An IG report has raised concerns about the security of the Postal Service’s social media and digital channel presence, including that the agency “was not effectively monitoring for the unauthorized use of its organizational information . . . which could result in customers being misled into thinking they are on a legitimate site, leading to reputational damage, loss of consumer trust, or potential fraud against the customer.”
Auditors said that they “identified multiple fraudulent or deceptive websites and social media accounts purporting to be Postal Service sites, as well as Postal Service-branded goods and services for sale online without authorization. This occurred because management was only monitoring for unauthorized use of the domain name and because the process for monitoring for other intellectual property infringement was time-consuming and inefficient.”
The report also said that USPS did not sufficiently enforce requirements for approval before official accounts were created, resulting in unapproved accounts for 15 post offices, nine departments, three sales teams, and “multiple employees using their social media accounts in an official capacity” without approval.
Further, the USPS “did not follow best practices to restrict the use of work email addresses for creating accounts on external sites. Specifically, we identified 3,439 Postal Service email addresses on the dark web that were involved in known data breaches of non-Postal Service systems such as retail, gaming, and dating sites. Creating personal accounts with work email addresses increases the risk that threat actors could use this information to hijack accounts, steal data, and commit fraud,” it said.
The report said that USPS management generally agreed with its recommendations.