Your letterbox is often the weakest point in your identity security. Bank statements, credit card offers, ATO assessment notices, Medicare correspondence, superannuation statements and replacement payment cards all arrive in a box at the end of your driveway that almost anyone can open. In Australia, identity theft costs victims an average of several thousand dollars to resolve and typically takes months to recover from fully. Mail theft is one of the simplest and most common entry points.
This guide explains how physical mail creates identity theft risk, how to reduce that risk without stopping all correspondence, and what to do if you suspect your mail has already been intercepted. It covers both short-term hardening steps and the longer-term approach of removing sensitive mail from your residential letterbox entirely.
1. Understand how mail creates identity theft risk
Not all mail carries the same risk. A pizza delivery menu stolen from your letterbox is a minor nuisance. An undelivered replacement credit card or an ATO assessment notice with your tax file number on it is a different matter. The mail items that create the greatest identity theft exposure are:
- Replacement payment cards. Banks send new debit and credit cards by ordinary post. A replacement card sitting in an unattended letterbox can be activated by a thief using details from other stolen correspondence before you notice it has not arrived.
- Pre-approved credit offers. These arrive unsolicited and often contain enough identifying information for a fraudster to attempt an application in your name. Some arrive with your name and address already printed on a partially completed form.
- ATO correspondence. Assessment notices include your tax file number, residential address and in some cases financial figures from your return. Tax file number theft is one of the most common precursors to identity fraud in Australia.
- Medicare and government agency letters. These include your Medicare number and, for some correspondence types, your Individual Healthcare Identifier. Both have value to identity thieves.
- Superannuation statements. Annual fund statements include your account number, your TFN as held by the fund, and your current balance. A balance figure combined with fund and contact details is sufficient for some fraudulent rollover attempts.
- Bank and credit union statements. Account numbers, BSBs and transaction history provide the foundation for impersonating you with a financial institution's customer service team.
- Telecommunications bills and contracts. These include your name, address, and account details. Telecommunications fraud -- including SIM swap attacks -- often begins with a stolen account statement.
2. Signs your mail has been intercepted
Mail theft is rarely obvious. Unlike a break-in, there is no visible damage. The signs tend to be indirect and easy to dismiss until a pattern becomes clear:
- Expected correspondence stops arriving. If you are used to receiving monthly statements and they stop, or if a card you know was dispatched never appears, that is a signal worth following up promptly.
- You receive notices of accounts opened in your name that you did not open. Credit applications, utility connections or telecommunications accounts you do not recognise appearing on your credit file are a strong indicator.
- Debt collectors contact you about accounts you have no knowledge of.
- You cannot log into myGov or an ATO account, and you find that contact details or bank account numbers for your tax refund have been changed without your knowledge.
- You receive a notice from the ATO that a tax return has already been lodged for a year you have not yet lodged, or that a refund was paid to a bank account you do not recognise.
- A financial institution calls to verify a recent application you did not make.
If you notice any of these signs, treat them as an active incident rather than a coincidence. The response steps are in section 8 below.
3. Harden your physical letterbox
A locked letterbox is the first and simplest defence. Most residential letterboxes in Australia are unlocked by default. A keyed lock that covers the delivery slot prevents opportunistic theft and slows deliberate theft enough that many thieves will move on rather than force it. Steps to harden your physical letterbox:
- Replace an open or unlocked letterbox with a locked model. These are widely available at hardware stores and cost between $80 and $200 depending on capacity and material. Choose a model with a full-width insertion slot large enough for standard A4 envelopes.
- If you rent and cannot replace the letterbox, ask your property manager to install a locked model. In most states, a tenant can reasonably request a security improvement of this kind.
- Check mail daily when you are at home, or at the same time each morning. Mail sitting in a letterbox for several days is more likely to be noticed and extracted.
- If you will be away for more than a few days, arrange for a trusted person to collect your mail, or lodge a Hold Mail request with Australia Post at auspost.com.au for the duration of your absence. Australia Post's Hold Mail service holds mail at a specified post office for collection for periods of up to two months.
- Consider a letterbox mounted at or near your front door rather than at the street boundary. Street-boundary letterboxes are easier to access unobserved than a box adjacent to a doorbell or security camera.
