RaySecur’s Chief Security Officer Will Plummer analyzes trends from the known dangerous mail incidents in 2020.
The United States Postal Inspection Service (USPIS) Dangerous Mail Investigations Unit responds to 10 dangerous mail incidents every day, on average. Most are undisclosed by law enforcement.
In 2020, several hundred mail-borne threat incidents became public knowledge. This report presents an analysis of the publicly-known dangerous mail incidents in 2020, within the broader context of official USPIS and ATF historical statistics.
More than 8,700 incidents involving suspicious items sent in the mail were reported in 2019, including powders, liquids, and suspect or unattended packages.
These figures come from the most recently published data of both the Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF) and United States Postal Inspection Service (USPIS).
Suspect mail items analyzed
by USPIS forensics lab.
On average this corresponds to approximately 25 suspicious and potentially dangerous incidents per day. In addition to individual incidents, USPIS reports over 125,000 suspicious mail items processed through federal forensics labs in the same year.
While official government data sources provide a historical view of both the prevalence and magnitude of dangerous mail threats, the publication of official statistics typically lags actual incidents by 6-12 months. The objective of this report is to summarize key statistics from official data sources to frame the problem, while also providing accurate and timely information on recent and evolving threats.
2020 was a record year for suspicious and dangerous mail incidents in the news. The year began with a spate of letter bombs sent to banks and key political figures in the Netherlands. Following the spread of the Covid-19 pandemic in the spring, the US saw a wave of unidentified seeds mailed from China. In May, following a series of layoffs, Subway’s corporate headquarters was shut down due to a letter containing white powder.
Incidents reported by
USPIS and ATF.
Controversy surrounding mail-in ballots in the 2020 U.S. presidential elections permeated political news coverage through most of the summer months, and the poison ricin was mailed to the White House in September.
Based on the aggregate data compiled from the public-domain sources in 2020, 95% of dangerous mail attacks involved letters or parcels small enough to fit in a curbside drop box – highlighting the vulnerabilities posed by small items with an unknown chain of custody. Of these threats, white powders were the most prevalent; found in 38% of dangerous mail items.
Beyond the statistics, the dangerous mail incidents covered in this report span entire organization shutdowns to home evacuations. Whether a hoax or real, these threats force losses in revenue, time, and the sense of security, and highlight the often-unnecessary exposure to risks. Legitimate mail attacks sent innocent bystanders and first responders to hospitals for exposure to threats such as fentanyl, ricin, and explosive devices. When viewed individually, these threats appear as one-off incidents. Combined, they depict an evolving threat picture that requires attention, planning, and security measures.
U.S. Government Data: Historical Context
The primary sources of official data on dangerous mail attacks and hoaxes are the United States Postal Inspection Service (USPIS) and the United States Bomb Data Center (USBDC) managed by the Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF).
These two agencies catalog incidents differently, and the methodology for reporting even within the same agency may vary from year-to-year.
Complicating matters further, many of these events do not make it into the news cycle.
Nonetheless, these sources serve as an indicator for the prevalence of mail threats and the magnitude of their impacts across the United States.
Federal agents dedicated to USPIS Dangerous Mail Investigations Unit.
Suspicious mail incidents reported by USPIS per day, on average.
The USPIS Dangerous Mail Investigations Units consist of over 400 federal agents responsible for responding to incidents involving mailings including suspicious and hazardous substances, including chemical, biological, radiological, and explosive items.
Although official 2020 numbers have yet to be released from the United States Postal Inspection Service, over 125,000 suspicious mail items were sent for forensics analysis in the previous year, with inspectors responding to over 3,289 incidents involving suspicious items, powders, or liquids sent in the mail .
Similarly, the United States Bomb Data Center reported 5,482 suspicious or unattended package incidents in 2019, consistent with the average over the past 5 years. Of these, approximately 1,202 incidents involved letters or parcels and another 910 incidents were not categorized.
In addition, 715 explosion incidents, of which 251 were classified as bombings, occurred in 2019, resulting in 78 injuries and 16 fatalities .
