Stop Throwing Away Your Personal Data: Portugal's Police Alert on Package Label Risks

The Portugal National Republican Guard (GNR) has issued a public warning about a simple yet often-overlooked security risk that could expose residents to identity theft and targeted fraud: leaving personal information intact on package labels before discarding the boxes.

In a social media campaign launched on 29 April, the GNR described the practice as a "hidden but avoidable danger," urging citizens across Portugal to remove and destroy shipping labels containing names, addresses, and phone numbers before throwing out cardboard or plastic packaging.

Why This Matters

• Your data is on display: Most delivery labels include your full name, home address, and mobile number—enough for criminals to build credible phishing attacks or identity theft schemes.

• Cybercrime is surging: Portugal saw a 13.4% increase in digital crimes in 2025, with phishing responsible for 25% of attacks.

• Simple prevention works: Tearing or shredding labels takes seconds and eliminates a free data source for fraudsters.

The Risk Behind the Convenience

The GNR's video alert highlights a behavioral blind spot among online shoppers: the rush to open a package and the immediate disposal of the box without a second thought. "Everyone is careful with their personal data online, but we forget that our physical mailboxes are leaking the same information," the force noted.

Shipping labels routinely display the recipient's full legal name, residential address, and telephone contact—sometimes even email addresses or order numbers tied to e-commerce accounts. When these boxes are left in public recycling bins, building entryways, or curbside waste, the labels become accessible to anyone passing by.

Criminals in Portugal and across Europe have increasingly exploited this low-hanging fruit. With a few labels collected from discarded packages, fraudsters can construct highly credible phishing messages, impersonating delivery services like CTT (Correios de Portugal), courier firms, or even government agencies. These scams often demand payment for fake customs fees, request personal data updates, or trick victims into clicking malicious links.

A Broader Wave of Digital Crime

The GNR warning arrives as Portugal grapples with a steep rise in cybercrime and digitally-enabled fraud. According to the 2025 Annual Internal Security Report (RASI), the country recorded 334 additional digital crime cases compared to 2024, marking a 13.4% annual increase. The most significant jump was in informatics forgery, up 29.1%, followed by unauthorized access to systems, which climbed 8.4%.

Phishing—the practice of tricking victims into revealing passwords, bank details, or payment card numbers—accounted for one in four cyberattacks in Portugal last year. A study titled "Digital and Cybersecurity 2025" found that one in four Portuguese residents has already fallen victim to digital fraud, while 52% of respondents consider the risk of identity theft or fraud during online purchases to be high.

Importantly, Portugal does not classify identity theft as a standalone crime in its legal code. Instead, it is treated as a phenomenon encompassing multiple criminal acts: false identity creation on social media, fraudulent loan applications, unauthorized bank transfers, and impersonation for financial gain. This legal ambiguity can make it harder for victims to report incidents or for authorities to track prevalence accurately.

What This Means for Residents

The GNR recommends a straightforward three-step process:

Open your package as usual.

Remove the shipping label entirely from the box or envelope.

Tear the label into pieces or use a permanent marker to obscure all readable text, including barcodes and QR codes, which can encode additional personal data such as tax identification numbers or invoice references.

For households receiving multiple deliveries per week—a growing norm in Portugal's booming e-commerce market—integrating this habit into the unpacking routine is essential. Consider keeping a small shredder near the entryway or designating a bin specifically for label disposal.

Alternative delivery options can also reduce exposure. The CTT Locky service, which uses smart lockers for parcel pickup, allows recipients to avoid home delivery altogether, though users should remain vigilant following a data breach earlier in 2026 that exposed names, phone numbers, emails, and delivery logs for millions of customers.

Some residents opt for post office boxes or request that couriers deliver to workplace addresses, though these strategies may not be practical for all.

Part of a Wider Safety Push

This label-removal campaign is one of several GNR initiatives in 2026 aimed at closing security gaps in everyday life. In March, the force partnered with the Portugal Directorate-General for Consumer Affairs (DGC) on a youth-focused campaign called "Too Good to Be True?"—designed to teach young people how to spot online scams and exercise their consumer rights in digital commerce.

The GNR also ran Operation Spring Break 2026 between 9 March and 12 April, targeting high-risk behavior among school-leavers and reinforcing road safety. A national road inspection plan focused on vulnerable road users ran from 21 to 27 April. Separately, the force issued warnings in March about a spike in fuel theft incidents across multiple regions.

On 3 May, the GNR will mark its 115th anniversary, a milestone that underscores its evolving role from traditional policing to addressing modern threats like digital fraud, data privacy, and cybersecurity awareness.

The Human Factor in Cybersecurity

Security experts consistently point to the human element as the weakest link in the digital defense chain. According to cybersecurity assessments, roughly half of all digital security incidents in Portugal in 2025 exploited human error, whether through clicking on a fake SMS link, entering credentials on a spoofed website, or failing to update software.

Artificial intelligence is now accelerating the sophistication and scale of cyberattacks. Automated phishing campaigns can generate thousands of personalized messages in minutes, drawing on stolen or publicly available data—like the kind found on discarded package labels—to increase their success rate.

Forecasts for 2026 suggest this trend will intensify. The Portuguese Cybersecurity Center and law enforcement agencies expect more frequent, more complex, and more automated attacks, particularly targeting individuals with low digital literacy or those unfamiliar with common fraud tactics.

Practical Steps for Digital Hygiene

Beyond shredding labels, residents can adopt a broader set of protective measures:

• Use unique, complex passwords for each online account and enable two-factor authentication wherever possible.

• Avoid saving payment card details on e-commerce sites; instead, use virtual cards or digital wallets like Apple Pay, Google Pay, or PayPal.

• Verify website security by checking for "https://" and a padlock icon in the browser bar before entering any personal information.

• Never click links in unsolicited emails or SMS messages claiming to be from delivery companies, banks, or government agencies. Instead, visit the official website directly.

• Keep antivirus software and operating systems updated to guard against malware and exploits.

• Use a VPN when accessing public Wi-Fi networks, which are notoriously insecure.

A Small Act with Big Impact

The GNR's message is simple: a few seconds spent destroying a shipping label can prevent weeks or months of distress caused by identity theft, financial fraud, or harassment. In an era when digital and physical security increasingly overlap, even the most mundane household task—throwing out a cardboard box—deserves a moment of caution.

As e-commerce continues to grow and delivery volumes rise, the volume of personal data circulating on discarded packaging will only increase. Making label destruction a reflex is not just good practice—it is a necessary adaptation to a world where information has become both currency and vulnerability.