 24, 2020, in fact, the Postal Inspection Service in Tom's River, New Jersey, reported an investigation into fraudulent mail holds where stolen personal data was used to apply for credit cards. This very recent episode confirms the existence and seriousness of the problem and suggests that it may be the new trend among identity thieves. Could it be that mailbox marauders, deterred by the increasing difficulty of getting a victim's mail forwarded to them, are turning to loopholes in the mail hold as a workaround?

As families peacefully strolled the Tom's River boardwalk, personal data was being pilfered from their mailboxes.

As families peacefully strolled the Tom's River boardwalk, personal data was being pilfered from their mailboxes.

A Mail-Hold Experiment

It turns out that the ostrich head in the sand approach to cyber security wasn't working so well for the Postal Service. Its small margin of potential mantra wasn't really soothing customers frightened by the specter of identity theft. In response, the organization finally broke down and implemented measures designed to prevent hijacked holds. Eric Zorn, writing in the Chicago Tribune, says that in October 2019, the USPS began " . . . requiring customers to create verified accounts with usernames, passwords and personalized security questions before they can order vacation holds."

Are the new security measures effective? At the risk of putting myself on a permanent mail-hold probation, I decided to go to and try to stop my own mail with a different identity. I used my pen name, not my real one, and a phone number that did not belong to me. It distresses me to report that I succeeded in spite of the new security measures. Furthermore, the process was embarrassingly easy.

I was really hoping I would be wrong. I was really hoping that the Postal Service had nailed this down, done the digital door slam, and doused the enemy at the gates in boiling oil. But alas, they have not.

Now, don't call the cops or the Postal Inspectors. The vacation hold was placed on my own mail for my own address. Technically, I don't think you can get arrested for stealing your own stuff. Maybe I'm wrong about that, but the Postal Service is more than wrong if they think they have prevented mail hold fraud with these bush league security efforts.

To prevent possible exploitation of the mail-hold system, the USPS is now requiring the creation of an account, but I was able to create a new account with ease, at my own address.

To prevent possible exploitation of the mail-hold system, the USPS is now requiring the creation of an account, but I was able to create a new account with ease, at my own address.

Confirmation Code? Can We At Least Require a Confirmation Code?

Of course, I already had a account, so I had to get a new one. By not allowing me to create a duplicate account for my address, I could have been nipped in the bud early, but I cleared this first hurdle without even brushing my toe against the top.

From there, I moved quickly, easily, and shamelessly through the steps, feeling like a criminal mastermind. Then I arrived at the place I thought would be an insurmountable roadblock, a castle moat filled with starving, snapping alligators. Here I was going to come to a screeching halt, be given the old heave-ho, knocked dead in my tracks.

The program prompted me to input my phone number. I paused a moment to consider, before thinking that using my own number would interfere with the validity of the experiment. What if the program recognizes your phone number from your other account and lets you slide through on that basis? I thought about asking a friend if I could borrow his number for the experiment, then stopped myself, thinking he might get weirded out, believing me to be involved in some evil identity-snatching ring, which I was. So I called my oldest son instead.

His is the only phone number on the family plan that doesn't have the same prefix. He is also the only one who at least pretends to be interested in the stuff I am writing about. Still, I was rather surprised that he answered the phone, that in itself is an anomaly that bears investigation. "Hey, I'm writing an article about mail hold fraud," I told him, "and I'm going to use your phone number to set up a bogus account. You're probably going to get a confirmation code. Can you please text that to me?"

Judging by his permissive attitude, I think I could have told him I was going to pull his toenails out with a pair of pliers as an experiment. "Yeah, sure, go ahead," he said.

The reason I was expecting the application to send a confirmation code, Captain Obvious, is that everybody age six and up knows that this is what happens across the width and breadth of the Internet, every time a user tries to access an app on a new device or change a password. Microsoft, Google, Facebook, and all the big, respectable giants do it.

But not the Postal Service. Simply by inputting my son's number, I got through. I cannot guess why the process even required a phone number if it wasn't going to be used for security verification purposes. It was like the Postal software development squad was saying, "Hey, the other guys use a phone number, and it sounds cool; let's do it too," without considering the rationale behind the move. Really, it was as if a bunch of apes was sitting around a dark screen to mimic human TV-watching behavior, without any among them thinking to turn the power button on.