4. Reduce what arrives in your physical letterbox
The most reliable way to prevent mail theft is to reduce the volume of sensitive mail arriving by post in the first place. Most Australian financial institutions, government agencies and service providers now offer electronic delivery for all correspondence. Switching to digital delivery removes the mail theft risk for those senders entirely.
- ATO. Set your myGov account to receive all ATO correspondence digitally. From your myGov home, go to Profile, then Communication preferences, and select digital delivery for all correspondence types. This redirects ATO letters, assessment notices and debt correspondence to your myGov inbox. The ATO will no longer mail them to your residential address.
- Medicare and Services Australia. Set communication preferences in myGov to digital delivery for Medicare and Centrelink correspondence.
- Banks and credit unions. Log into your online banking and navigate to document preferences or statement delivery settings. Switch from paper statements to email or in-app delivery for all accounts. Most Australian banks now default new accounts to digital delivery; if you are still receiving paper statements, it is worth checking whether a setting was changed at some point.
- Superannuation funds. Log into each fund's member portal and switch to electronic delivery for statements, contribution notices and other correspondence. Most funds email members when a new document is available in the portal.
- Utilities. Switch to e-billing with your electricity, gas, water, internet and telephone providers. This is typically a one-click change in your online account settings or a call to customer service.
- Local council. Most councils now offer e-billing for rates notices. Check your council's website or call the rates team to switch your rates correspondence to email delivery.
Working through this list in a single afternoon will substantially reduce your incoming physical mail. Most people find that once digital delivery is set up across their major senders, physical correspondence is reduced to a handful of items per month: the occasional replacement payment card, identity verification documents and items from senders that do not yet offer a digital option.
5. Opt out of unsolicited credit offers
Pre-approved credit offers are sent without your request and arrive at your address based on credit bureau data. To reduce this source of risk:
- Contact the major credit bureaus operating in Australia -- Equifax at equifax.com.au, Experian at experian.com.au, and illion at illion.com.au -- and request that your name be removed from marketing lists used for pre-approved credit offers. Each bureau has an opt-out process on its website.
- Register on the Do Not Mail register operated by the Australian Association of National Advertisers. This reduces addressed advertising mail across a range of senders.
- Place a "No Junk Mail" sticker on your letterbox. This reduces the volume of unaddressed marketing material arriving each week, though it does not affect individually addressed credit offers.
6. Virtual mailbox for sensitive mail
For mail that cannot be delivered electronically, a virtual mailbox removes the residential letterbox as the point of vulnerability entirely. Instead of arriving at your home address, sensitive correspondence arrives at a secure, staffed facility operated by the virtual mailbox provider, is scanned, and is made available as a PDF in a web portal you can access from anywhere.
For identity theft risk, the key advantage is that the mail never sits in an unattended letterbox. It arrives at a monitored facility. You receive an email notification when something arrives and can read the full contents remotely without the physical item ever being exposed at your residential address.
Setting up a HotSnail virtual mailbox as your correspondence address for sensitive senders involves two steps:
- Sign up at members.hotsnail.com.au/signup and complete identity verification. This involves uploading a copy of your driver licence or passport. Identity verification is required because a HotSnail address is a real postal address that receives legally significant correspondence.
- Update the correspondence address with each sender you want to redirect. For most people, the priority list is: banks and credit card providers, superannuation funds, the ATO (if you have not already switched to myGov digital delivery), and any other senders of sensitive financial or government documents. Senders that generate high volumes of lower-risk mail -- catalogues, general advertising -- do not need to be redirected.
You can run a virtual mailbox address alongside your residential address rather than replacing it. The most practical approach is to use the virtual mailbox for senders generating sensitive correspondence and keep your residential address for deliveries -- parcels, subscriptions, lower-risk mail. This reduces the identity theft risk at your letterbox without having to change your address with every sender you deal with.
7. Specific steps for payment card security
Replacement payment cards are among the highest-value targets in residential letterboxes. Several steps reduce the risk:
- Ask your bank to deliver replacement cards to a branch for in-person collection rather than by post. Most Australian banks offer branch collection as an alternative to postal delivery. Request this proactively before your card's expiry date rather than waiting for a replacement to be dispatched.
