Phishing Scammers Impersonating City, County Officials, Demanding Payment: FBI
The FBI is warning that cybercriminals are posing as city and county officials in phishing emails that urge people who are doing business with local governments to pay fraudulent invoices related to fees for permits.
The agency’s notice, published this week, comes after alerts over the last few months by local governments around the country – from Homewood, Alabama, and Harrisonburg, Virginia, to Hutchinson, Kansas, Forest Lake, Minnesota, and Walnut Creek, California – warning residents in their communities about the scams.
Some of the warnings have come from the state level. Pennsylvania Attorney General Dave Sunday issued an alert on Feb. 19 about a text and email scam in which messages claiming to be from Philadelphia Municipal Court and other government agencies demand payment for unpaid parking tickets.
The American Planning Association (APA) also wrote about the attacks, noting that “this new form of phishing – using public planning data to compose counterfeit emails requesting money – has gone nationwide. In many cases, the phishing emails come within hours or days of public meetings or website postings.”
“Several planners say these emails are increasingly sophisticated, with seemingly official seals, references to municipal and state statutes, and phony signatures,” the APA wrote, noting that residents in larger cities like Las Vegas, Miami, and Houston also have been targeted. “However, there are tells – like odd payment requests, subpar graphic design, and fake email addresses. Several cities also have reported the use of the @usa.com domain.”
Bad Actors Targeting Land-Use Permits
According to the FBI, people and businesses that have active applications for land-use permits are getting emails appearing to come from city and county planning and zoning board officials requesting fees associated with the permits.
“Victims are instructed to pay invoices for fees related to their permits and directed to make payments via wire transfer, peer-to-peer payment, or cryptocurrency,” the agency wrote.
The information in the emails is detailed and accurate and includes such information as property addresses, case numbers, and the names of city and county officials. In addition, the emails use professional language and formatting and include images that are consistent with legitimate government communications for such applications, from review processes to planning commission procedures.
Looking Legitimate
The timing of the emails tends to coincide with other communications with local officials regarding the permitting process, and the messages include attached PDF invoices that look legitimate, with an itemized statement of supposed fees. They tell the victims to request payment instructions over email rather than telephone to ensure an audit trail of correspondence.
“This is designed to deter the victim from calling the city or county office to verify the fees,” the FBI wrote. “The emails emphasize urgency, threatening delays or other obstacles in the permitting process if the applicant does not immediately render payment.”
The phishing campaign has been going on for at least 10 months. Minneapolis Planning Director Meg McMahan told APA that residents in her city have been receiving the phishing message since May 2025, adding that “it just stuck out to us, because the amount of detail that they had was alarming.”
Planning boards and other local government officials and police departments have responded by issuing alerts.
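The tells reported by the FBI and the APA (the @usa.com sender domain, payment by wire transfer, peer-to-peer payment or cryptocurrency, the push to keep verification on email, urgency, and an attached PDF invoice) can be turned into a mail-triage check. The following is an added example, not code from the FBI, the APA or any agency named here; the function names, rule names and regex wording are assumptions, and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Only usa.com is named in the reporting; extend from your own reports.
SUSPECT_SENDER_DOMAINS = {"usa.com"}
# Assumed wording for the reported tells; tune against real samples.
BODY_RULES = {
    "unusual_payment_method": r"wire transfer|peer[- ]to[- ]peer|cryptocurrency",
    "email_only_verification": r"(by|via|over) e-?mail (rather than|instead of) (tele)?phone|audit trail",
    "urgency": r"immediately|delay",
}

def triage(raw_message: str) -> set[str]:
    """Return the names of the tells found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = set()
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in SUSPECT_SENDER_DOMAINS:
        findings.add("suspect_sender_domain")
    texts = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".pdf"):
            findings.add("pdf_invoice_attachment")
        elif part.get_content_type() == "text/plain" and not name:
            raw = part.get_payload(decode=True) or b""
            texts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    body = " ".join(" ".join(texts).split())  # collapse line wrapping
    for tell, pattern in BODY_RULES.items():
        if re.search(pattern, body, re.IGNORECASE):
            findings.add(tell)
    return findings

def build_sample(sender: str, body: str, pdf: bool = False) -> str:
    """Construct a sample message for the demo (not a captured email)."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, "Permit fee invoice"
    m.set_content(body)
    if pdf:
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                         subtype="pdf", filename="invoice.pdf")
    return m.as_string()

PHISH = build_sample("Planning Dept <planning.dept@usa.com>", (
    "Pay the attached permit invoice by wire transfer or cryptocurrency. Request payment "
    "instructions by email rather than telephone. Failure to pay immediately will delay your hearing."), pdf=True)
BENIGN = build_sample("planning@city.example", "Fees are paid at the permit counter or the city portal.")
```

A non-empty result is a reason to hold the message for review and confirm the fee with the planning office by telephone, not a verdict on its own.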
The Effect of AI
Generative AI has only made cyberthreats – including phishing scams – more effective.
Since OpenAI’s release of its ChatGPT AI chatbot in November 2022, cybersecurity vendors have warned that one of the ways the new technology has helped threat actors is by enabling them to easily create more seemingly legitimate phishing messages, free of the misspellings and unusual sentence structures that could tip off such scams in the pre-generative AI era.
Hoxhunt co-founder and CEO Pyry Åvist wrote last year that his firm had been testing AI agents that it created between 2023 and 2025 to see how they performed in comparison to Hoxhunt’s elite human red teams. In 2023, AI was 31% less effective than humans. That dropped to 10% the next year, but last year AI was 24% more effective.
“Threat actors have been developing black-hat generative AI tools as well, but in the shadows,” Åvist wrote. “AI-powered phishing-as-a-service kits exist, but they are not yet as widely adopted or as effective for mass campaigns as perhaps believed. This public finding could be considered an inflection point for the threat landscape. AI’s superiority in social engineering will transform cybersecurity risks, attacks, and defenses.”
Phishing on the Rise
He cited SlashNext statistics that found that the total phishing volume since ChatGPT’s introduction had risen by 4,151%. Hoxhunt saw a 49% increase in phishing attacks that bypassed email filters during that time.
The National Consumers League this year reported that in 2025, the number of phishing and spoofing scams jumped year-over-year by more than 85%, with a median loss of $2,060.

