Fraudsters are using public planning records to target permit applicants

If you're in the middle of applying for a planning or zoning permit, there is some unwelcome news: cyber-criminals have found a way to exploit the bureaucratic tedium of the process against you. A warning from the FBI's Internet Crime Complaint Center (IC3) has alerted the public about an emerging phishing scheme in which fraudsters impersonate city and county planning staff to demand fees from people with active permit applications. According to the IC3, victims across the United States have been targeted by fraudsters using the method. Rather than blasting out generic emails in the hope that they end up in a likely victim's inbox, the fraudsters are discovering in advance who has submitted a permit application (a matter of public record), what their property address is, their case number, and even the names of the officials handling their application. Armed with this information, the scammers send emails timed perfectly to coincide with when the applicant is likely to be genuinely in correspondence with their local authority. The carefully crafted emails appear professional, use the city letterhead and official seals, and discuss details such as planning commission review processes and relevant local ordinances. In other words, they read exactly like the real thing. The targeted victims are then instructed to pay fees via wire transfer, peer-to-peer payment platforms, or cryptocurrency — methods that are deliberately chosen because of the difficulty of reversing the transaction after the payment has been made. Notably, IC3's warns that the fraudulent invoices actively direct their intended victims away from picking up the phone, instructing applicants to request payment instructions via email instead, claiming that this ensures "a reliable audit trail." Many unsuspecting members of the public may find that explanation perfectly reasonable, but - of course - the real reason is that one phone call to the legitimate planning office would immediately expose the fraud. As is so often the case, victims are encouraged to pay promptly, being told that failure to make a timely payment could delay the permit application. The FBI's IC3 offers some simple advice: Do not assume an email is legitimate just because it features the right logos, letterhead, and official names. All of that information is publicly available and easily copied by a scammer. Check the full email address and confirm it matches the official you have actually been corresponding with. If you receive an unexpected invoice, go directly to your city or county's official website and call the phone number listed there — do not trust that the number provided in the email is legitimate. If you believe you have been targeted, you are encouraged to report what you have experienced to the FBI. Never forget, if you ever receive an unexpected payment request via email or text message, always verify through official channels before handing over a penny. Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra. Break the Attack Chain with Fortra® Advanced offensive and defensive security solutions. Complete attack chain coverage. Shared threat intel and analytics. Add Fortra® to your arsenal. WHY FORTRA Graham Cluley Cybercrime Researcher and Blogger View Profile RELATED CONTENT PRESS RELEASE 81% of Security Professionals Identify Phishing as the Top Threat in 2024 PRESS RELEASE ConsumerAffairs: Phishing Attempts are Growing Like Wildfire and Becoming Harder to Detect BLOG 5 Common Phishing Lures and How to Spot Them BLOG CISA, FBI Breakdown Most Exploited Vulnerabilities