In order to provide key stakeholders with timely information, given the fragmented and delayed nature of official reporting, RaySecur actively tracks events in the public-domain, providing up-to-date information in our Threat Data Center.
This information is sourced from local, state, and national media outlets, as well as public records. The remainder of this report highlights key incidents and trends based on this data from 2020.
2020 Threat Statistics
from Public-Domain Sources
The following statistics are compiled from the 200+ dangerous mail incidents that occurred in the United States and were reported in the media in 2020.
These events represent a small fraction of the total, many of which are handled internally, or are reported to law enforcement only but do not make it into the public domain.
White Powder Threats
White powders are the most common threat reported by USPIS and ATF. Other general powders represent an additional 4%.
The majority of white powder incidents turn out to be hoaxes: harmless powders like baking soda or confectionary sugar.
These hoaxes are intended to cause fear and disrupt operations, and many are successful. They also often cause facility evacuations, which can bring substantial publicity.
32% of known threats arrived in a letter envelope, and 63% via parcel — which could be mailed via USPS “blue box.”
A parcel is defined by the USPS as anything up to 0.5 inches thick and up to 10 ounces—the dimensions which USPS allows in its “blue box” postal drop boxes.
Taken together, this means that nearly 95% of all dangerous mail was small enough to fit into a USPS blue box — small is the new scary.
Mail Threat Trends
The following data highlights key statistics summarizing the 200+ publicly-known dangerous mail incidents in 2020.
In 2020 dangerous mail incidents increased across most of the spectrum. Parcels, defined as anything at least 3″ x 6″ x 1/4″ thick , comprised 63% of all threats, with letters making up 32% and the remaining 5% unidentified in the reporting.
These numbers are significant. Nearly 95% of all dangerous mail was small enough to fit into a USPS “blue box” postal drop box. This trend further emphasizes the importance of size and chain of custody in evaluating the risk to the organization.
White powder threats were the most common in 2020, with powders present in 38% of dangerous mail items. Drugs of all types in the mail increased from 7% in 2019 to 28% in 2020 primarily due to the COVID-19 pandemic and the lack of physical contact.
Private businesses and residences received 39% of the dangerous mail threats based on the events reported in the media. Threats targeting government locations rose to 42% from 36% at primarily state and federal locations.
First responders to these dangerous mail attacks involved hazmat 27%, bomb squad 22%, sheriff 19%, FBI 13%, local police 10%, and United States Postal Inspection Service 7%.
About the Data
Most law enforcement agencies, do not publish their logs in a manner conducive to aggregate analysis and the data is often delayed.
Therefore, RaySecur tracks mail-specific threats using open-source data, compiled from national, state, and local media sources. These data are added regularly, to RaySecur’s Threat Data Center.
Accurate, timely, and actionable intelligence is critical to plan and prevent dangerous mail attacks. This report is intended to provide a snapshot of recent mail threats and dangerous mail attacks to enable the security professional to plan and implement mitigation measures accordingly.
These data are analyzed along with events reported by the USPIS and ATF. The ATF operates the United States Bomb Data Center (USBDC), the clearinghouse of record for information on incidents involving arson and the suspected criminal misuse of explosives. The USBDC collects data from U.S. law enforcement, military and public safety agencies, and produces its annual Explosive Incident Report (EIR).
The ATF and EIR are extremely useful for trend analysis, however their data are generally tied to criminal activities and prosecution. Many incidents fail to meet the ATF’s reporting requirements, and are therefore omitted from their reports and left unreported.
RaySecur’s dataset also includes dangerous mail incidents which may not meet ATF reporting requirements.
2020 Dangerous Mail Threat Maps
2020 saw dangerous mail attacks in 48 US states and Washington DC. Use the interactive maps below to explore the incidents.
Threats by State
As expected, the states with the most incidents also have some of the highest population centers.
California and the New England states have historically seen higher numbers than much of the rest of the country.
Due to higher population numbers, increased stress on society, and a higher level of reporting outlets this will likely continue.
