BankThink

America's most overlooked data breach is happening at the mailbox

Theft of paper checks and their use in identity theft constitute a major blind spot in the private sector's fraud detection networks. Banks and regulators need to come together to find solutions, writes David Maimon, of SentiLink.

In early 2023, while monitoring Telegram fraud markets, I discovered two U.S. Treasury checks — each worth over $200,000 — being offered for sale. They had been sent to a legitimate business in New Jersey. When I reached out, the business owner confirmed the checks were missing — and revealed three more hadn't arrived either. The next day, he called back with the full story: All five checks had been stolen, his personal and business identities hijacked and a lookalike company created to cash in. The fraudsters walked away with $2 million.

This case isn't an outlier — it's a blueprint. And it points to a systemic vulnerability that financial institutions could easily underestimate: a physical data breach at the scale of a digital one, unfolding every day through the U.S. mail system.

While banks and regulators have rightly focused on preventing digital breaches, a quieter but equally dangerous channel of identity compromise has been allowed to persist: the mailbox.

Since mid-2021, I've monitored fraudsters who have targeted U.S. Postal Service letter carriers for their "arrow keys" — universal keys that unlock thousands of collection boxes and mail units. These keys grant access to enormous volumes of mail, where criminals search for paper checks and the rich personal and business data they contain.

Stolen checks are not just tools for account takeover — they're raw material for the production of stolen and synthetic identities, business impersonation and tax refund fraud. In just three months of 2024, we catalogued over $485 million in stolen Treasury checks posted for sale online. Behind each check is a name, address, routing number and, often, the basis for a full identity theft profile.

Financial institutions — and especially their fraud and compliance teams — cannot afford to treat this as merely a check fraud problem. It is an upstream identity compromise with downstream impact across every product line: personal checking, SMB accounts, digital lending, even tax prep partnerships.

We recently conducted a state-level analysis of FinCEN suspicious activity report data from January to November 2024, comparing check fraud reports to identity theft incidents in subsequent months. The correlation was both strong and statistically significant. More stolen or altered checks reliably predicted more identity theft.

To further validate the link, we examined 1,947 identities tied to Treasury checks posted for sale on Telegram between May 2024 and May 2025. When cross-checked against account application data from our partner institutions, 60 out of every 1,000 appeared in high-risk applications — nearly twice the baseline identity theft rate. Most targeted financial institutions directly.

This is not a coincidence. It's a signal — and banks must begin treating it that way.

First, fraud teams should treat check theft as an early warning system. Monitoring whether an applicant's information has appeared in known fraud markets can prevent the account opening fraud that follows.

Second, identity verification tools must evolve. Even robust identity-verification standards can be defeated when real identities are used. High-precision machine learning models can detect anomalies that static verification misses — without adding unnecessary friction.

Third, banks should reassess their SMB onboarding processes. As I've observed in my recent research, fraudsters are reinstating dormant LLCs with fake ownership details, then using them to apply for business products. Conventional checks — EIN validation, website presence, Secretary of State records — are no longer sufficient. Historical business snapshots and reinstatement patterns can reveal when a legitimate-looking business is actually a puppet.

Finally, banks must engage policymakers. While USPS has begun addressing its arrow key problem and Treasury continues moving toward digital payments instead of issuing checks, neither system is built for real-time fraud feedback. Financial institutions, fraud intelligence providers, and public agencies must collaborate to track how physical data theft translates into digital fraud — before the tax season, not after.

In 2024, the IRS received 167.1 million individual income tax returns and issued 105 million refunds. About 20% of those — roughly 21 million — were sent by paper check.

Let's say just 5% of those checks were intercepted. That's more than 1 million compromised envelopes. If even 6% of those individuals later experience identity theft — a rate consistent with what I've observed — that means more than 63,000 Americans would be affected annually. That's the equivalent of a midsize corporate data breach occurring every year, in slow motion, out in the open.

And that number only counts Treasury checks. It doesn't include the thousands of personal and business checks sent through the mail each day — payments to vendors, landlords, utility companies and more. These, too, are being stolen and weaponized for fraud: opening new accounts, applying for credit, filing for benefits and more.

Unlike digital breaches, where regulators mandate disclosure and remediation, there is no accountability for mail theft-driven identity fraud. Victims don't receive alerts or credit monitoring. Institutions aren't required to notify consumers when their check or identity has appeared in criminal marketplaces.

Until that changes, banks are left to absorb the risk — and clean up the mess.

This is not just a government failure. It is a blind spot in the private sector's fraud defenses, and it is costing us dearly.

The mailbox has become a breach vector. Financial institutions need to start treating it that way.
