COVID-19 quickly and unexpectedly ushered in the hybrid work era, presenting newfound flexibility for workers that came with its own unique corporate security complications. One of the most significant and oft-overlooked risks is the increased potential for mail threats. 

For employees to get back to work safely, the Biden Administration proposed vaccine mandates for U.S. companies, but the Supreme Court denied this, effectively leaving the decisions to the states. Some organizations have been following their own rules and requiring employees to be vaccinated or lose their jobs, like outdoor apparel company Carhartt.

The controversy and divisiveness of these mandates made companies fear that departing employees might send illicit materials in the mail along with their work-provided gear. The standard corporate policy for winding down remote employees includes shipping a return box to ex-employees’ homes so that items can be sent back to headquarters or the closest office location.

Although mandates and mask requirements have been relaxed somewhat recently, this is an opportunity to learn from the mistakes of the past year and better prepare for the next wave of the virus and the controversies that are sure to follow.

Sadly, most companies do not meet the Department of Homeland Security (DHS) guidelines for mail security or have the right technology and standard operating procedures (SOPs) in place. Enterprises must be better prepared with a full-scale mail security program that can adapt to an increasingly porous attack surface.

The underestimated dangers of mail threats

Vaccine mandates were the most recent widespread trigger for mail threat concerns but typify the larger problem. The United States Postal Service (USPS) found that a significant portion of mail threats come from unhappy or disgruntled employees, known as insider threats. Political and social discourse gets more contentious by the day, directly impacting the risk of mail threats.

Remote or hybrid work also creates new potential mail threats. Dangerous materials can be sent to residential addresses disguised as work-related packages that could expose employees and their families. 

Companies need to view mail threats as disruptive and potentially harmful to people and businesses, regardless of whether they are real or hoaxes. Even if the mail threat is a hoax, it can lead to business interruption, as seen recently in the Apple HQ shutdown.

Subway Restaurants headquarters in Milford, Connecticut, also received a fake powder threat that led to a shutdown and investigation, which local police and company executives believed to be sent by a recently laid-off employee. 

Beyond physical threats, mail can also be used for a form of corporate espionage or cyber threat called warshipping. It is a Trojan horse-style attack in which a bad actor mails a package containing a small, rigged Raspberry Pi device capable of scanning Wi-Fi networks and downloading data while the package sits unopened and unscreened in a facility. The device is as small as a business card and can be easily concealed between two pieces of cardboard.

IBM’s white hat hacking team, X-Force Red, first publicized this kind of attack in 2019, but it has been around for much longer. More conventional “phygital” threats, which exploit both physical and cybersecurity vulnerabilities, include USB drives rigged with malware, the most recent being a spate of threats the FBI warned about in January 2022.

Despite their severity, mail threats have historically been overlooked since they are often under-reported. Because of this, most companies often do not support mail security procedures that meet the DHS standard of care.

Yet, the USPIS Dangerous Mail Investigations (DMI) Unit responds to 10 dangerous mail incidents every day, on average. Collectively, the ATF and USPIS have analyzed over 262K suspicious mail items and 6.3K reported mail incidents in their latest reported 2020 data. It’s clear organizations must develop a more rigid mail scanning process to not only better protect against the threat itself but also to limit potential liability resulting from lax security practices.

Developing a resilient mail security standard operating procedure (SOP)

While every business is different, there are fundamentals of a mail security program that every organization should adopt:

●    A mailroom security policy statement: Clearly outlined rules for safely scanning mail.

●    Global mail security and suspicious item screening processes: Document standardized mail screening processes and train internal teams on them, including the proper handling of items, the use of technology screening tools, and the right chain of command.

●    Emergency response plan: Outline each action the individual scanning items should take if an illicit substance or dangerous item, real or perceived, is discovered.

●    Scalable mail threat detection: The solution must cover all offices and entry points, not just the headquarters, which is more typical.

●    Establish site-specific rules: The location’s risk profile, facility layout and other unique requirements can impact an SOP. Potential examples of how rules may vary include where incoming mail is being inspected (onsite or separate location), other security measures beyond mail, the activities occurring on site (e.g., manufacturing, management, etc.), and much more.

It’s important to consider the technology used for mail threat detection. Common mail screening technology, like X-ray, does not properly detect the nine types of mail threats identified by the DHS: explosives, illicit items, contraband, powders, liquids, chemicals, biological, radiological, nuclear, and hoaxes, among others. According to RaySecur’s annual report, most threats are small and contain powders or other potential chemical or biological threats or hoaxes which are not detected by X-ray.

One of the most shocking examples of this is when Dr. Fauci chronicled his traumatic incident involving a white powder threat in a NY Times interview. If it can happen to one of the most contentious individuals during the pandemic with all the security and resources available to him, it can happen to any person or organization. 

Enterprises need to consider and implement mail security for all sites, given that the political, economic and social climates are unpredictable and constantly evolving. The concern over mail threats stemming from the vaccine mandates is only the beginning of the increased risk management concerns associated with remote/hybrid work and the potential legal implications of not having a mail security program up to the standards of the Department of Homeland Security (DHS).

This article originally ran in Security, a twice-monthly security-focused eNewsletter for security end users, brought to you by Security magazine.