The central states have a lower incidence rate, which may be due to lower populations overall and the potential for open-source reporting to garner national media attention.
Threats by City
Similar to the trends by state, cities with the highest number of incident also tended to have larger populations.
Generally, cities with more incidents are business hubs, exhibit a high degree of government influence, or correspond to areas with a high degree of political division.
Mailed threats during the 2020 COVID-19 pandemic were also higher in cities with historic drug problems or areas where the mandatory shut down was contested. These cities showed a higher rate of mail-based threats using tactics such as extortion and racial threats.
2020 saw increases in several threat types that appear tied to the COVID-19 pandemic.
White powder, drugs, and extorsion letters are examples of threat categories that rose significantly from 2019.
Drugs, for example, increased over 30% from the previous year as more drugs were sent through the mail in increasingly smaller quantities to avoid detection.
Mail became the simplest way to move threats since recipients were not leaving their homes.
Three areas saw increases in threats in 2020: government, businesses, and private residences.
Government targets, generally at the local and state level, were targeted primarily with white powder and hoax threats.
Businesses saw the most incidents of extortion and white powder threats. Targets included everything from global business headquarters, triggered by staff layoffs, to minority-owned small businesses receiving racially-motivated threats.
Private residence targets rose, likely, due to increased numbers of high profile targets working from home.
Primary Response Type
Overwhelmingly the primary response to these threats was local police at the county and city level.
Sheriff’s departments are the most common lead on the incident site as they generally have more resources available.
This year saw an increase in USPIS and FBI responses due to the rise in federal offenses in the mail.
Extortion, racial threats, and smuggling across state lines generated the majority of responses from law enforcement or public safety.
The ratio of most common packaging types was 2:1, parcels to letters.
There was not a significant highlighted change from last year to 2020. The threats were primarily delivered by the USPS or hand-delivered to the target in a last-mile style method.
The vast majority (95%) of the threats fell into sizes that do not require a chain of custody, less than half an inch thick and less than 10 ounces.
20+ Mail Bombs & Hoaxes in Netherlands
Two waves of letter bombs across the Netherlands disrupted daily lives and sent first responders into countrywide emergency response. 
Several bombs exploded causing minor injuries and destruction with the remaining bombs recovered in a myriad of locations across several cities.
Targets were found in various locations, including gas stations and banks. The desired outcome seemed to be the extortion of money in the form of Bitcoin .
Authorities have yet to arrest the perpetrator for the 2020 events. This means that the bomber was successfully controlling the spread of DNA.
2015 saw a similar set of attacks that ended with a DNA match of the bomber and his 8-year sentence in federal prison .
- Reuters, Letter bombs explode in ABN Amro, Ricoh offices in Netherlands, no injuries, Feb 12, 2020
- Dutch Review, Letters containing harmful white powder keep showing up around the Netherlands, Nov 20, 2020
- New York Times, Dutch Police Hunt for Mail Bomber Who Demanded Bitcoin Payoff, Feb 20, 2020
Ricin Mailed to U.S. White House
US law enforcement intercepted a package containing ricin addressed to President Trump, according to CNN. Ricin, naturally found in castor beans, is extremely toxic and easily refined into the deadly poison .
A Canadian woman has been detained in connection with a Ricin letter sent to the White House. Ricin is extremely toxic and fairly easily to make.
“The envelope to the White House was caught at the final off-site processing facility where mail is screened before being sent to the White House mailroom, according to a second law enforcement official.
The Postal Service irradiates mail that is addressed to the White House and other federal agencies in the Washington area, and the mail is sorted in a facility that samples the air for suspicious substances” reported the New York Times .
In Milford, CT, Subway Restaurants’ headquarters received a package with a powdery substance in May that was investigated by the local police and the FBI, reported by the NY Post .
The police and Subway executives believe the package could have been sent by a recently laid-off Subway employee, Milford police officer Maralisa Anania told The Post.
