The FBI sounded the alarm. Issuers still can't see it
On March 9, 2026, the FBI's Internet Crime Complaint Center issued a public alert about criminals impersonating city and county officials to collect fraudulent planning and zoning permit fees. The criminals pull publicly available permit records, email property owners who have active applications, and demand payment by wire transfer, peer-to-peer transfer, or cryptocurrency.
Government impersonation schemes like this one were among the fastest-growing categories in the FBI's 2025 Internet Crime Report, with reported losses nearly doubling year over year to roughly $798 million. While the alert raises public awareness, it does little to help issuers screen customers payments against the heightened risk these impersonation scams create.
Why an authorized payment defeats your controls
In this scheme the customer is real, the login is legitimate, and the wire is one the customer chooses to send. Behavioral analysis models are generally built to flag account takeover and out-of-pattern activity, so customer-authorized payments tend to score as low risk and the money moves.
These fraud signals don’t live in the sender's behavior. They live in the destination: the beneficiary (or mule) account that the scammer will use to cash out the stolen funds. That makes this mule account the one signal that often separates a legitimate payment from a scam payment.
Here is how the scheme runs, according to the FBI alert and CYBERA's research:
- Target selection: the actors identify property owners with active planning or zoning applications using public records
- Impersonation: they email those owners while posing as the municipal planning department, citing real permit and property details to establish credibility with the target
- The invoice: they send an official-looking invoice for an approval or processing fee
- The pressure: they demand a wire on a short deadline and warn that the application will fail if it is missed
- The confirmation: they ask for the wire receipt to confirm the payment landed
What direct engagement reveals that scoring cannot
CYBERA's research on one active ring, which it has monitored since September 2025 under the internal name Diligent Planner, shows what that destination signal looks like in practice. Rather than estimating risk, CYBERA's analysts engage the scam operations directly and collect the exact accounts the criminals ask victims to wire money to.
Across this single operation, that approach produced 53 verified mule accounts spanning 23 separate email campaigns, with roughly 55 percent of the accounts concentrated in just two beneficiary banks. These are confirmed accounts pulled from the criminals themselves, not probabilistic matches, which can be the difference between an account you can act on and a score you have to second-guess.

Source: RecordedFuture
Source Link: https://www.recordedfuture.com/blog/fbi-fake-permit-fees