FBI Warns of Phishing Attacks Impersonating US City, County Officials

Local government permitting is a low‑risk, high‑frequency transaction that cybercriminals have turned into a lucrative phishing vector. By scraping publicly available zoning applications, attackers can personalize emails with real permit numbers, property addresses, and application dates, making the fraud appear legitimate. The use of non‑government email domains—often subtle variations like @usa.com—adds a veneer of authenticity while bypassing basic spam filters. This approach reflects a broader shift toward data‑driven social engineering, where attackers leverage open‑source information to increase conversion rates.

The financial demands in these schemes are deliberately varied to evade detection. Wire transfers, peer‑to‑peer platforms, and cryptocurrency payments each offer different advantages: wires provide speed, P2P services obscure the recipient’s identity, and crypto enables near‑instant, cross‑border transfers with limited traceability. Coupled with urgent language—"pay now to avoid permit delays"—the tactics create pressure that lowers victims’ scrutiny. Recent FBI alerts also note the rise of AI‑generated deepfake audio used in voice‑phishing, indicating that the impersonation threat is expanding beyond email to more immersive channels.

Mitigation hinges on verification and education. Organizations should implement email authentication protocols (DMARC, SPF, DKIM) and train staff to scrutinize sender domains, especially when invoices are attached. A simple phone call to the issuing agency can confirm fee legitimacy. Reporting to the IC3 not only aids law‑enforcement investigations but also contributes to broader threat intelligence that can protect other entities. As impersonation attacks proliferate, both public and private sectors must prioritize robust identity verification and continuous awareness programs to safeguard critical civic processes.