PROVO — We’ve been hearing a lot about the growing problem of porch pirates stealing packages.
In fact, a recent analysis of State Farm data ranks Salt Lake City second in the nation for the most stolen packages during the holidays. Now, cyber security experts warn thieves are using a new tool from the U.S. Postal Service to get a leg up on stealing mail and identities.
How informed delivery works
Last year, the postal service rolled out Informed Delivery, a free service that sends us photos of the day’s mail before it is delivered. Automated machines scan the images as the mail gets sorted before delivery.
Robert Jorgensen is one of the 13 million Americans who use Informed Delivery, and he loves it.
“So, it shows you the letters and then it also will say if there is a package,” Jorgensen described. “It’s a great way to see what is coming to your mail, know what you’re expected. And also, you know whether it’s worth walking out to the mailbox.”
How crooks exploit informed delivery
It turns out the bad guys are signing up for other people’s Informed Delivery accounts so they can monitor mailboxes for valuable mail. They can apply for a credit card in your name and then use the service to find out when the card has been delivered so they can swipe it before you have a chance to get the mail.
Michigan authorities recently arrested seven people accused of using Informed Delivery in their scheme to rack up nearly $400,000 in fraudulent credit card charges. Investigators in Florida said crooks signed up several people in the same Orlando neighborhood for the service to intercept packages and commit identity theft.
The risk from data breaches and social media
“It feels like a really strong violation of, you know, you feel violated and it’s frustrating,” explained Ben Hutchins of Lindon, Utah.
To be clear, Hutchins does not believe identity thieves hijacked his Informed Delivery account. However, someone did open several fraudulent credit cards in his name and came close to draining a bank account.
“I actually am pretty positive that my identity was compromised during the Equifax breach,” said Hutchins. “You have to assume that your information has been stolen. It’s out there somewhere. Most people’s information is out there. It’s a question of when, not if, in terms of having their information being used against them.”
The information leaked from data breaches like Equifax and others can be enough for scammers to sign you up for Informed Delivery.
You do not need a lot to set up an Informed Delivery account: name, address and email. But, you are asked to confirm online that you really are who you say you are.
To do that, you will answer four multiple choice questions that could involve a previous address, a previous job, and old phone number, where you went to school and the like.
Jorgensen, who directs Utah Valley University’s cybersecurity program, said these are knowledge-based authentication (KBA) questions. The flaw with KBA questions is the answers are typically found through data brokers, social media and information leaked in data breaches.
“There are sites that have directory information. There are sites that have credit information. There’s tax records, there’s voting records. All of those sort of things have this information out there and a lot of it is indexed by Google,” Jorgensen explained. “That information is being sold on the dark web and people can use that as well.”
How to protect your mail and identity
So, how can we protect ourselves? Jorgensen says start by beating the bad guys to the punch.
“It’s (Informed Delivery) not hacked and you should sign up for it,” elaborated Jorgensen. “Sign up first. This is one of those situations where the first person who signs up with that name at that address is the one that gets the account registered and controls it.”
Also, sign up your spouse, roommate or any adult in your home so their identities can be protected, too.
If you do not want to use Informed Delivery, another option is to opt out of it entirely with the U.S. Postal Service.
This will block someone else from signing you up.
Another way to help stop thieves is the approach Ben Hutchins has taken. He has frozen his credit.
“I regularly check my credit history now, and I have alerts set up and I’ve got credit freezes,” Hutchins said. “You typically don’t know (if someone is trying to open an account in your name) unless you’ve got some kind of alert setup or you’ve got a credit freeze.”
The USPS does mail out notices to the addresses of people who have enrolled in Informed Delivery. So, if you receive one and you have not signed up, contact the postal service immediately. A thief may have beaten you to the punch.
There is also a low-tech solution. Use a locking mailbox to help keep thieves out of your mail.
The U.S. Postal Service declined KSL’s request for an interview about their Informed Delivery system, but in a written statement the agency explained that creating a fraudulent account is illegal and punishable by law:
"Postal Service customer identities’ are not compromised by using the Informed Delivery feature. Unfortunately, in very few cases, an individual’s identity has already been compromised by a criminal who then has used it to set up an Informed Delivery account.
Customers have two options available to report a potentially fraudulent Informed Delivery account (or to block their address).
a. Report online at https://uspshelp.custhelp.com/app/ask_id. The link can also be accessed from the Informed Delivery email digest (user support) or dashboard (email support).
b. Or call Technical Support at 1-800-344-7779."