Bob Robertson wasn’t getting much mail and he had no idea why. Turns out, an identity thief had forwarded it to Florida.
It wasn’t hard-the crook just filled out a form on the Postal Service’s website.
“This just seems like it’s too easy,” said Robertson, of North Whitehall Township, Pennsylvania.
The Postal Service tries to prevent its address-change system from being used for fraud, or at least tip people off to it pretty quickly. But that didn’t happen. Robertson had to tell them it was happening.
He lost only a little bit of money-about $100 in rebates he was waiting for-but lost a lot of his time. He’s still figuring out what mail he missed and had to arrange to pay bills he didn’t get. He also had to set up added security on his accounts, since those bills presumably ended up in the scammer’s hands.
The trouble really started in August, though he only realized that in retrospect. That month, there were suspicious charges on one of his credit cards. In October, another bank called asking whether he had just applied for a card. He checked his credit reports and found there were three unsuccessful attempts to open cards on Sept. 16-the same day the fraudulent address change was submitted online.
The thief likely did that to cover their tracks, so Robertson would not get mail from any accounts opened in his name.
“I would just consider myself lucky,” Robertson said. “It’s been a giant inconvenience, but fortunately, financially, so far it hasn’t really kind of materialized in any significant way.”
Address-change requests can be submitted online, in person or by mail. There were 37 million last year. Postal Service spokeswoman Karen Mazurkiewicz told me the “margin of potential compromise is small.” She said the Postal Service “attempts to balance customer convenience with protection of the mail and is constantly evaluating the processes being used.”
What happened to Robertson has happened to others. I found media reports from Cincinnati, Chicago, Cleveland, Florida and California about similar instances. Some people’s identities were stolen when information on redirected mail was used to open accounts.
The Postal Service has known for a long time about the potential for the address-change system to be used for fraud. A 2008 inspector general audit said the service “should improve controls to ensure proper authorization and validation” of change requests. It said failing to address weaknesses “could contribute to identity theft.”
The audit said nothing was done to verify the identity of people making “hard copy” requests in person or via mail. It also found that some forms weren’t signed, or had names and signatures that did not match. The Postal Service agreed to check for signatures in the future.
It tries to validate address changes. For online requests, a $1 fee must be paid with a credit or debit card. The name and address on the card must match the name and one of the addresses on the change form. That system passed a test during the 2008 audit by rejecting orders submitted using credit cards with different names and addresses.
Verification letters are sent for all requests, to the old address. Anyone getting a letter who hadn’t changed their address would be alerted of potential fraud.
Those safeguards, though, didn’t protect Robertson. He told me he did not get a notice.
“I cannot say that he did receive one, but he should have,” Mazurkiewicz said. “It is very rare that he did not.”
To thwart the credit card verification, the identity thief would have had to charge the fee to one of Robertson’s cards, or to a card opened fraudulently in his name without his knowledge. Neither appears to have occurred.
It took a while for Robertson to realize he was missing mail. He suspected something was amiss but didn’t know exactly what was going on.
Some days, he and his wife received nothing. What they didn’t recognize was the only mail being delivered was addressed to his wife, or to both him and his wife. Nothing sent in his name alone was arriving.
He found out what was happening in a conversation with his mail carrier on Oct. 19.
As she dropped off the mail that day, she told him she hadn’t brought a package because it was being forwarded to his Florida address.
“I have no idea what you’re talking about,” Robertson told her.
“All your mail’s going to Florida,” the carrier responded.
She informed him of the change of address, so he went to the post office and got the change form. It showed his mail was being redirected to Miami until Nov. 30. The post office immediately stopped that.
It must do more to stop this system from being used for fraud. Everyone who files a request should be required to provide photo identification. Some people may find that offensive or inconvenient. And yes, the best identity thieves might use fake IDs. But it would be a start toward tightening the process.
If you notice your mail volume decreasing, don’t ignore it. Look for patterns such as mail only coming to one person in your household. If you get a notice confirming your address has been changed, contact your post office. Don’t assume any mail you get from the Postal Service is junk.
You also can protect yourself by limiting the amount of sensitive information, such as bank and credit card statements, delivered by mail. You can access many statements online.