I cleared all the hurdles like Edwin Moses winning Olympic gold, and was able to get through.

I cleared all the hurdles like Edwin Moses winning Olympic gold, and was able to get through.

A Few Solutions From My Tiny Postal Pinhead

But I was in. I had done it. I had successfully pole-vaulted the vaunted small margin of potential. All that was left was to set up my mail hold, which I did for the fourth of July weekend. So unless the Postal Inspectors batter down my door sometime soon or slap the cuffs on my son for using his phone number for malicious purposes, I guess my experiment was a success. Or a failure, depending on how you look at it.

Now I need to throw out the question of what you, as a vulnerable postal customer, can do to avoid getting splattered by this fertile fruit, bursting ripe on the vine for identity picking. The answer is nothing. It is entirely out of your hands and completely at the mercy of the people who control the program. Then again, perhaps you're smarter than me; maybe you have already thought of a way to protect your mail from being hijacked. If so, share it with us, because I am completely stupefied, mystified really, by how easy it was for me to set up a bogus "verified" account. If a model citizen like me could do it, I'm sure an experienced random thief could do it better.

It appears that we, the at-risk public, sit here helplessly exposed, like a rabbit on a rope in a den of wolves. But there are a few easy things the Postal Service could do to decrease the small margin of potential for mail hold fraud. I'm no cyber genius; heck I barely even understand the appropriate texting abbreviations, but some methods occurred to me almost instantly. So I'm sitting here all SMH, wondering why the software development gurus at postal HQ didn't think of them.

First of all, customers could set up their accounts to opt out of mail holds. This could also be done for Informed Delivery and address changes. Maybe opting out should be the default state, so one has to uncheck the "opt out" box before requesting any of these things. As an extra layer of security, changing the "opt out" should demand a verification code via the phone number or email listed on the account. No code, no hold, no exceptions. Additionally, the application should have to recognize a device. If a customer sets up the account by phone but wants to do the hold from a laptop, they have to go through the verification code procedure again. Pain in the ass, but it nails shut some gaping holes in the identify theft defenses.

Of course, the success of these fixes is contingent on allowing only one postal account per customer. This in itself would eliminate a lot of the vulnerabilities, though not all. I couldn't have created my bogus account had this procedure been in place, and it would have shut out most of your entry-level, minor league, not quite ready for prime-time thieves. Someone wants to do an individual forward from a residence on an account that is not registered to them? Tough titty said the kitty. Either they can get the account holder to do it or go stand in line at the PO with a driver's license and some kind of proof of residence in their flighty hands.

If my tiny postal pinhead could think up solutions to the mail-hold fraud problem, I'm sure the programming juggernauts at 1 L'Enfant Plaza could do much better.

If my tiny postal pinhead could think up solutions to the mail-hold fraud problem, I'm sure the programming juggernauts at 1 L'Enfant Plaza could do much better.

Postal Cyber Maginot Line

So I'm sitting here a little smug, me just a grunt mailman thinking of all these things without really straining my little pith-helmet-covered pinhead. I'm sure the programming geniuses at 1 L'enfant Plaza could come up with some much more sophisticated techniques if they really tried.

So let's start trying. You can't hold the rabid identity wolves back with a sign that says small margin of potential. These street-smart old dogs will pee on your sign and then turn to eat you. And you can't just implement half-ass measures and say the problem is fixed. No, you need a full moon effort, a 100 percent gluteus maximus on this problem.

In spite of its cyber vulnerabilities, the Postal Service is consistently voted the most trusted government agency. Let's start justifying that love. The thieves are running roughshod over postal customers, snatching their identities like taking candy from a baby. We're stopping the crowbar crowd by putting up new, impenetrable CBUs, tighter than Fort Knox; now, let's turn our efforts toward plugging the holes in this Maginot Line of cyber defenses. If you don't know what the Maginot Line is, look it up. It didn't work either.


