By L. Burke Files
We seem to be very conscious of e-mail security, but are often oblivious to the security of the "snail mail" we receive at our homes and offices. Recently, in our role as consultants in the due diligence arena, we were asked a series of questions relating to personal and corporate snail mail security. The answers bear repeating for a wider audience.
Q. What type of mail security do we need?
A. Each company will have its own requirements. If your company regularly handles payments through the mail with a significant volume of payments arriving via postal mail or courier, a lock box service is often a sensible investment, both for security and efficiency.
For smaller companies, I strongly recommend that all mail go to a post office box, not a private mailbox. Post office boxes are securely constructed and often continuously monitored by CCTV. However, private mailboxes (e.g., from the UPS Store) offer a street address for delivery of packages via courier, and may be more practical but not as secure as private mailbox. Private mailboxes should be securely constructed of heavy gauge steel and accessible only to employees of the mailbox company.
Q. How can one segregate mail streams?
A. Mail drops and drawers can be used to segregate the mail according the wishes and needs of the company. However it's segregated, mail in significant volume should be picked up by a trusted employee or delivered by postal services in bulk, ending up in a secure location. If that location is at a company facility, it should be segregated from the remainder of that facility. Mail may be received, but should never be kept or even exposed, at a loading dock.
Once in the secure location, the mail can be delivered to the proper department. The mail can be pre-coded by agreement, such as adding to the address of certain locations or functions by adding additional addressing information such as Station A, Building 14, or to the attention of a specific employee. These codes should not interfere with regular postal addressing.
Q. How should junk mail be dealt with?
A. All physical mail should be treated as one would treat e-mail. It should be kept free from the prying eyes and the letter openers of others. Junk mail often originates from companies offering credit cards or financial services. If such mail winds up in the wrong hands, it can lead to identity theft. Yes, even junk mail has value!
Unsecured mail streams are vulnerable to industrial espionage without opening up a single envelope or parcel and with nearly zero risk of detection. Think of the unopened mail as the cleaner version of dumpster diving, but without the leftover food bits. You just need to look at the envelope to make conclusions about the company and the receiver. For example, an envelope containing a credit card will never have any identification on the envelope other that a post office box address. But, with a minor amount of research, you can link the address to the credit card issuer.
Mail stream analysis can also reveal the identity of a company's clients, the nature of the relationship, the names and addresses of key suppliers, etc. It is also possible to decode a Pittney Bowes franking stamp to identify the sender and the physical address where the franked item originated.
Now imagine what about what you can learn about a company if one you can open their mail!
Q. How can I tell if the mail has been tampered with?
A. Look for smudged ink, as many letters are now printed with jet ink printers. The inks will bleed if the paper is treated with chemicals or water (steam) to pen open the envelope and read the contents. Also examine the corners of the envelope for small tears. They may indicate that a tool was inserted to either spool the contents for removal from the envelope or that a small scope was inserted to read the document while still in the envelope.
Many correspondents will tape over the corners of an envelope to prevent tampering. However, someone who tampers with an untaped envelope may also tape it to conceal the tampering. For high security mailings, wax seals may be employed to prevent tampering and authenticate the sender as well as security envelops and tamper evident tape and seals. But yet, that too draws attention…
Q. How can I be more proactive to discover mail stream tampering?
A. Have a letter sent to you, at the address of your choice, on a regular basis. Record the number of days it takes to arrive. If you see an increase in the numbers of days it takes for the test letter to arrive, on a consistent basis, this may indicate tampering or the monitoring of your mail stream, as the mailed items must be diverted for at least a few hours for fiddling purposes. Diversion may result in the mailed items missing the cutoff times for sorting and delivery for a day or more.
Some other ideas:
- Include in your own correspondence a small sheet of rice paper inside the envelope. Rice paper turns to goo when it gets moist, such as in from steam when trying open steam open a glued envelope.
- Add chemical dots to the paper and envelope that react to the different types of solvents used such as some of the dry cleaning solvents.
- Use inks that react to heat, such as lemon juice that turns brown when heated.
- Consider sending to yourself regularly a package that contains a mobile tracking device such as a cell phone, thus allowing you to follow your package from the time of mailing to the time of delivery.
As always, specific recommendations for action depend upon specific fact patterns. If competitors of your business can gain a competitive advantage through surveillance of your snail mail, you'll want to act proactively to prevent such surveillance.
Copyright © 2012 by L. Burke Files. Reprinted by permission from the February 2012 issue of the Aegis Journal.
Burke Files is a long-time friend and business associate. He is an international expert on due diligence and the author of Due Diligence for the Financial Professional. Burke also serves as editor of the Aegis Journal. In his 20-year career, Burke has investigated frauds ranging from tens of thousands of dollars to over 800 million dollars. As a fraud recovery expert, Burke has presented at conferences sponsored by the Association of Certified Fraud Examiners, Association of Financial Professionals, Offshore Alert, and East/West Security. Burke is also the principal of Tarsus Trust Company, a licensed trust company in Nevis, British West Indies. You may reach him c/o Financial Examinations & Evaluations, Inc., P.O. Box 27346, Tempe, AZ 85285. Tel.: +1 (480) 838-1728. Fax: +1(480) 491-9439.