“I know they have had a lot of layoffs lately, so that is in the back of our minds,” Anania said. Subway, which is also concerned about retaliation by a former worker, is not counting anything out, she added.
“A suspicious envelope was received at our mail center yesterday, prompting notification to the authorities per protocol,” a Subway spokesman confirmed. “The investigation by authorities determined there was no risk. The source of the package is currently under investigation.”
Subway, America’s biggest restaurant chain with almost 24,000 locations, has been slashing jobs amid sagging sales that have been plaguing the company since 2015 — the year its longtime spokesman Jared Fogle was arrested.
Mail-in Ballot Controversy
This year’s election was one of the most contested in recent history. The focus on mail-in ballots put enormous pressure on the US Postal Service and exposed a possible weakness in security.
Threats sent to local election departments and polling stations via mail-in ballots are not uncommon. Past incidents include the evacuation of the Douglas County Courthouse in Washington State in the 2019 elections  and a hazmat response to a Boston polling station in 2018 , both due to powders found in mail-in ballots.
In September, police officers responded to a Las Vegas-area Election Department regarding a suspicious substance found on a letter . An employee at the location became aware of the substance and immediately notified superiors who then made the call to 9-1-1.
That same month, a Nebraska man was charged with 38 counts of terroristic threats after delivering a suspicious package to a county election commissioner, with a threatening message written on a voter registration form .
- KHQ6, Douglas County courthouse in Waterville to remain closed Friday, shelter in place lifted, Oct 24, 2019
- Boston Globe, Powdery substance found at Roxbury polling station was baking soda, officials say, Nov 6, 2018
- KTNV, ‘Suspicious substance’ at Clark County Elections Department identified as deodorant, Sep 28, 2020
- NebraskaTV, Grand Island man arrested for suspicious package sent to election office, Sep 25, 2020
Unknown Seeds from China
2020 saw seeds and other cheap items, primarily out of China, delivered to thousands of unsuspecting people all over the world .
These seeds raised concerns from both the Federal and States Department of Agriculture as they represented a legitimate threat if they were an invasive species .
States and local authorities lost countless hours responding to “suspect packages” and alerts sent out across the nation on how to handle the situation.
The US Department of Agriculture says the puzzling packages appear to be part of a “brushing scam” — where folks receive items they never ordered from a seller who then posts false customer reviews to boost sales.
Planting random seeds from unknown sources is a threat to local agriculture and can introduce invasive species that can have unwanted consequences.
Fentanyl & the US Postal Service
2020 proved itself to be the year of fentanyl and international mail. This led to the U.S. Federal government levying sanctions and directing mail carriers to stem the flow across US borders .
Fentanyl, mailed largely from China, essentially made the United States Postal Service (USPS) and Canada Post some of the largest illegal drug distribution networks in North America .
Raw and uncontrolled powdered fentanyl, and other drugs like it, are shipped into the United States and then pressed into pill form and sold through the black market or on the streets.
In response to this influx and the domestic distribution that followed, the USPS reduced the size of mail authorized in the public collection boxes. Items must weigh less than 10 ounces and be no larger than half an inch thick . If these parameters are exceeded, the item is returned to the sender and, if that is not possible, intercepted in shipment and destroyed.
Reductions in curbside drop box size limits will most likely result in an increase in smaller packages containing illicit material, especially fentanyl, in the coming year. With scrutiny intensified on larger and heavier packages, new and inventive ways to hide illicit material are expected over the upcoming months.
In order to meet new size and weight limits, parcels containing illegal substances are expected to contain little metal or other high density items, which have historically been easy to detect with x-ray scanning.
Lightweight and low-density materials in small quantities present a challenge for conventional x-ray screening technologies.
- U.S. Treasury, Treasury Sanctions Chinese National for Shipping Fentanyl to the United States, Aug 25, 2020
- Washington Post, The flow of fentanyl: In the mail, over the border, Aug 23, 2019
- USPS, Postal Bulletin #22529, Sep 26, 2019
Snapshot of 2020 Mail Security Incidents
The events highlighted below include an overview of mail security incidents of 2020 showing the range of dangerous or illegal mail activities from the past year.
