A new email phishing scam impersonating US city and county officials is tricking homeowners and businesses into forking over fraudulent fees for nonexistent planning and zoning permits, the FBI warns.

The FBI issued a public service announcement on Monday, warning that scammers are targeting homeowners and business owners nationwide by sending fake invoices that appear to be from local officials, requesting payment to finalize permit approvals.

Dozens of planning departments have reported being targeted over the past 12 months, according to a January report by the American Planning Association (APA), ranging from smaller municipalities in states like Colorado, New Jersey, and West Virginia to major metro areas including Las Vegas, Houston, and Miami.

Scammers exploit public permit records

The FBI’s Internet Crime Complaint Center (IC3) alert says the cybercriminals have been “leveraging publicly available permit information to identify potential victims and increase the legitimacy of the scam.”

"Generative AI has made it significantly easier for threat actors to create highly convincing phishing emails that incorporate publicly available information,” says Chance Caldwell, Senior Director of the Phishing Defense Center at Cofense.

“Attackers can use AI to quickly collect open-source data, such as permit requests or zoning filings, and generate spoofed emails that reference details the victim may believe were private or internal,” Caldwell explains.

The counterfeit emails are said to contain legitimate information about the victim’s permit application, such as case numbers, property addresses, and itemized statements, making the scam even more convincing.

Furthermore, the emails often “emphasize urgency, threatening delays or other obstacles in the permitting process if the applicant does not immediately render payment,” the FBI states.

"Timely payment of this fee is necessary to streamline the approval process and ensure that your application is placed on the proper hearing agenda without administrative delays," states one phishing email (shown below) alleging to be from the Minneapolis City Planning Department.

"Once the payment has been confirmed, our office will proceed without delay to advance the approval recommendation," it says.

Caldwell points out that “when this type of targeted messaging is combined with impersonating a trusted authority, such as a government agency, victims may feel pressure to respond quickly to avoid delays or penalties.”

“Requests for unexpected payments or urgent action from government entities should always be verified through a known, legitimate contact method rather than replying directly to the email or using contact details provided within the message," Caldwell says.

Fake invoices use names of real city officials

The fraudulent message will instruct the victim to pay permit-related fees listed on an attached invoice via a “wire transfer, peer-to-peer payment, or cryptocurrency” – a tell-tale sign the email is a scam, the FBI says.

Many of the emails will also include “seemingly official seals, references to municipal and state statutes, and phony signatures” using the names of real officials, the APA said, adding that “several cities also have reported the use of the @usa.com domain.”

The FBI says other common indicators include scammers timing the emails to coincide with ongoing communications between applicants and municipalities about the permitting process.

In one example cited by the APA, a contractor was sent an invoice for a permit they were awaiting approval for to install a digital sign at a local middle school.

The email, appearing to be sent from the name of a legitimate city planner, claimed the contractor’s sign variance was recommended for approval – and that paying the attached $4,800 invoice would prevent delays in final authorization.

Additionally, the emails deter victims from contacting the municipality directly, instead instructing them to communicate only by email to maintain a supposed paper trail for auditing purposes.

What to look out for

The FBI is urging homeowners and business owners involved in a planning or zoning permit application process to be aware of the following:

• Do not assume emails are legitimate – even if they contain city or county letterhead, seals, names of officials, or proper spelling and grammar.
• Double-check the email address and domain name to ensure they match the official you have corresponded with.
• Examine the email address and domain name for extraneous characters or misspellings.
• Check the city or county official website for notices about ongoing impersonation schemes.
• Call the city or county government using the phone number listed on the official website to verify any outstanding fees.

To make an online fraud complaint or report other suspicious activity, you can contact the FBI’s Internet Crime Complaint Center at www.ic3.gov.

---

Unlock more exclusive Cybernews content on YouTube.