Mel Carriere (author) from Snowbound and down in Northern Colorado on July 19, 2020:

Mills, I'm not so brash to claim that I've never made a misdelivery, but I do try hard not to, and I always work to improve. The difference between us postal types and other delivery services is that we visit all of our customers every day, and that tends to keep us honest. That dump and run Amazon driver might not be at your place again ever again, he might be delivering other neighborhoods tomorrow, so what does he care? On the other hand, a good letter carrier takes ownership of his customers, and they of him. It's a centuries old institution that would be a shame to lose.

I really appreciate you dropping in and taking the time to read.

Pat Mills from East Chicago, Indiana on July 18, 2020:

With an account like this, I don't wonder that some people are tentative about doing anything on the internet. Even without cyber concerns, I still deal with an inept delivery service from time to time. I recently had the experience that this parcel carrier delivered packages to both my work and my home on the same day, In both cases, the carrier delivered the parcel to the wrong address. Since I live in the city where I work, I suspect the same knucklehead was responsible for both errors. In both cases, the driver just dumped the packages and left. In your case, I hope the USPS can counter the moves of the fraudsters as best they can. Thanks for this and all your insights regarding your employer.

Mel Carriere (author) from Snowbound and down in Northern Colorado on July 15, 2020:

Linda, unfortunately these criminals prey on people no matter where they live. I hope you are staying safe up there and keeping the crooks out of your mailbox. I appreciate you dropping in.

Linda Crampton from British Columbia, Canada on July 14, 2020:

This is an interesting article, Mel. Thank you for sharing the information and the details of your experiment. The results of the experiment are quite concerning. You've made me wonder about the situation where I live.

Eric Dierker from Spring Valley, CA. U.S.A. on July 14, 2020:

Hmm, how did my wife know that and not me? Oh well, nothing new.

Mel Carriere (author) from Snowbound and down in Northern Colorado on July 14, 2020:

No Eric, probably your little mail cutie is on vacation or she's got the Covid and they're splitting up her route. I have to go do bits and pieces of other routes every day too, and I get that same question out there that you just asked. I hope it gets better for you but it could be the new normal.

Mel Carriere (author) from Snowbound and down in Northern Colorado on July 14, 2020:

Thank you Road Monkey. The problem is not so much lack of money as lack of testing, which could be because of lack of money when you think about it. Whenever they roll out a new feature, they need to get a roomful of ex-cons together to try and hack it, then fix the weak points. But the bureaucratic inertia of this place will never allow that to happen. I appreciate you dropping in.

Eric Dierker from Spring Valley, CA. U.S.A. on July 14, 2020:

I wonder what the deal is that my mail is now delivered around 7pm. Do they have a hold on it until they can X-Ray it? What is a 4 hour hold all about?

Mel Carriere (author) from Snowbound and down in Northern Colorado on July 14, 2020:

John, I was shocked by how easy it was, and embarrassed too. I work for this company, and this is a serious black eye. I appreciate you dropping in.

Mel Carriere (author) from Snowbound and down in Northern Colorado on July 14, 2020:

Pamela, you might want to set up one of those accounts just to keep the crooks from seeing what is in your mailbox. I hope you are doing well and your mail stays safe too. Thanks for dropping in.

Mel Carriere (author) from Snowbound and down in Northern Colorado on July 14, 2020:

Bill, if we could just redirect the ingenuity of these enterprising crooks into something good they could still make lots of money without preying upon us. But maybe the thrill of crime is a drug to these people. I appreciate you dropping in.

Mel Carriere (author) from Snowbound and down in Northern Colorado on July 14, 2020:

Thank you Davika, yes these people are everywhere and serious measures are needed to stop them. I appreciate you dropping in.

RoadMonkey on July 13, 2020:

I would bet money, or the lack of it, is at the bottom of this half-hearted response by the postal service. Crowbars should not be of much use in the UK, as post is delivered direct to the customer's door and posted through a lettterbox. Most people do not have a mailbox at the end of their drive. But for all I know, we may have some equally poor online services. I certainly hope not. They should be asking you to act as a consultant.