Correction officers sickened by white powder during search.
Two Southeastern Correctional Institution officers were sickened when they were exposed to a white powder during a search of an inmate’s property.
The officers were treated and released about two hours after they reported feeling nauseous, with tingling legs and shortness of breath .
$30,000 in cash intercepted in attempted fraud.
A package containing $30,000 in cash was intercepted before it was sent to a fraudster, thanks to a business owner in Mesquite, TX.
A woman attempted to overnight-mail a magazine to Jamaica, NY.
The magazine contained three hundred $100 bills taped to its pages .
FBI & HAZMAT identify bleach powder on M&Ms.
A UPS package contained M&Ms sent to a private residence. The candies left mild burns on the recipients’ hands. The candy was covered in powdered bleach and addressed to the homeowner.
According to WKRN News 2, a woman was transported to the hospital. HAZMAT worked to identify the substance and the FBI visited the scene .
Church received suspect package after defying Covid restrictions.
Roseville police say no explosives were found in a package mailed to a Roseville church.
The church garnered scorn after hosting services, despite the state’s Covid shelter-in-place policy.
The church’s pastor said the box was sent by Priority Mail and had a return address name label .
CA man tried to ship cocaine inside a jar of peanut butter.
Lodi police arrested a man on charges of transporting a controlled substance after they discovered a suspicious package containing cocaine Tuesday.
Police say a person tried to mail a package to another state containing a jar of peanut butter with two bags of cocaine inside .
Woman hospitalized by letter with suspicious substance.
A woman called 911 after opening a letter with an unknown fine powdery substance. She said it gave her nose a “burning sensation.”
She was taken to the hospital for a precautionary evaluation, and hazmat crews were still working to isolate the substance .
Small package exploded inside Post Office in Venice, CA.
According to the Los Angeles Fire Department (LAFD), the incident–initially reported as a structure fire–was called in from the location of a United States Postal Service (USPS) facility.
After responding to the scene, firefighters learned that a small package had exploded at the facility .
Jail staff member opened white powder mailed by current inmate.
An inmate at the Stark County Jail mailed the letter to a worker there. That worker was off but another worker opened the letter and found white powder inside.
It turned out the substance was bleach. The woman who opened the letter suffered bleach burns. The inmate is now facing a charge of inducing panic .
2021 Emerging Mail Threats
Based on the trends observed in 2020, these are the dangerous mail threats and vulnerabilities to get ahead of in 2021.
The New 'Last Mile Problem'
We have all seen it, especially recently: a stranger pulls up in a personal vehicle, drops a package on your doorstep, and takes a picture with a cell phone.
These last-mile courier services represent new risk. Mail threats delivered by these services are on the rise and expected to continue.
With the increased use of mail to supply everyday items, the strain on carriers has increased. This high demand leads them to find ways to alleviate the stress to their infrastructure, often in the form of third party drivers or delivery carriers. This practice is becoming normalized and may undermine the security of the mail system.
As people and companies become more comfortable with shipments out of rental trucks, delivered by workers in plain clothes, there is an unintentional acceptance of risk.
Regardless of the original shipping company, once they relinquish custody of the package, they introduce added risk. The insertion of a threat into a package becomes a much easier prospect.
Last-mile threats are a ‘new normal’ that must be accounted for both in procedure and in practice. Chain of custody verification is becoming more important and with it, an increased responsibility on the recipient.
At a minimum, screening procedures—beyond visual and tactile inspection—should ensure that the package is authorized. In cases where it is not readily apparent and a chain of custody is broken, procedures should be clear and formalized into policy.
Preventing threats from moving farther into the organization is always the goal, and verifying chain of custody becomes the priority.
Aside from conventional mail threats to an organization’s personnel and infrastructure via CBRNE (chemical, biological, radiological, nuclear, and explosive) mail vulnerabilities also pose a serious risk to IT and cyber assets — known as Warshipping.