- Use your virtual mailbox address as the card delivery address. Replacement cards sent to a virtual mailbox are received securely and held. If a card arrives that you were not expecting, it is a signal that an account may have been compromised -- before the thief has had an opportunity to activate it.
- Set up fraud alerts or SMS notifications on all payment accounts so you are notified immediately of any activation or transaction on a card you were not expecting to be active.
8. Responding to mail theft or identity fraud
If you believe your mail has been stolen or that your identity has been used fraudulently, a fast response limits the damage. The longer fraudulent activity continues, the harder it is to reverse.
- Check your credit file immediately. Request a free credit report from each of the three Australian credit bureaus: Equifax at equifax.com.au, Experian at experian.com.au, and illion at illion.com.au. Look for enquiries, accounts or defaults you do not recognise. Under the Privacy Act, you are entitled to a free credit report at any time if you suspect identity fraud.
- Apply for a credit ban. Under Australian privacy legislation, you can apply to each of the credit bureaus to place a ban on your credit file. A ban prevents credit providers from accessing your file to assess new applications, which blocks a fraudster from opening new accounts in your name while the ban is active. A ban initially lasts 21 days and can be renewed.
- Contact IDCARE. IDCARE is the Australian and New Zealand national identity and cyber support service. Their case managers provide free, specialist support for identity theft victims, including step-by-step recovery guidance. Reach them at idcare.org or on 1800 595 160, weekdays 8am to 5pm AEST.
- Report to police. Lodge a report with your state or territory police or via the Australian Cyber Security Centre's ReportCyber portal at cyber.gov.au. Mail theft is a criminal offence under Commonwealth postal offences provisions and equivalent state legislation. A police report number is necessary when disputing fraudulent activity with financial institutions and government agencies.
- Notify your banks and financial institutions. Call the fraud lines for each institution associated with accounts that may have been compromised. Request a fraud investigation and ask whether any new accounts, cards or changes to existing accounts have occurred without your authorisation.
- Notify the ATO. If you suspect your tax file number has been compromised, call the ATO on 13 28 61 and ask to speak with the identity crime team. The ATO can place a marker on your TFN that triggers additional verification for any activity associated with it.
- Change passwords and enable multi-factor authentication. If mail theft has exposed account numbers or personal information sufficient for a fraudster to contact your bank's customer service, it may also have exposed enough information to attempt password resets on digital accounts. Change passwords for banking, email, myGov and the ATO's online services, and enable multi-factor authentication on each. Consider using an authenticator app rather than SMS-based two-factor authentication, as SMS can be intercepted via a SIM swap attack.
Mail security checklist
- Install a locked letterbox or arrange a Hold Mail request if you will be away for more than a few days.
- Switch the ATO to digital correspondence delivery via myGov communication preferences.
- Switch Medicare and Centrelink to digital delivery via myGov.
- Switch all bank and credit union statements to electronic delivery via each institution's online banking portal.
- Switch all superannuation funds to electronic delivery via each fund's member portal.
- Switch electricity, gas, water, internet and telephone accounts to e-billing.
- Switch council rates to email delivery.
- Opt out of pre-approved credit offers via Equifax, Experian and illion marketing opt-outs.
- Ask your bank to deliver replacement cards to a branch or to a virtual mailbox address.
- Set up a HotSnail virtual mailbox for any remaining sensitive physical correspondence.
- Check your credit file with each of the three Australian bureaus at least once a year.
- If you suspect theft or fraud: act immediately -- credit ban, IDCARE contact, police report, bank notification, ATO notification.
Mail theft is low-effort and low-risk for the perpetrator but can be very high-value when the right items are in the letterbox. A locked letterbox and a shift to digital delivery for key senders remove most of the risk at minimal cost. For correspondence that must still arrive by post, a virtual mailbox moves that mail out of an unattended residential letterbox and into a monitored, staffed facility. The combination -- physical hardening plus routing sensitive mail to a secure address -- substantially reduces your exposure without requiring you to stop receiving post entirely.
For a complete guide to updating your address across all Australian institutions, see our Australian address change checklist. For sole traders who want to keep their home address off the ASIC register and other public business records, see our guide on protecting your home address in business records.