Incognito Cat

Never Designed to be Secure

Never Designed to be Secure

One of our favorite YouTubers is the LockPickingLawyer. From the channel’s own description, he aims “...to educate consumers about weaknesses and defects in security devices so they can make better security decisions.” And he delivers on that promise over and over again.

The incredible speed at which he defeats all kinds of locks is honestly terrifying. It does not matter whether it is a cheap lock or an expensive one. He can open it in seconds, often by completely bypassing the normal keyway. He definitely proves the old saying: “Locks don’t keep robbers from stealing. Locks keep honest men from making mistakes.”

That same blind trust happens with many other things people assume are secure, or at least not worth attacking. Over the years we have put together our own list of everyday items and systems that we cannot fully trust. They were never designed with real security as the foundation. Most people never think twice about them, yet they often become the easiest way in. So let’s dive in.

Postal Mail

Who still gets real mail these days that isn’t junk? Most of us actually enjoy receiving the occasional magazine, greeting card, or letter from family. There is even that classic story of a postcard sent from vacation that shows up months after the trip is over. That slow, trusted nature is exactly what makes this attack so dangerous.

As reported on social media and by outlets like Bleeping Computer, Ledger and Trezor hardware wallet users have recently received fake physical letters pretending to come from the official support teams. These letters use customer addresses stolen in data breaches and instruct people to scan a QR code and enter their 24-word recovery phrase for a supposed “mandatory” security check.

This is when it hits you: AI can create perfect-looking fraudulent letters just as easily as it creates fake emails. But unlike email, there is almost nothing to raise suspicion. No weird sender address, no failed DMARC check. It is right there in your hand, on real paper with real ink. How could it possibly be fake? Then the deeper fear sets in: what if there are other forgeries in your mailbox? Sadly, there are far more than most people realize.

Fraudulent physical letters have become increasingly common in 2025 and 2026, using the same tactics seen in the crypto wallet scams. These schemes take advantage of the deep trust people place in physical mail to steal personal data and money.

Common Types of Fraudulent Letters

1. Tax and Government Impersonation
Scammers frequently pretend to be the IRS (in the US) or HMRC (in the UK). They send fake notices about tax refunds, unpaid debts, or audits.

2. Banking and Financial Institutions
Fake letters claiming to be from banks like Nationwide, Bank of America, or local credit unions are on the rise.

3. Subscription and Retail Scams
Even big retailers like Amazon are being impersonated through physical mail.

4. Fake Legal Settlements and Class Actions
Scammers use real court cases to create believable settlement letters.

Key Warning Signs

Watch for these common red flags in any unexpected letter:

Legitimate organizations will never ask for your full password, PIN, or 24-word recovery phrase through physical mail, email, or phone. Always verify any unexpected letter by contacting the organization directly using a known good phone number or website address.

There is also the other side of the risk: tampering, interception, and outright theft of your mail. Even though people send far less physical mail than they used to, what still arrives often contains sensitive details like your full name, address, date of birth, account numbers, and more. If a criminal intercepts it, they can use that information for identity theft or to launch further attacks.

In the US, we recommend signing up for Informed Delivery at minimum so you can see previews of what is coming. When possible, we also like using a Private Mailbox for secure delivery and storage in a climate-controlled location.

In the end, we will keep enjoying our cards, letters, and magazines. But we treat anything unexpected or important as a signal to handle it securely - by logging into a known official website or calling customer service using a verified number. We never follow instructions printed in the letter itself.

Telephony

Let’s just say it outright: telephones were never designed to be secure. Neither the devices nor the underlying protocols were built with security in mind. They were created to connect people, route calls, and generate billing. That is all.

Those of us who grew up with or heard stories about Party Lines know the truth. Neighbors used to listen in on each other’s conversations without much effort. Many people today still assume their calls are private simply because the technology looks more modern. In reality, the opposite is true. With so many devices, protocols, and companies involved, the entire system remains vulnerable, as highlighted in reports like “Experts Agree U.S. Communications Networks Remain Vulnerable Following Salt Typhoon Hack.”

The biggest problem is trust in Caller ID. When a familiar number appears, most people drop their guard completely. The FCC is planning to require Know Your Customer (KYC) rules for voice providers to fight robocalls and fraud. However, this does not solve the core issue: bad actors can still easily spoof Caller ID. Combine that with convincing AI-generated voices, and it becomes extremely dangerous.

Our standard approach, especially with any urgent-sounding call, is simple: hang up and call back using a known good number. This once happened with our bank. We received a voicemail from an unknown number claiming to be from their security team. Instead of calling them back, we used the number on the back of our card to reach customer service directly. The call was transferred to the real security department, and the issue was cleared up quickly. The original voicemail had every classic sign of a scam.

The same rule applies to text messages. Your government will not text you about unpaid tolls or for similar urgent matters from another country. Because of this, we generally do not trust phone calls or SMS. We rely only on encrypted messaging apps for important conversations and treat every call and text with high suspicion. Confirming an existing appointment is fine, but any urgent request involving money, legal issues, or personal data is an immediate red flag.

QR Codes

QR codes exploded in popularity during the 2020 pandemic. While they had existed for years, they never saw such widespread everyday use until phone cameras started reading them automatically. They are a fast and convenient way to share links and information, but they contain zero built-in security.

This has given rise to “Quishing” attacks, where scammers place fake QR codes to trick people into visiting malicious sites. Just like the fraudulent letters mentioned earlier, a convincing-looking code can send you to a perfect copy of a real website designed to steal your money, login details, or personal information. It might claim to be for parking payment, restaurant ordering, app downloads, or event check-ins.

Our rule is simple: we only scan QR codes that are part of an active, in-person transaction where we already trust the source. Examples include an Apple Store employee present a QR code generated on the spot to initiate the collection of customer information from the Apple Store app. Random static QR codes posted in public get no trust from us. In those cases, we prefer to type the URL manually or search for the official site ourselves.

Be Wary

It is a sad reality that almost anything useful can be twisted for malicious purposes by bad actors. The best defense is to stay alert and protect yourself. As Edgar Allan Poe wrote in his 1845 story “The System of Doctor Tarr and Professor Fether,” “Believe nothing you hear, and only one half that you see.”

We take it even further: trust nothing and verify everything. Pause before you act, especially when something feels urgent or asks for money, passwords, or personal details. Use known good contact methods. Double-check websites. Confirm with a second trusted source if needed.

Adopting this mindset does not mean living in fear. It simply means staying in control. The more you practice healthy skepticism with everyday “secure” things like mail, phones, and QR codes, the safer and more confident you will feel. Stay sharp out there.

Remember: We may not have anything to hide, but everything to protect.

Never Designed to be Secure

#PhysicalPrivacy #Privacy #Security