Recent testing by IBM has highlighted a practice known as “warshipping” where miniature electronic devices are hidden in small packages and envelopes to enable remote access to secure WIFI networks once inside the building.
These threats bridge the gap between physical security and cybersecurity and are designed to exploit one of the easiest means of entry into buildings – access through the mail. With no shortage of introduction methods, it is up to the ingenuity of the attacker.
One example of this practice is shipping an item to an individual on parental leave. Such an item may sit unopened inside an office for months without raising alarm. The only limiting factor of these devices is the battery power required to keep them operating.
USPS Collection Boxes
In direct response to recent pressures regarding mail-borne threats, the US Postal Service reduced the acceptable size of mail deposited in blue collection boxes.
Acknowledging that the majority of mail hazards are deposited in USPS collection boxes, this change will affect future threats in several ways. Obviously, mail items will become smaller and more compact.
As a result, more small packages are needed to move the same amount of contraband, driving the need for ever-more sophisticated detection capabilities. The overall effect is an increased requirement for technology that can detect at lower levels than previously required.
The size change is intended to reduce threats from packages from unknown and possibly nefarious chains of custody. Previously accepted sizes, approximately 4”x8”x12” are now reduced to 1/8 the size.
The maximum allowable weight is now only 10 ounces, roughly 25% less than in previously accepted mail.
According to the new requirements, “Customers who need to mail packages with postage stamps that are larger than one-half inch thick or heavier than 10 ounces must conduct the transaction in person at a Post Office retail counter.”
Mail Used in Scams
With the increase of consumers’ exchange and return shipments, there is an increased risk of mail scams to get Personal Identifiable Information (PII).
Fake text messages, emails, and alerts are common methods to trick people into releasing their PII.
A message is sent to the victim stating there is a package out for delivery and overwhelmingly people respond even when they are not expecting one.
Most often this message has an active link embedded that launches a malicious website which appears legitimate.
The malicious website then performs two actions:
- First, it pushes a virus to the host system and begins installing itself and stealing the PII.
- Second, it pushes the victim for more information by asking leading questions and offering free items.
What’s next? — A Look Ahead
2020 forced significant changes to much of our daily landscape and will continue to do so through 2021.
As we wait for vaccines and watch new strains of the virus propagate, the requirement for social distance will remain.
With that, we can expect a continued and increased reliance on mail and the standoff it gives us from each other.
Home & Home Office
The last year has challenged the office and home life norms and changed forever how goods and services are delivered.
Home offices have become the norm and with that, the historic threats aimed at the corporate offices are hitting living rooms and kitchen tables.
White powder events have risen enough that one in every three events will require a hazmat response of some sort and those numbers can be expected to rise.
They represent a cheap, easily delivered, and reliable way to affect change. They include drugs but most often are intended to scare, harm, or shut down facilities.
Individuals who feel they have no power, have been slighted, or simply want to cause havoc will continue to use this tactic to meet their goals.
Explosive events happened at a higher than normal rate this year and due to the growing social divide can be expected to remain elevated.
A device detonated in a private home where a last-mile IED was delivered to a porch and ultimately carried inside. The victim opened the package and was injured in the blast.
Another detonated inside of a post office and caused a fire to break out and before it reached its destination.
Drugs & Illicit Substances
Drugs in the mail increased and will continue to do so simply because transactions have required separation between the two parties.
The most logical step for illicit activities is to use already available logistical tools to complete the task.
Potent dangerous drugs like fentanyl are easily concealed and represent a number of white powder events.
Large amounts of marijuana will increase in prevalence due to legalization in some states where it is bought and then shipped to states where it is illegal.
About Will Plummer, CSO
Prior to joining RaySecur as Chief Security Officer, Will spent 25 years in the US Army.
- Bronze Star with Valor as a Master Explosive Ordnance Disposal (EOD) Technician
- Commanded multiple Special Operations units with multiple combat deployments
- Trained EOD technicians in all 4 US military branches
- Directed VIP support for the last 8 U.S. Presidents