Watch Your Inbox for Fake Postal Service Emails

The holiday season tends to be a hyperactive time for hackers, and this year is proving to be no different. While not new or original, the “USPS Mail Hold” scam appears to be gaining steam as holiday travel and package deliveries skyrocket.

The scheme follows the standard formula of phishing. Recipients get a message claiming to be from the United States Postal Service. The message states that mail is being held for the recipient, then invites the recipient to click a link to get more information.

Sample of USPS Mail Hold Phishing Email

If the email arrives in the inbox and the link is clicked, users are directed to a bogus site that downloads a malware payload to the recipient's computer.

How to Spot This Email Scam

This scam is simply a seasonal variant of a similar scam that mimics DocuSign rather than the USPS. The good news is that it isn’t subtle or sophisticated. However, just because it’s hastily conceived and likely to trail off after December doesn’t mean users should become complacent about what arrives in their inboxes.

Here are some red flags to look out for and ensure that you’re not caught unaware:

  • Wrong Address: Instead of being identified as the USPS, the email sender is usually identified as “” or “” The USPS has dedicated email addresses, so it would not send official communications through third-party channels.
  • Wrong Subject: The USPS also relies on standardized conventions for subject lines. Anyone who has received an official message in the past can look for inconsistencies in those conventions. Even those who haven’t should inspect the email’s subject line to make sure that nothing seems off.
  • Wrong Links: These scam emails typically contain several links that legitimately direct you to the USPS. The link that users are encouraged to click, however, leads to a footwear site that is actually a front for hackers. Checking the target address of a link before clicking on it can help recipients determine its legitimacy. But keep in mind the final destination of the link may differ, so time-of-click analysis is a critical component of any email threat protection solution.
  • Wrong Phone Number: Some variants of this scam encourage users to call a phone number in Rhode Island for more information. This number has no connection to the USPS, as mail hold is actually conducted entirely online.

Preventing Present and Future Email Scams

Even an attack that’s easy to spot can be effective. Instead of relying on users to be the first and last line of defense, companies should also implement solutions that are designed to detect and deflect email scams in advance.

The USPS malware could be neutralized simply by disabling VBA macros. That way, the virus payload wouldn’t automatically open on a computer even if every bad link were clicked. This simple step blocks other common email attacks as well. Moreover, if and when scammers try to obscure and obfuscate who an email is sent from, sender verification can block and quarantine impersonated emails or warn users by unmasking the scam, while click analysis can help users verify the age, reputation, and location of the landing page.

All of these protections are included in the SpamStopsHere toolkit. When coupled with user education and awareness, they dismantle simple threats like the USPS scam, along with more sophisticated threats that aren’t so transparent and opportunistic. Protecting your inbox this holiday season and throughout next year takes the right combination of training, tools, and tenacity.

About SpamStopsHere

To find out more about SpamStopsHere, visit our product page, check out our simple pricing and start a FREE 30-Day trial, or contact us anytime via phone (800-458-3348 | 734-426-7500), chat or email. We're always here. 24/7/365.