How To Spot & Protect Yourself From Mail-Borne Threats

Close-up of hands with mail

MP recently caught up with Will Plummer, Chief Security Officer at RaySecur. Plummer joined RaySecur after retiring with 25 years under his belt in the Army’s Explosive Ordnance Disposal (EOD) field. Most of his career, including now with RaySecur, has been focused on security and more directly threat mitigation planning, its facilitation, or the execution phase. 

MP: What’s RaySecur? 

WP: RaySecur is a Boston-based tech company that is disrupting the ability to “see inside” of everyday items using safe radio waves and artificial intelligence (AI). Think X-ray-like vision but without any harmful X-rays. Our flagship product, MailSecur, is a desktop scanner that looks much like a copier or printer but allows anyone to hold an item on the scanning deck and see what’s inside in real-time and 3D.  

Our imaging systems address a critical and obvious gap in physical security – specifically mail, packages, and other deliveries moving in and out of buildings. Today all corporate and government facilities implement multiple layers of security and access controls for people entering a facility. The same is true of digital traffic, including data and email, which is scanned for cyber threats. Yet physical items, including mail and packages, are delivered right to their intended recipients without any security scanning in most cases, and that’s a huge risk.

In addition to cutting-edge scanning technologies, we have a team of former military threat experts and federal agents that makes implementing these systems seamless by supporting our customers to develop enterprise-wide security procedures and providing 24/7 remote second opinions when suspect items are identified. Today our systems are deployed across the globe with customers ranging from some of the world’s biggest companies to governments and even heads of state to secure their facilities and keep their people safe.

Mail-borne threats are generally thought of as being sent to well-known public figures. Are mail-borne threats to everyday people and businesses common? 

Unfortunately, yes, it’s common for both Individuals and companies to receive mail-borne threats.  Every day, we see a low-profile person or facility receive a mailed threat. White powder letters, for example, successfully affect change—whether it’s a lawyer who represents a locally controversial individual or the recent example of a powder letter delivered to Senator Rand Paul’s home. Because of the anthrax letters of 2001, and ricin targeting every President since 2003, a small amount of benign powder mandates the same response as a real threat.  

Companies and corporations have it worse as they are harder to protect: the company and the individuals within it are both possible targets. In today’s world, small companies are dipping into highly publicized arenas and unfortunately are therefore often seen as controversial. If something progressive is being done, you can bet there is someone upset about it. A great example is the Unabomber. Ted Kaczynski, with a Ph.D. in mathematics, saw technology as the downfall of society. His answer was to mail bombs to his targets, who were mostly unknown to the public, between 1978 and 1995, until his capture in 1996.

What are some of the most common mail-borne threats and how can someone spot them without a RaySecur or another type of scanner?

Hoaxes meant to incite fear are up there, numbers-wise, as are threatening or intimidating letters. Historically, there are some common traits that mail threats share which can be useful for flagging potentially suspect items. They may have odd markings and spelling mistakes on the package or letter. Excess postage is another common indicator because they want to ensure that it is going to be delivered. Aggressive notes on the outside, bold block writing to disguise the author, and cancelation marks from locations other than the return address are additional indications of a suspicious item.  

Illegal items such as drugs are frequent in occurrence as well. Identifying features are there intentionally to make the package stand out. Markings that help the person looking for it in a pile of other packages also make it easier for screening. Out of place return addresses or locations that don’t exist within the organization. It depends on the organization on how hard they look. But drugs, for example, are shipped every day.  

Despite these external indications, mail threats continue to remain a big problem because many do not exhibit these characteristics and go undetected by even the most sophisticated security screening systems today. The white powder letter received by Dr. Anthony Fauci as head of the U.S. Coronavirus Task Force, despite receiving round the clock Secret Service protection, is just one example of how these threats continue to evade even the most advanced security teams today.

What’re three mail-borne threat statistics you can share?

According to the U.S. Postal Inspection Service, on average, two dozen incidents occur each day affecting everyone from the private individual to global corporations. These are only what is responded to or reported. Overall, we in the security space have no idea how many legitimate mail threats are out there because most go unreported.

95% of suspect packages in the mail were small, and many of those were small enough to fit inside the blue collection boxes—less than half an inch thick and weighing less than 10 ounces. 

42% of those threats were white powders, mandating a hazmat response. Planning for those events with contamination control and a focus on keeping people safe is the key to success.  

What should someone do if they’re suspicious of an envelope or package?

The biggest task besides the obvious physical security aspect is to gather information. Most often, missed information drives false positives which cost time and hurt brand PR. Simply getting accurate info from the “To” and “From,” along with a picture of the package can reduce many of the evacuations and calls out for first responders. This information gives the security team a chance to do some research and figure out what the situation is.  

What’re some of the main threats that are emerging in 2021?

White powder threats have skyrocketed in 2021 and are even tied closely to distinct events. For instance, since January 6th at the Capitol, all involved have picked a side. This leaves courthouses, judges, and lawyers caught in the middle. It’s just a cheap and effective way to shut down a facility and get attention.

Intimidation and racial threats have risen as well in 2021. People are reacting with a lot of hate toward those they don’t agree with. Political leaders are getting death threats at their homes as well as in their offices in higher numbers. The NAACP is always a target, but locations like the DuSable African American History Museum, Jewish Community Centers, and Asian-owned businesses have been inundated with hate mail loaded with racist language.

What’s the new last mile problem, why is it important, and how can people protect themselves?

The last mile threat exists because of the way the world of logistics has evolved. Outsourcing the delivery from the distribution center to the final point of delivery lowers cost, increases overall throughput, and decreases time for each required delivery. However, the byproduct is that a delivery person may not be affiliated with any known, trustworthy shipping company. Every day, these delivery contractors drop packages onto front porches from their personal vehicle, often at the end of the day. 

As these delivery methods become more of the norm, we are allowing possible threats deeper into our rings of security. Consumers pick up and accept items from their front porch or a delivery driver, assuming it is legitimate. That can cause problems. A person intending harm can simply prey upon those feelings of trust.

Protecting yourself from last-mile threats means being proactive on security. Know your expected deliveries, verify who people are and what company they work for before allowing them to leave, and bring a healthy dose of skepticism to these situations. Last-mile threats prey on human nature. With that understanding, acting a little more rigid and with harder responses makes you less likely to be a target.

How common are mail-based scams, what’re some ways they can be spotted, and what should you do if you think you’re being scammed?

Very common and unfortunately, as the world leans more toward online shopping, they are making a comeback. Fantastic examples are the seeds from China that were a worldwide phenomenon in 2020 and Canada’s rash of white powder and extorsion attempts earlier this year for bitcoin. These happen worldwide and they are only as good as the individual that invented them.

Spotting them is sometimes a difficult task, but with a little research it’s pretty easy to find out the whole story. First, if it’s too good to be true it’s most likely not real. If it’s a threat of some sort, look for official addresses or agencies. Second, if you still want to look into it, do step two and research it online.  You are most likely not the first person to see this and with that it’s been reported. If there is still concern, report it. If funds have been exchanged, check your cards and your credit report. Most of these scams are just trying to get to your digital footprint through other means.  

Is there anything else you would like to share?

Simply stated, regardless of whether it’s home or office mail: screen it. Even the most minimal screening efforts can significantly increase security. Looking for threats means you are paying attention to the process. This is where most of the threats are caught. Second, with the increase of insider threats, actively announcing screening efforts and alerting employees just increases overall security. 

Learn more by reading RaySecur’s Dangerous Mail Report.