Protecting your business from mail-borne threats

Oct. 13, 2022

We all know how important it is today to protect a company’s infrastructure against cyberattacks. However, the amount of attention and resources that corporations devote to digital security has sometimes overshadowed a critical aspect of physical security, notably in the company mailroom.

Packages and other pieces of mail have increasingly become tools for various forms of attacks, designed to inflict tremendous physical or digital harm and disruption to individuals and businesses.

During the height of the COVID-19 pandemic in 2020, Dr. Anthony Fauci, director of the U.S. Institute of Allergy and Infectious Diseases, opened a mailed letter that contained a white powder. Though the powder turned out to be harmless, Fauci acknowledged that he almost certainly would have been killed if the envelope had instead contained a lethal substance such as ricin.

The danger continues today. Supreme Court justices have recently begun to receive suspicious packages and mail threats at their places of residence.

In February of this year, the Missouri Department of Corrections had to evacuate the central office in Jefferson City after a package containing a white powder was delivered to the building. It turned out that the powder was acetaminophen, best known as the main active ingredient of Tylenol, but the incident greatly disrupted normal operations at the building.

U.S. Senator Rand Paul also received a suspicious package containing white powder last year, as did U.S. Rep. Ilhan Omar. Although white powders are some of the most common mail threats, they are just one of the many suspect and potentially harmful types of threats that can come through the mail.

This isn’t a new problem. Businesses and critical industries have been especially aware of mail-borne threats since the anthrax attacks of 2001. So why is it that in all of the incidents described above, had the powder been deadly, the response would have been too little, too late? In the eyes of aspiring attackers, these security failures signify that many large corporations are likely unprepared for mail threats. And they’re right.

Context on Overlooked Vulnerability

Mail security isn’t just a challenging concept; it’s often completely overlooked by companies that are far more aware of cyberthreats, or of the danger of an unauthorized individual coming in the front door, than they are of threats coming through the back door, i.e., the loading dock and the mailroom.

Here are some things most businesses haven’t considered with regard to physical goods and mail security.

  • First, while cyberthreats are indeed a serious concern for businesses, they don’t cause physical harm to employees. In contrast, the most dangerous types of mail-borne threats are extremely serious and can even be fatal. Explosive devices can detonate when opened or handled. Toxic substances such as ricin, anthrax, or fentanyl can prove fatal if staff members become exposed or the material is released and spread through a building’s HVAC system. Depending on the location, malicious actors might also use the mail to smuggle drugs, as often occurs in prison settings. This has contributed to accidental overdoses in correctional facilities and elsewhere. 
  • Second, even hoaxes, which are far more common than genuine threats, may still be extremely unnerving and disruptive to businesses. For example, back in 2020, Subway’s headquarters received a package containing white powder, resulting in a police, fire, and hazmat response, evacuation of the facility, and significant publicity with potential impacts to the brand. Again, the powder was harmless, but this disrupted the business and required the office to shut down for the day. 

All told, 59% of suspicious mail incidents resulted in disruption and an emergency response in 2021. An incident like that could deal a severe blow to your company’s brand, productivity and morale, not to mention potential harm to employees. 

  • Third, the growing trend for remote or hybrid work has increased the risk. With so many employees working from home in companies that allow employees to have personal deliveries shipped to the workplace, incoming packages could be left unattended for a number of days. 
  • Fourth, failing to address this critical physical security vulnerability impacts cybersecurity as well. There’s a new vector of attack through the mail in the form of physical hacking devices; for example, a miniature computer like a Raspberry Pi, or even a USB device, as the FBI recently warned. Cybercriminals can send a hacking device through the mail, which can gain access to local Wi-Fi networks once onsite; the attackers then connect to the device remotely to gain access to company networks. Alternatively, an employee might unknowingly grant access by plugging in a USB device that has been disguised to look like it came from a reputable source.

These types of Trojan horse-style attacks, called phygital attacks or “warshipping,” present a major threat to companies today, since hacking a network with direct access is considerably easier than hacking it remotely.  

With remote and hybrid work, a warshipping hacking device can sit on an employee’s desk collecting data for days or weeks before anyone even notices the intrusion. Or a disgruntled former employee can ship a package to the company with a wrong address so that the package will get returned to the sender, likely after a lengthy processing time, during which the device can do considerable harm while sitting in the building.

All in all, there are a lot of ways neglecting mail security can hurt your organization. It’s high time for companies to take notice and come up with strategies to respond.

Improving Mail Security

The good news is that the right combination of resources and procedures can significantly improve mail security. Your first step is to develop well-considered mail security policies. Start by creating a policy that prohibits staff from receiving personal mail at work. Once they understand the threat, they’ll be less likely to object.

Also, if you’re reusing packing materials in the mailroom, you should stop immediately. Since warshipping devices can be small enough to fit in between two pieces of cardboard, reusing empty packaging materials can result in an undetected warshipping device staying in your building to do extra damage. 

Next, train your employees about how to identify a suspicious package. Packages containing hazardous materials don’t always look like official pieces of mail. Signs to look for include homemade labels, odors or residues, missing return addresses, and oddly shaped packaging. 

Another effective method for identifying a suspicious package is 3D mail screening. Using a scanner, operators can quickly detect electronic devices as well as hazardous powders or liquids. 

And because these scanners use non-ionizing terahertz rays, or T-rays, they eliminate the risk of harmful X-rays. T-ray scanners are also smaller than X-ray scanners and don’t require specialized training or certification, so they are easier to implement across large businesses with many locations.

Whatever methods you use, work to create standard workflows and response plans for dealing with suspicious or hazardous packages. Once a package shows up in your mailroom, the first step should be to check for the warning signs mentioned above. If a package seems suspicious, you should have a dedicated expert you can appeal to for a closer look. 

And if the package does turn out to be something dangerous, you should have a quick and safe exit plan for employees nearby, as well as a plan to isolate any potential toxic substances so that they do not spread to surrounding areas of your business. 

If there’s one thing that’s clear after reading all this, it should be that overlooking mail vulnerabilities can cost your company dearly. Companies need to pay close attention to emerging threats to respond appropriately.

Mail Security Deserves Attention

In the coming years, mail-based attacks will continue and evolve in sophistication. But with the right procedures and resources, companies can effectively protect themselves and their employees from the most dangerous and deceptive threats. This vigilance will ultimately bring the peace of mind that comes from knowing a business is fully prepared for virtually any hazardous package that enters its doors.

All in all, just as you want to protect against vulnerabilities in your network and computer systems, you should strive to protect against mail threats. These threats can negatively impact business operations, lower morale, and damage your employees’ and clients’ faith in your company.

Will Plummer is a 25-year veteran of the U.S. Army, where he earned a Bronze Star with Valor as a Master Explosive Ordnance Disposal (EOD) technician, and commanded multiple Special Operations units with multiple combat deployments. He has an M.A. from the Naval War College and a B.A. from the University of California-Chico. Currently, Will is the chief security officer for next-generation mail screening technology provider RaySecur. He leads the company’s physical security efforts, overseeing a team of EOD professionals, and managing clients’ threat mitigation efforts.
