Government Permit Phishing Campaign Targets Businesses and Property Applicants
Cybercriminals impersonate city and county officials to trick victims into paying fraudulent zoning and permit fees.

The Federal Bureau of Investigation (FBI) has issued a warning about a new phishing campaign in which cybercriminals impersonate U.S. city and county planning officials. These attacks specifically target businesses and individuals who have applied for land-use permits, zoning approvals, or other government planning permissions.
Attackers exploit publicly available information to make their messages appear legitimate. As a result, victims receive highly convincing emails referencing permit numbers, zoning application details, and even property addresses. Because these details match real applications, the messages often avoid raising suspicion and create a sense of urgency.
In many cases, the fraudulent emails request payment for processing fees or permit-related charges. Victims are instructed to transfer funds through wire payments, peer-to-peer payment platforms, or cryptocurrency. However, these payment requests are entirely fake, and the money goes directly to the cybercriminals.
Meanwhile, attackers carefully time their phishing emails to coincide with legitimate government communications. This tactic increases the likelihood that victims will believe the request is genuine and process the payment quickly to avoid delays in their project approvals.
The FBI highlighted several warning signs that may indicate a fraudulent message. For example, phishing emails often originate from non-government domains rather than official municipal addresses. Additionally, some messages contain attachments instructing recipients to contact a separate email address for payment details. Attackers also frequently pressure victims to pay immediately to prevent permit processing delays.
Therefore, organizations and individuals involved in planning or construction projects must verify all payment requests before taking action. Officials recommend confirming the sender’s domain name and contacting the relevant city or county office directly through official channels.
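The warning signs and the domain check described above can be turned into a simple mail triage step. The following is an added example, not code from the FBI notice: the term lists, finding names, and every address and domain (all under the reserved `.example` suffix) are assumptions, and the official domain is whatever the recipient has confirmed with the city or county office.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Term lists are illustrative assumptions, not taken from the FBI notice.
PAYMENT = re.compile(r"wire (transfer|payment)|peer-to-peer|cryptocurrency|bitcoin", re.I)
URGENCY = re.compile(r"immediately|urgent|avoid (a )?delays?", re.I)
ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")  # captures the domain part

def is_official(domain, official):
    domain = domain.lower()
    return domain == official or domain.endswith("." + official)

def triage(msg, official_domain):
    """Return the warning signs present in one parsed message."""
    findings = []
    sender = parseaddr(msg.get("From", ""))[1]
    if not is_official(sender.rpartition("@")[2], official_domain):
        findings.append("sender_domain_not_official")
    body, attached = [], []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # PDFs and images would need separate text extraction
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        (attached if part.get_content_disposition() == "attachment" else body).append(text)
    # An attachment that names a contact address outside the official domain
    redirect = [d for d in ADDRESS.findall("\n".join(attached))
                if not is_official(d, official_domain)]
    if redirect:
        findings.append("attachment_redirects_to_other_address")
    everything = "\n".join(body + attached)
    if PAYMENT.search(everything):
        findings.append("hard_to_reverse_payment_method")
    if URGENCY.search(everything):
        findings.append("urgency_pressure")
    return findings

def sample_phish():
    """Constructed sample; every name and address is made up."""
    m = EmailMessage()
    m["From"] = "City Planning <permits@city-permit-billing.example>"
    m["Subject"] = "Zoning application fee due"
    m.set_content("Pay the processing fee by wire transfer immediately to avoid delays.")
    m.add_attachment("For payment details contact billing@permit-fees.example",
                     filename="invoice.txt")
    return m

if __name__ == "__main__":
    print(triage(sample_phish(), "planning.city.example"))
```

A message with any finding still needs the out-of-band confirmation with the city or county office; an empty result does not prove a message is genuine.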
If someone suspects they have been targeted or has already made a payment, the FBI advises reporting the incident to the Internet Crime Complaint Center (IC3). Victims should provide details such as the email address used by the attackers, the date of communication, the payment amount requested, and any financial information shared.
This warning reflects a broader trend in cybercrime where attackers increasingly impersonate trusted authorities. In recent years, criminals have used spoofed government phone numbers, fake recovery services for scam victims, and even AI-generated voice deepfakes to impersonate officials.
As a result, organizations must strengthen verification procedures and train employees to recognize social engineering tactics. Phishing campaigns are becoming more targeted and convincing, which means awareness and verification are now essential defenses against financial fraud.