John Hansen from Australia (Gondwana Land) on July 13, 2020:

There is much cause for concern here. I guess nothing is sacred as far as identity theft and mail theft Is concerned. I am shocked by your experiment and how easy it was cheat the security system. Thank you for sharing,

Pamela Oglesby from Sunny Florida on July 13, 2020:

I have never had an USPS account to hold my mail and I guess it is fortunate that i have never had any mail stolen. This was a very interesing article, Mel.

Bill Holland from Olympia, WA on July 13, 2020:

It's amazing to me that there are people among us who do nothing else than dream up ways to beat a system and steal money and valuables from it. What a bizarre way to live a life, stealing from others.


Carry on, my friend!

Devika Primić from Dubrovnik, Croatia on July 13, 2020:

I am sure you would get those types tampering in the mail. However, I do get mail and so far haven't had anyone do that. Certain things do apply and certain people think they can get away with that. A code in order would prevent it.

Mel Carriere (author) from Snowbound and down in Northern Colorado on July 12, 2020:

You're a real fossil writing those letters of yours. You belong in a museum. My route is full of old farts, maintaining the pulse of the postal service with their silly letters. If the air conditioner is giving you the chills go walk around the swap meet for a bit, you'll get over it.

Eric Dierker from Spring Valley, CA. U.S.A. on July 12, 2020:

Mel, I still write letters and have the occasional odd thing that requires an original signature. So the close pin works well around here.

Speaking of heat -- the swap meet is apparently essential in 100 degree heat? Go figure.

Mel Carriere (author) from Snowbound and down in Northern Colorado on July 12, 2020:

Eric, one of the things that worried me when I hit the Publish button was that this article might fall into the wrong hands, like those of mischievous 10 year olds. Good thing yours has solid family values. But this is info that needs to get out, to embarrass the postal powers that be.

Yeah, mail theft virtual and physical carries eternal consequences. There is no return to sender from mail hell. Good thing you discouraged that sketchy with a little tough love. Maybe you scared him straight, and he is now a preacher man like you.

Speaking of bad guys sneaking up on me while I am reading, some dude a few weeks ago, dirty and shirtless, walked up to me in my mail truck and asked if I had any meth. Fancy that, a 230 pound 56 year old meth head. I told him I was fresh out. I keep the doors locked.

Keep it chill over there in the Sprung Valley.

Eric Dierker from Spring Valley, CA. U.S.A. on July 12, 2020:

I had a mail thief once. After our chat he moved down the street, ok he limped down the street.

For some reason messing with mail is one of those really really bad Karma deals. God carts you off to a mail hell. Even before it is delivered it is quite personal to me. Yes I know that is weird with grocery store flyers.

All of this seems rather to intricate for me. I would just sneak up on that fancy jeep deal while the letter carriere was engrossed in a book and steal his vehicle. Of course he could leave. Didn't it work well with stage coaches for 50 years?

Is there a "spam" blocker for the Mail?

This article is a bit scary as it became obvious that my ten year old could beat this system.

Mel Carriere (author) from Snowbound and down in Northern Colorado on July 12, 2020:

Learn Things, I have learned that just because you have a USPS account doesn't prevent someone else from doing another one for your house. The Post Office doesn't send you a confirmation for account setup, they only do that for a mail forward, but most people just ignore them. My advice is not to ignore mail from the Post Office. Anyhow, a confirmation letter for account setup would be another really good idea.

Yeah, I really don't get it when people leave their outgoing mail exposed on a clothespin, hanging in the air for everybody to grab. It hearkens to an era when people were more trusting because they could be, but as we see with this check washing, that time is long past.

I really appreciate you dropping by.

LT Wright from California on July 12, 2020:

I have a USPS account for mail holds and missing mail. It hadn't occurred to me that anyone could set up an account by using my address, and I don't ever recall getting a letter to inform me that an online account had been set up. Ideally, they should send a code by mail. An online account should only be activated when the customer enters that code.

Also, I just learned about check washing recently. Thieves look through personal mailboxes and if something looks like a personal check, they'll steal it and alter it. To lessen the risk, checks should either be mailed directly at the post office or in a secure locked mailbox.