Cybercriminals Use Empty Houses to Steal Mail

Summary
– Fraud actors now exploit legitimate services like real estate platforms and postal systems to build scalable, low-cost fraud workflows that are difficult to detect.
– A specific tutorial guides threat actors to identify vacant rental properties online and use them as “drop addresses” to intercept sensitive mail for identity theft.
– Attackers use digital postal services, like Informed Delivery, to remotely monitor incoming mail at these addresses to identify valuable financial documents before physical collection.
– The fraud method establishes persistence by using fake identities to submit mail forwarding requests, redirecting all victim mail to a location under the attacker’s control.
– This hybrid model blends digital reconnaissance with physical-world manipulation, evading traditional cybersecurity controls and highlighting a broader rise in mail-enabled fraud.
The threat landscape is shifting as cybercriminals increasingly exploit physical vulnerabilities, not just digital ones. A particularly concerning trend involves the use of vacant homes as infrastructure for mail theft, enabling large-scale identity and financial fraud. This method, detailed in tutorials circulating on fraud forums, bypasses traditional cybersecurity tools by abusing legitimate services and real-world logistics.
Analysts have observed a step-by-step guide that teaches threat actors how to establish so-called drop addresses. The process begins with searching real estate platforms like Zillow or Rightmove for recently listed rental properties, which are likely to be unoccupied. Older listings that have lingered on the market are also targeted for their long-term vacancy, making them reliable locations. In some cases, criminals even perform minor upkeep on abandoned houses to avoid suspicion while using the address to receive sensitive correspondence.
Once a suitable property is identified, attackers leverage digital postal services for surveillance. Using tools like the USPS Informed Delivery service, they can remotely preview incoming mail destined for that address. This allows them to identify high-value items such as credit cards, bank statements, or verification letters without ever setting foot on the property, turning mail delivery into an intelligence-gathering operation.
If the service is already registered to the legitimate resident, the tutorial outlines methods to hijack control. This often involves submitting fraudulent Change of Address (COA) or Premium Forwarding requests. While these services have verification steps, such as a small fee linked to a billing address, criminals exploit perceived weaknesses. They use fabricated or stolen identity data to bypass these checks, effectively redirecting a victim’s mail without their knowledge. This shifts the operation from passive monitoring to active interception.
The final phase focuses on establishing persistence. Attackers use fake identities, sometimes built with fabricated Credit Privacy Numbers (CPNs), to open private mailbox services. This enables them to forward all mail from the drop address to a secure location they control. This move is critical, as it transitions the scheme from opportunistic theft to a sustained fraud pipeline. The intercepted mail can then fuel account takeovers, new credit applications, and refund scams, bridging the gap between digital fraud and physical-world credibility.
This represents a hybrid fraud model that blends open-source intelligence, service abuse, and sometimes on-the-ground accomplices to collect mail. It reflects a broader surge in mail-related crime. Data indicates reports of mail theft from receptacles surged by 139% between 2019 and 2023, with schemes linked to hundreds of millions in check fraud. Similarly, fraudulent change-of-address requests have risen sharply.
The technique is not without its challenges for the criminals. Financial institutions are increasingly flagging virtual and frequently reused addresses. This forces threat actors to constantly seek new, “clean” residential addresses not yet associated with fraud. Nevertheless, the model’s effectiveness lies in its low-tech, coordinated abuse of systems that fall outside conventional security perimeters, such as real estate websites and national postal services.
This is not an isolated tutorial but part of a growing ecosystem. Underground markets offer both free and paid guides on establishing drop addresses, indicating significant demand. For organizations, this evolution underscores that fraud detection must now extend beyond digital signals. Effective defense requires correlating data across domains, including anomalous address usage patterns, mail forwarding activity, and inconsistencies in identity documents, to spot these blended attacks before they result in substantial financial loss.
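The cross-domain correlation the closing paragraph calls for can be sketched as a small scoring routine. The following is an added example, not code from BleepingComputer or from any fraud platform; it assumes a hypothetical application feed with a stable applicant key, a mailing address, the address printed on the supplied identity document, and a separate feed of change-of-address or forwarding events, all constructed inline. Each application is flagged when the same mailing address appears across several distinct applicants inside a window, when a forwarding request was filed against that address shortly before the application, or when the identity document's address disagrees with the mailing address.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Application:
    app_id: str
    applicant: str        # hypothetical stable identity key (e.g. a hash of name + DOB)
    mailing_address: str  # address the applicant asked correspondence to be sent to
    id_doc_address: str   # address printed on the identity document supplied
    filed: date


@dataclass
class ForwardingEvent:
    address: str          # address named in a change-of-address / forwarding request
    filed: date


# Constructed sample data: one clean application and three sharing an address
# that also has a recent forwarding request against it.
APPLICATIONS = [
    Application("A1", "id-alice", "12 Elm St", "12 Elm St", date(2024, 5, 1)),
    Application("A2", "id-bob", "40 Oak Ave", "40 Oak Ave", date(2024, 5, 3)),
    Application("A3", "id-carol", "40 Oak Ave", "7 Pine Rd", date(2024, 5, 10)),
    Application("A4", "id-dave", "40 Oak Ave", "40 Oak Ave", date(2024, 5, 20)),
]
FORWARDING_EVENTS = [
    ForwardingEvent("40 Oak Ave", date(2024, 4, 25)),
]


def normalize(addr: str) -> str:
    """Collapse case, punctuation and whitespace so trivially different spellings match."""
    return " ".join(addr.lower().replace(",", " ").replace(".", " ").split())


def score_applications(apps, forwarding, reuse_window_days=90,
                       reuse_threshold=3, forward_window_days=30):
    """Return {app_id: [flag, ...]} correlating address reuse, forwarding
    activity and identity-document inconsistency for each application."""
    apps_by_addr = defaultdict(list)
    for a in apps:
        apps_by_addr[normalize(a.mailing_address)].append(a)
    fwd_by_addr = defaultdict(list)
    for e in forwarding:
        fwd_by_addr[normalize(e.address)].append(e.filed)

    results = {}
    for a in apps:
        addr = normalize(a.mailing_address)
        flags = []

        # Distinct applicants using this address in the window up to and
        # including this filing. Earlier filings are not rescored retroactively.
        reuse_start = a.filed - timedelta(days=reuse_window_days)
        distinct = {o.applicant for o in apps_by_addr[addr]
                    if reuse_start <= o.filed <= a.filed}
        if len(distinct) >= reuse_threshold:
            flags.append(f"address_reuse:{len(distinct)}")

        # A forwarding/COA request filed against the address shortly before the
        # application is exactly the precondition the interception scheme needs.
        fwd_start = a.filed - timedelta(days=forward_window_days)
        if any(fwd_start <= d <= a.filed for d in fwd_by_addr[addr]):
            flags.append("recent_forwarding")

        # Identity document pointing somewhere other than the mailing address.
        if normalize(a.id_doc_address) != addr:
            flags.append("id_address_mismatch")

        results[a.app_id] = flags
    return results


def flagged(results):
    """Application ids that raised at least one flag, in filing order."""
    return [app_id for app_id, flags in results.items() if flags]


if __name__ == "__main__":
    for app_id, flags in score_applications(APPLICATIONS, FORWARDING_EVENTS).items():
        print(app_id, flags or "clean")
```

The thresholds and windows are placeholders to tune against real volumes; the point is that none of the three signals is conclusive alone, and only joining the application feed with postal forwarding data and document checks surfaces the pattern described above.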
(Source: BleepingComputer)