USPS Audits Continue to Reveal Failures to Protect US Mail

Audits reveal systemic, repeat security failures across USPS facilities and initiatives.
High-tech fixes like eLocks and scanners underperform due to poor deployment and oversight.
Mail theft and check fraud keep rising despite USPS claims of rigorous security efforts.

For years, OrboGraph has tracked a troubling pattern: the United States Postal Service (USPS) conducts audits, the audits reveal serious security failures, recommendations are made — and the problems persist. The latest report from the USPS Office of Inspector General (OIG), released May 6, 2026, is no different. This time, the subject is the Vulnerability Risk Assessment Tool (VRAT) process — and the findings point to a system that is fundamentally broken.

The VRAT is a risk-based model used by the U.S. Postal Inspection Service to identify security deficiencies at postal facilities. Tier 1 (most critical) and Tier 2 (critical) facilities are the highest-priority targets for these assessments. In theory, the VRAT should be a cornerstone of USPS security infrastructure — a systematic way to identify vulnerabilities, assign corrective action, and track resolution.

In practice? The OIG's audit paints a far different picture.

Security,Breach,,System,Hacked,Alert,With,Red,Broken,Padlock,Icon

What the Latest Audit Found

According to the May 2026 OIG Audit Report (No. 25-147-R26), the Postal Inspection Service did not effectively oversee the VRAT process. Specifically, auditors found:

Many surveys were not started or incomplete
Deficiencies remained unresolved
The status of resolved deficiencies was not reported in the system
Not all facility management received required VRAT security training prior to performing surveys
Personnel from both the Postal Inspection Service and USPS duplicated efforts by completing separate VRAT surveys at the same Tier 1 and Tier 2 facilities in the same fiscal year

The OIG issued six recommendations — all agreed to by management — covering survey completion failures, deficiency monitoring, status reporting, training verification, and survey redundancy. The fact that management agreed to all six recommendations is not reassuring. It's a sign that these are known, recurring problems.

Cybernetic,Attack,Security,,Banking,And,Personal,Data.,Protecting,Herself,From

A Pattern of Failure

This is not the first time OrboGraph has reported on USPS security audit failures. The pattern is well-established:

Arrow Keys: A Years-Long Failure

In one of the most striking audit findings we've covered, a CBS News investigation reviewed thousands of pages of USPS audits and found that from 2019 to 2024, auditors checked 84 postal facilities for issues related to securing arrow keys, and found untracked or unsecured arrow keys at 76 of those facilities, spanning 25 states and the District of Columbia. Arrow keys open bulk mailboxes nationwide and have been a primary tool for check thieves.

The USPS's own Inspector General flagged arrow key failures in a 2020 audit. Years later, the same failures were still occurring.

Project Safe Delivery: Promising Results That Didn't Materialize

In response to soaring mail theft, which climbed from fewer than 60,000 complaints in 2018 to more than 250,000 in 2023, the USPS launched Project Safe Delivery in 2023. The initiative included replacing 49,000 antiquated arrow key locks with electronic eLocks. But a December 2024 OIG audit report, Security and Efficiency of the New Carrier Scanners and Electronic Locks, revealed staggering implementation failures:

USPS purchased 49,500 eLocks — but as of mid-2024, 12,270 remained uninstalled
USPS ultimately canceled the second batch of 50,000 eLocks
Of 814 mobile delivery devices (MDD-TRs) assigned to 15 facilities, 163 (approximately 20%) were unaccounted for at the time of site observations
Of those unaccounted devices: 47 were at other facilities, 7 were reported lost or stolen — and 101 were simply missing, with no supporting documentation

Sacramento Based Postal Facilities: 143 Missing Arrow Keys

The Internal Threat for Stolen Mail

The USPS's October 2024 Mitigating Internal Mail Theft report revealed that the threat isn't only external. Auditors found employees concealing stolen mail and packages under personal belongings brought onto the workroom floor, elevated supervisor and manager vacancy rates, no nationwide policy restricting personal items in work areas, no periodic mail theft awareness training, and security cameras that were non-operational due to equipment failures.

What Financial Institutions Can Do

Waiting for the USPS to fix its security infrastructure is not a viable fraud prevention strategy — the audit history makes that clear. Additionally, as we've noted in the past, even its recent efforts do not make relying upon the US Government's impact a wise move.

Financial institutions must rely on the technologies available to them to stop check fraud, plain and simple. The most successful FIs are leveraging a multi-layered, technology framework that works regardless of upstream failures. By combining image forensic AI, transactional analysis, rules engines, and dark web monitoring, FIs can achieve detection rates of 95% or higher—ensuring that even when fraudsters successfully obtain stolen checks, the financial institution is protected.

Cyber Security Data Protection Business Privacy concept

AI Innovation

Understanding Check Fraud

AI and Deep Learning-Based Check Recognition

About Us

Social Media

Resources

Blogs