Physical Mail and the Overlooked Attack Surface
Cybersecurity investment has never been higher. Organisations are running zero trust architectures, deploying endpoint detection across every device, and monitoring network traffic in real time. Physical mail rarely appears on the threat register for most security teams, yet mail-based attack vectors are active and documented, and tend to be effective in part because they attract less scrutiny than digital channels.
How physical mail creates security exposure
Every piece of business correspondence that arrives at a company address represents a potential point of failure. The risk involves what arrives, where it arrives, who handles it, and what an attacker can do with that information or with the mail itself.
The most straightforward exposure is interception. Mail sent to a company address can be diverted before it arrives, particularly in shared building environments where post is collected communally or left accessible. Verification letters from banks, government agencies, and regulators are high-value targets. These documents contain codes, reference numbers, and authentication credentials that can be used to hijack accounts, redirect corporate communications, or complete fraudulent identity verification processes.
Beyond interception, there is the risk of mail handling at unstaffed or poorly monitored addresses. Companies that list a registered office address they do not physically occupy, a common scenario for remote-first businesses, satellite offices, and newly established entities, often have no reliable process for monitoring incoming correspondence. Sensitive documents can sit uncollected. Deadlines on legal and regulatory notices go unmet. In some cases, a building manager or co-working facility handles the mail in ways that expose document contents to third parties.
Mail as a social engineering tool
Physical mail is also used as a delivery mechanism for social engineering attacks. Fraudulent invoices sent by post tend to receive less scrutiny than their email equivalents in some business environments, which makes them useful as a first-contact vector. A letter appearing to come from a government body, regulator, or legal firm can prompt employees to call a spoofed number, visit a fraudulent website, or disclose information they might otherwise treat with more caution.
Pretexting attacks frequently use physical mail as supporting material. An attacker who has already made initial contact by phone or email can send a follow-up letter on convincing letterhead to a company's registered address, lending apparent legitimacy to a fraudulent request. When that mail is collected by a third party or forwarded without proper scrutiny, the chain of verification can break down.
USB drops represent the hardware variant of this approach. Documented incidents include devices mailed to company offices in branded packaging, with the threat group FIN7 using packaging styled to resemble deliveries from the US Department of Health and Human Services (HHS) and from Amazon to target US businesses in transportation, insurance, and defence. Recipients who connected the drives gave attackers a foothold for ransomware deployment.
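Awareness training is the people-side control for mailed USB devices; the complementary technical control is to treat any new mass-storage attachment on a corporate endpoint as an event worth reviewing. The script below is an added example, not code from the article or from any vendor it mentions: it scans Linux kernel log lines of the kind `dmesg` or `journalctl -k` emit when a USB device enumerates, correlates the vendor and product ids announced for a port with a later `usb-storage` detection on the same port, and flags attachments whose ids are not on an allowlist of issued devices. The log lines, the allowlist, and every vendor/product id in it are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed kernel log excerpt (not a real capture). The line shapes follow what
# the Linux usb core and usb-storage driver print; the ids and names are invented.
SAMPLE_KERNEL_LOG = """\
[  120.481] usb 1-1.2: new high-speed USB device number 5 using xhci_hcd
[  120.612] usb 1-1.2: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice= 1.00
[  120.613] usb 1-1.2: Product: Corp Encrypted Drive
[  120.640] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[  121.700] sd 4:0:0:0: [sda] Attached SCSI removable disk
[  131.004] usb 2-3: new high-speed USB device number 7 using xhci_hcd
[  131.140] usb 2-3: New USB device found, idVendor=beef, idProduct=0042, bcdDevice= 1.26
[  131.140] usb 2-3: Product: Flash Drive
[  131.145] usb-storage 2-3:1.0: USB Mass Storage device detected
[  132.200] sd 6:0:0:0: [sdb] Attached SCSI removable disk
[  140.000] usb 3-1: New USB device found, idVendor=c0de, idProduct=0007, bcdDevice= 2.00
[  140.001] usb 3-1: Product: Wireless Mouse
"""

# Constructed allowlist of (idVendor, idProduct) pairs for company-issued drives.
APPROVED_DEVICE_IDS = {("abcd", "0001")}

# Enumeration line: announces vendor/product ids for a bus port such as "1-1.2".
DEVICE_RE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
# Descriptor string line that follows enumeration on the same port.
PRODUCT_RE = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
# The usb-storage driver claiming interface N.M on that port: a disk is being attached.
STORAGE_RE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


@dataclass
class StorageAttach:
    port: str
    vid: str
    pid: str
    name: str
    approved: bool


def find_mass_storage_attachments(log_text, approved_ids):
    """Return one StorageAttach per usb-storage detection, enriched with the
    ids and product string seen earlier for the same port."""
    devices = {}  # port -> {"vid", "pid", "name"} from the most recent enumeration
    attachments = []
    for line in log_text.splitlines():
        m = DEVICE_RE.search(line)
        if m:
            devices[m["port"]] = {"vid": m["vid"], "pid": m["pid"], "name": ""}
            continue
        m = PRODUCT_RE.search(line)
        if m and m["port"] in devices:
            devices[m["port"]]["name"] = m["name"].strip()
            continue
        m = STORAGE_RE.search(line)
        if m:
            # A storage claim without a prior enumeration line is still reported,
            # with unknown ids, rather than silently dropped.
            info = devices.get(m["port"], {"vid": "????", "pid": "????", "name": ""})
            attachments.append(StorageAttach(
                port=m["port"], vid=info["vid"], pid=info["pid"], name=info["name"],
                approved=(info["vid"], info["pid"]) in approved_ids,
            ))
    return attachments


def unapproved_attachments(log_text, approved_ids):
    """Only the attachments that should raise a ticket for review."""
    return [a for a in find_mass_storage_attachments(log_text, approved_ids)
            if not a.approved]


if __name__ == "__main__":
    for a in find_mass_storage_attachments(SAMPLE_KERNEL_LOG, APPROVED_DEVICE_IDS):
        status = "approved" if a.approved else "REVIEW"
        print(f"{status:8} port={a.port} vid={a.vid} pid={a.pid} name={a.name!r}")
```

Keyboard and mouse enumerations are deliberately ignored; only the `usb-storage` claim is treated as the signal, since that is the point at which a mailed drive becomes mountable. In production the allowlist would come from asset inventory and the alert would feed the SIEM, but the correlation step is the same.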
The address exposure problem
Registered business addresses are public record in most jurisdictions. In the US, state-level business registries publish company registered addresses in full, searchable by anyone, and similar transparency requirements exist across most developed economies. This is a feature of corporate transparency law, and it also creates a usable data point for threat actors conducting open-source reconnaissance.
A company's registered address can indicate the location of key personnel, the nature of the facility, and in some cases the identity of building co-tenants. Combined with other open-source data, this information can support targeted physical and social engineering attacks. An attacker who knows where legal correspondence arrives knows where to send fraudulent legal notices and where to attempt interception.
For remote-first companies and distributed teams, the registered address may have no active physical presence behind it. Notices and legal correspondence can arrive at an address where no one is monitoring incoming mail, which creates a different kind of exposure.
Reducing the postal attack surface
The mitigations available here are practical and do not require significant investment. A reasonable starting point is knowing what arrives at each address a business uses, and having a defined process for handling it.
For legal and regulatory correspondence, it matters that someone with authority reviews incoming mail promptly. Deadlines on statutory notices are not extended because mail went unread, and in regulated industries, missed correspondence from a licensing body or regulatory authority can have material consequences.
For companies without a staffed office at their registered address, a managed mail handling service with digital access is worth considering. A virtual mailbox suited to this purpose provides a real street address, scans incoming mail, and gives digital access to correspondence without leaving documents in uncontrolled physical handling environments. This can reduce the risk of mail accumulating unread or being handled by building staff with no visibility into what is arriving.
Address segmentation is another option some organisations use. Keeping a separate address for public filings and regulatory correspondence, distinct from any address associated with operational facilities or personnel, limits the intelligence value of what appears in public records.
Employee awareness is also worth extending to physical mail. Staff who apply careful scrutiny to suspicious emails but treat every physical letter as inherently trustworthy represent an inconsistency in the security posture. Training that covers fraudulent invoices, pretexting letters, and unsolicited USB devices fits naturally within existing security awareness programmes.
Closing the gap
The principle of attack surface reduction applies to physical mail alongside exposed APIs and unpatched endpoints. The postal channel has been used for fraud, social engineering, and corporate espionage for a long time, and the techniques involved are not especially sophisticated.
For many organisations, the more pressing question is simply whether physical mail falls within anyone's defined area of responsibility in the security function. Where it does not, establishing basic ownership and process is a practical first step.