TL;DR:
- The FBI warned about an active invoice fraud scheme in which attackers are:
  - Scraping publicly available city and county permitting information,
  - Impersonating local officials via emails from almost-official domains, and
  - Requesting fraudulent “permitting fees” via irreversible peer-to-peer (P2P) apps, cryptocurrency, and wire transfers.
- While this specific attack restricts itself to US targets with pending permits or zoning requests, it’s an excellent example of how attackers use publicly available information to create uniquely custom phishing lures at scale.
- Employees can avoid falling for this and similar phishing attacks by:
  - Treating any unsolicited permit-related payment request as suspicious, and verifying it through previously known-good communication channels before paying any new or changed fees; and
  - Following internal payment policies, particularly for change requests and any unorthodox payment instructions (P2P, cryptocurrency, unexpected wire transfer instructions, etc.).
- Check out “One ish, two ish: How to prevent modern phishing” for more about malvertising lures and other social engineering attacks.
FBI: Attackers pretend to be county or city officials for invoice scam
The FBI’s Internet Crime Complaint Center (IC3) released a new public service announcement in March 2026, warning of a new phishing campaign targeting individuals and businesses currently working with their local governments for permitting or zoning concerns.
Attackers are scraping public government databases for possible targets and relevant permitting information—including property addresses and case numbers—to make their unsolicited email phish more convincing.
They even use the real names of local city and council officials involved in the process!
Then, attackers attach a PDF “invoice” itemizing new alleged fees and payment instructions using difficult-to-recover methods, including:
- Cryptocurrency
- Peer-to-peer (P2P) payment applications, like CashApp or Venmo
- Wire transfer to accounts not used in previous transactions
While the PDF and the phishing email themselves are technically benign, the attack targets the human victim, weaponizing multiple social engineering tactics to convince an employee to move outside the normal security controls.
Social engineering tactics weaponized by the permit lure
For this campaign, attackers made interesting use of publicly available information during their “reconnaissance” phase.
For example, instead of sending a mass phishing email to a pre-bought list of potential victims off the dark web—hoping that at least some of the victims use the spoofed service or software—thorough threat actors will research online information provided on public directories, social media, or forums.
Based on this research, they’ll create a list of victims that they know all share the exploitable situation—for this campaign, the currently pending permitting projects—and include enough information in the lure to make it seem believable at first glance.
To make this permitting lure even more actionable for victims, attackers:
- Pretended to be (“masqueraded” as) the local officials involved in the relevant permitting processes;
- Sent the phish from plausible email accounts, with usernames following known-good email formats and sent from related domains (e.g., “usa[.]com”) instead of the correct government accounts that typically end in “[.]gov”; and
- Leveraged urgency—specifically threatening “delays or other obstacles in the permitting process” if victims didn’t immediately comply with the fraudulent request.
Employees most at-risk of falling for similar spearphishing campaigns
The types of employees most at risk of falling for this specific attack (and ones like it) include:
- Individuals or teams actively applying for/renewing planning or zoning permits who may expect fee communications;
- Money handlers with a previous history of paying invoices without checking them for accuracy OR using irreversible payment methods outside of normal organizational policies; and
- Staff under time pressure to keep facilities projects moving, such as project coordinators, permit runners, or AP clerks.
How employees can avoid falling for the permit invoice fraud scheme
- Treat any unsolicited emailed request for payment as suspicious—even if it includes correct permit and application data, or otherwise threatens immediate blockers to ongoing projects.
- Use official government portals and previously bookmarked sites for payments.
  - If a payment request deviates from official documentation or uses a different portal, then it’s potentially fraudulent!
- Verify any unexpected payment or fee requests with the local agency, using a previous email address or official phone number on the agency website.
  - Do not reply to or engage with any materials in the suspicious email!
- Refuse to pay uncorroborated invoices via nonrefundable routes—including new wire transfers, P2P apps, or cryptocurrency—while enforcing a two-person approval policy for government-fee payments.
- Immediately report possible fraudulent invoice requests to the internal security team and the IC3 reporting center.
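A mail-triage heuristic that turns the lure characteristics described above (non-.gov sender impersonating an official, irreversible payment rails, urgency language, PDF “invoice”) and the checklist’s nonrefundable-route rule into a hold-for-verification score. This is an added example, not code from the FBI PSA or Fable Security; the agency domain, the scoring threshold, and both sample messages are constructed.

```python
"""Heuristic triage for permit-fee invoice phishing (constructed example)."""
import re
from dataclasses import dataclass, field

# Constructed: official sender domains the organization has previously corresponded with.
KNOWN_AGENCY_DOMAINS = {"planning.examplecounty.gov"}

# Indicators taken from the campaign description: payment rails, pressure language, permit context.
PAYMENT_TERMS = re.compile(r"\b(crypto\w*|bitcoin|cash\s*app|venmo|zelle|wire transfer)\b", re.I)
URGENCY_TERMS = re.compile(r"\b(immediately|delays?|obstacles?|within 24 hours)\b", re.I)
PERMIT_TERMS = re.compile(r"\b(permit\w*|zoning)\b", re.I)
HOLD_THRESHOLD = 3  # constructed: at or above this, AP holds payment and verifies out of band


@dataclass
class Email:
    sender: str  # full address, e.g. "name@domain"
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def sender_domain(addr: str) -> str:
    """Return the lowercased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


def triage(msg: Email) -> tuple:
    """Score one message; returns (score, reasons)."""
    reasons = []
    domain = sender_domain(msg.sender)
    text = f"{msg.subject}\n{msg.body}"
    if PERMIT_TERMS.search(text) and domain not in KNOWN_AGENCY_DOMAINS:
        reasons.append(f"permit-related mail from unknown domain {domain}")
        if not domain.endswith(".gov"):
            reasons.append("sender domain is not .gov")
    if PAYMENT_TERMS.search(text):
        reasons.append("mentions irreversible payment rail (P2P/crypto/wire)")
    if URGENCY_TERMS.search(text):
        reasons.append("urgency or threat language")
    if "invoice" in text.lower() and any(a.lower().endswith(".pdf") for a in msg.attachments):
        reasons.append("PDF invoice attached")
    return len(reasons), reasons


def should_hold(msg: Email) -> bool:
    """True when the payment request must be verified through a known-good channel first."""
    return triage(msg)[0] >= HOLD_THRESHOLD


# Constructed samples: a lure in the style of the campaign, and a benign agency notice.
PHISH = Email("j.rivera@usa.com", "Outstanding fee - Permit case 2026-0417",
              "A $450 review fee is now due on your permit. Pay via Cash App or cryptocurrency "
              "immediately to avoid delays or other obstacles in the permitting process. "
              "See attached invoice.", ["invoice_2026-0417.pdf"])
LEGIT = Email("permits@planning.examplecounty.gov", "Permit case 2026-0417 received",
              "Your zoning application has been logged. No fee is due at this stage.")
```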
To learn more about invoice fraud social engineering attacks, check out Fable Security’s free ebook, “One ish, two ish: How to prevent modern phishing”—no email required!