For years, we have learned to scrutinize emails promising unexpected refunds, SMS messages urging us to update accounts, and WhatsApp notifications arriving with excessive urgency. Phishing has been firmly linked to the digital realm—associated with questionable links or counterfeit websites pretending to be legitimate banking platforms. However, this notion is becoming outdated. The same deceptive tactics can now cross the threshold of our homes and arrive in our mailboxes disguised as official communications.
The core difference lies not in the mechanism but in the context. Rather than waiting for a click on a link from a mobile phone, attackers are now exploiting the lingering trust we place in tangible, physical communications. This introduces new risks, as paper correspondence can evoke a sense of legitimacy that emails may not generate anymore. The essence remains unchanged: impersonation aimed at extracting sensitive information from us.
Paper Phishing: The Old Hoax in a New Envelope
A recent incident shared by Inés Zuriaga del Castillo on LinkedIn describes a physical letter received at home, allegedly from Ledger, the well-known hardware wallet manufacturer. The envelope carried an official-looking letterhead and a request to scan a QR code, supposedly to update the device, after which the recipient was to provide the wallet's recovery phrase. That is the glaring red flag: a recovery phrase should never be shared with anyone, whatever the stated reason.

On the left, the case of a false letter sent in Ledger’s name. On the right, a fraudulent communication detected by Social Security.
Ledger has since issued warnings about similar scams on its support page. They describe fraudulent letters masquerading as “security check” notices, urging users to scan QR codes to enter their secret recovery phrases for supposed security upgrades. Their guidance is clear: avoid scanning these codes, do not visit any associated links, and never share your 24-word recovery phrase as it could allow attackers to take control of your wallet.
The problem extends beyond cryptocurrency. Social Security in Spain has also detected fraudulent letters aimed at pension and benefit recipients, requesting personal documentation such as an identity document or bank statements. The pretext is that data was lost in a "hacker attack" and that the documents are needed immediately to process an increase in the payment. Social Security stresses that no organization should ever ask for sensitive documentation by email, which makes such a request a red flag in itself.
These examples target different audiences but share the same structure. The Ledger letter is built around a wallet and a recovery phrase that should never leave the user's control; the Social Security letter plays on the urgency of a benefit payment. The language and the impersonated organization differ, but the objective is identical: a message credible enough that the victim acts before verifying.
A pressing question arises: how do these letters reach specific names and addresses? The answer is usually a data breach at a company, a supplier or a public administration that holds the data, which no amount of user-side hygiene (strong passwords, two-step verification) can prevent. The AEPD reported receiving 2,765 notifications of personal data breaches in 2025, most of them involving ransomware and other serious intrusions.
Moreover, stolen data is not a one-time commodity. As Xataka has reported, personal documentation such as the Spanish DNI can be bought on illegal markets for about 15 euros. Once personal information is circulating out of the owner's control, it can be reused in different scams for years.

One rule applies equally to digital and paper phishing: the more urgently a communication demands action, the slower we should respond. If a letter asks for sensitive data, that alone should set off alarm bells. Do not scan the QR code on impulse, do not write to the email address printed on the letter, and do not call a phone number that the letter itself presents as the only point of contact. Instead, verify through a channel you find on your own: the organization's official website, or a phone number from an earlier, known-good communication. A QR code is nothing more than an encoded link, so if you want to inspect it, use a reader that displays the URL without opening it and compare the domain with the organization's real one. This is less convenient, but it is what keeps you out of the trap.
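The domain comparison described above is where most people slip, because a host such as `ledger.com.device-update.net` starts with the brand they expect. The following script, an added example that is not part of the article or of any code from Ledger or Seguridad Social, triages the text decoded from a QR code before anyone opens it. The official domains it lists are an assumption taken from memory; confirm them against a contact page you reached on your own, never one the letter points you to. The sample payloads are constructed for the example and are not real links.

```python
"""Triage the text decoded from a QR code before anyone opens it.

Added example, not code from the article or from Ledger / Seguridad Social.
Assumption: the official domains below are the ones the organizations publish;
confirm them against a contact page you reached on your own, not via the letter.
"""
import ipaddress
from urllib.parse import urlparse

# Assumed official domains for the two organizations impersonated in the article.
OFFICIAL_DOMAINS = {
    "ledger": ["ledger.com"],
    "seguridad social": ["seg-social.es"],
}

# Common shorteners: a letter pointing at one is hiding the real destination.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "cutt.ly", "is.gd", "rb.gy"}


def is_under(host, domain):
    """True only for the domain itself or a genuine subdomain of it.

    'ledger.com.evil.net' does not end with '.ledger.com', so it fails here;
    that is exactly the lookalike trick a plain substring check would miss.
    """
    return host == domain or host.endswith("." + domain)


def assess_qr_payload(payload, official_domains, brand_keywords=()):
    """Classify a decoded QR payload as 'official', 'suspicious' or 'not_a_url'.

    Returns (verdict, reasons). 'official' requires the hostname to be one of
    official_domains (or a subdomain of one) with none of the red flags below.
    brand_keywords lets you add spellings of the brand that do not appear in
    the official domain label (e.g. "seguridad" for seg-social.es).
    """
    parsed = urlparse(payload.strip())
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return "not_a_url", ["payload is not an http(s) URL; do not act on it"]

    host = parsed.hostname.lower().rstrip(".")
    reasons = []

    if "@" in parsed.netloc:
        # 'https://ledger.com@evil.net/' really connects to evil.net.
        reasons.append(f"'@' in authority: the real host is {host}")
    try:
        ipaddress.ip_address(host)
        reasons.append("bare IP address instead of a domain name")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if "xn--" in host or not host.isascii():
        reasons.append("internationalized/punycode host (possible homoglyph)")
    if host in URL_SHORTENERS:
        reasons.append("URL shortener hides the destination")

    matches_official = any(is_under(host, d) for d in official_domains)
    if not matches_official:
        keywords = set(brand_keywords) | {d.split(".")[0] for d in official_domains}
        if any(k in host for k in keywords):
            reasons.append("brand name inside a lookalike domain")
        else:
            reasons.append("host is not an official domain")

    return ("suspicious" if reasons else "official"), reasons


if __name__ == "__main__":
    # Constructed payloads modelled on the article's two scams; none are real links.
    samples = [
        ("https://support.ledger.com/article/123", OFFICIAL_DOMAINS["ledger"]),
        ("https://ledger.com.device-update.net/verify", OFFICIAL_DOMAINS["ledger"]),
        ("https://ledger.com@198.51.100.7/update", OFFICIAL_DOMAINS["ledger"]),
        ("https://bit.ly/3abcdef", OFFICIAL_DOMAINS["seguridad social"]),
        ("WIFI:S:freewifi;T:nopass;;", OFFICIAL_DOMAINS["seguridad social"]),
    ]
    for payload, domains in samples:
        verdict, reasons = assess_qr_payload(payload, domains)
        print(f"{verdict:10} {payload}  {reasons}")
```

Only an exact match or a real subdomain of the official domain is accepted; everything else is reported as suspicious with the reason, so the output tells the reader what the letter was trying to hide (a userinfo trick, a raw IP, a shortener, or simply a domain that merely contains the brand name). A verdict of `official` still only means the link points at the real site; the advice in the article stands, and the safe move remains reaching the organization through a channel you located yourself.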
Ultimately, the format is almost irrelevant. Email, SMS, WhatsApp message or physical letter, the intent is the same: to earn just enough trust that we hand over information that can later be used against us. These cases are a reminder that security does not begin when we spot a fake website; it begins earlier, at the moment we decide not to trust a communication simply because it looks legitimate.
Images | Xataka with Grok | Inés Zuriaga del Castillo
In Xataka | How often should we change ALL our passwords according to three cybersecurity experts

