Hybrid Fraud: when an unoccupied address becomes the gateway to your data


In recent years, fraud has ceased to be just a matter of viruses, phishing or network intrusions: it is moving into the real world. Malicious actors have learned to exploit legitimate services and elements of physical infrastructure to build scam chains that are cheap to operate, scalable and difficult to detect if they are analyzed through a single lens. It is no longer enough to protect servers and passwords: the attack surface now includes houses, mailboxes and processes designed for citizens' convenience.

A revealing example that researchers and cyber threat intelligence companies have identified is the strategy based on empty residential addresses, the so-called "drop addresses", that fraudsters use to intercept valuable correspondence. In general, the methodology takes advantage of public information (real estate listings, ads, moving dates), digital postal services that allow users to preview or redirect shipments, and false documentation or purchased data to complete verification steps. The result is a workflow that mixes open-source intelligence with physical-world manipulation to obtain persistent access to letters, cards or notifications containing credentials or codes useful for subsequent fraud.

(Image generated with AI.)

The actors look for addresses with low occupant turnover or that are temporarily unoccupied: properties recently advertised on real estate portals or housing that has been on the market for a long time can become targets. This "reconnaissance" phase takes advantage of the abundance of data available online rather than sophisticated digital intrusion tools. The sophistication here lies not in malware, but in the coordination between digital channels and physical operations.

Once the address is identified, the attackers use digitized postal services that offer previews of the mail or facilitate the forwarding of shipments. Services such as Informed Delivery allow the account holder to see digital images of incoming letters and package tracking from their account; this turns the mail into a source of intelligence: if the attacker is able to activate those services on the target address, they can know in advance when sensitive correspondence arrives and plan its collection or redirection. How this service works is described on the official United States Postal Service website: USPS Informed Delivery.

The escalation towards persistent access involves, in many cases, requesting address changes or activating permanent forwarding services. These mechanisms are designed for people who move and usually include controls (a small online payment, verification linked to the address, or presentation of physical identification). However, when verification relies on information that can be fabricated or purchased, or on processes that are applied inconsistently, abuse vectors arise. A poorly verified forwarding request turns an occasional interception into a permanent open door to the flow of correspondence.

The transition to persistence is completed when locker or mailbox services controlled by false identities, fraudulent printed documents or personal data acquired in illicit markets are used. This reduces the need to return to the physical property and allows the actor to maintain continuous access to bills, statements or security notifications that serve to hijack bank accounts, open credit lines in the victim's name or complete checks that require a code sent by mail. In short, control of a physical address may be the piece that connects a digital fraud with its culmination in the real world.

The operations described above often incorporate an additional human layer: third parties who, in exchange for a small sum, collect correspondence or maintain the appearance of occupancy of a property so as not to attract attention in the neighborhood. This use of "postal mules" not only disperses responsibility, but makes it harder to track down the organizers, who can remain hidden behind networks and anonymous payments.

These methods are not mere hypotheses: official data and reports show an increase in mail theft and in scams linked to mail redirection. The U.S. Postal Inspection Service has documented significant increases in correspondence theft in recent years and has linked these thefts to significant amounts of financial fraud associated with intercepted checks and documents; its report on trends and strategies analyses these dynamics in detail: U.S. Postal Inspection Service - Mail Theft Strategy. In addition, the Federal Trade Commission (FTC) provides practical resources on how identity theft occurs and what measures victims can take: FTC - Information on identity theft.

The circulation of guides and "tutorials" in clandestine forums and messaging channels has made these tactics easier to replicate. Platforms where playbooks, stolen credentials and false-documentation services are exchanged allow less experienced actors to run larger-scale campaigns. For security organizations this implies a different challenge: the relevant risk signals appear in heterogeneous domains (real estate listings, postal applications, mailbox providers, illicit market forums) and must be correlated to detect suspicious patterns.

What can citizens and businesses do to reduce exposure? At the individual level, the safest option is to minimize dependence on physical mail for sensitive communications: opt for electronic statements and notifications where possible, and use locker or secure delivery services. Registering services like Informed Delivery under your own control and reviewing address change or forwarding notifications can help detect tampering early. It is equally important to report any sign of theft or unauthorized redirection immediately to the competent postal authorities; in the United States, the U.S. Postal Inspection Service offers ways to report correspondence theft: Report mail theft - USPS Inspection Service.


For companies and financial institutions, the response requires expanding the traditional view of cybersecurity. It is no longer enough to monitor access to online accounts: it is necessary to incorporate external signals such as recent address changes, unusual use of postal redirections, virtual mailbox creation patterns or the recurrence of addresses that appear in fraud-related requests. Correlating events across domains (financial infrastructure, mail records, public housing data and intelligence sources on illicit markets) is key to detecting hybrid attacks.

It is also appropriate to improve the identity checks associated with postal and locker services, to introduce additional checks for address changes affecting financial accounts, and to provide early-warning channels between postal providers and fraud-prone entities. Cooperation between sectors (couriers, banks, real estate platforms and security companies) would significantly increase the capacity to detect and mitigate such operations.
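One way to implement the cross-domain correlation the two paragraphs above call for, as an added example that is not code from the original article or any of the organizations it cites: events from listings, postal forwarding, virtual-mailbox sign-ups and bank address changes are normalized to a canonical address and scored by how many distinct signal domains hit the same address within a sliding window. The event feed, field names, weights, window and threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample events (not real data) from the four domains the article names.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "domain": "listing",    "address": "12 Oak St, Apt 3, Springfield, IL 62704"},
    {"ts": "2024-03-04T14:30:00", "domain": "forwarding", "address": "12 oak street apt 3 springfield il 62704"},
    {"ts": "2024-03-06T11:15:00", "domain": "vmailbox",   "address": "12 Oak St #3, Springfield, IL 62704"},
    {"ts": "2024-03-07T16:45:00", "domain": "bank",       "address": "12 Oak St Apt 3 Springfield IL 62704"},
    {"ts": "2024-01-10T10:00:00", "domain": "listing",    "address": "88 Elm Ave, Springfield, IL 62704"},
    {"ts": "2024-03-02T08:00:00", "domain": "bank",       "address": "88 Elm Ave, Springfield, IL 62704"},
]

# Assumed weights: a forwarding request on a recently vacant address is the strongest single signal.
WEIGHTS = {"listing": 1, "forwarding": 3, "vmailbox": 2, "bank": 2}
ABBREV = {"street": "st", "avenue": "ave", "apartment": "apt"}

def normalize_address(addr):
    """Canonicalise spelling and punctuation so the same address matches across feeds."""
    a = re.sub(r"[.,]", " ", addr.lower().replace("#", " apt "))
    return " ".join(ABBREV.get(t, t) for t in a.split())

def correlate(events, window_days=30, threshold=5):
    """Score each address by the distinct signal domains seen within any sliding window.

    An address is flagged only when at least two domains coincide, so a lone
    address change or a lone listing never triggers an alert on its own.
    """
    by_addr = defaultdict(list)
    for e in events:
        by_addr[normalize_address(e["address"])].append(
            (datetime.fromisoformat(e["ts"]), e["domain"]))
    results = {}
    for addr, evs in by_addr.items():
        evs.sort()
        best_score, best_domains = 0, set()
        for i, (start, _) in enumerate(evs):
            end = start + timedelta(days=window_days)
            domains = {d for t, d in evs[i:] if t <= end}
            score = sum(WEIGHTS.get(d, 0) for d in domains)
            if score > best_score:
                best_score, best_domains = score, domains
        results[addr] = {"score": best_score, "domains": sorted(best_domains),
                         "flagged": best_score >= threshold and len(best_domains) >= 2}
    return results

if __name__ == "__main__":
    for addr, r in correlate(SAMPLE_EVENTS).items():
        print(("ALERT " if r["flagged"] else "ok    ") + addr, r)
```

With the constructed feed, the Oak St address accumulates all four domains within a week and is flagged, while Elm Ave shows a listing and a bank change more than thirty days apart and stays below the threshold.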

The main lesson is that risk is no longer limited to technical exploits: criminal networks are building fraud flows by combining open data, procedures designed for convenience and actors in the physical world. Protecting ourselves requires rethinking defense as a cross-cutting effort that spans the digital and the physical, and sharing signals between organizations so that an address change or a suspicious mailbox does not go unnoticed.
