The FBI Warned About Fake Permit Fees. The Harder Question Is Where the Money Goes.
The FBI sounded the alarm. Issuers still can't see it
On March 9, 2026, the FBI's Internet Crime Complaint Center issued a public alert about criminals impersonating city and county officials to collect fraudulent planning and zoning permit fees. The criminals pull publicly available permit records, email property owners who have active applications, and demand payment by wire transfer, peer-to-peer transfer, or cryptocurrency.
Government impersonation schemes like this one were among the fastest-growing categories in the FBI's 2025 Internet Crime Report, with reported losses nearly doubling year over year to roughly $798 million. While the alert raises public awareness, it does little to help issuers screen customers payments against the heightened risk these impersonation scams create.
Why an authorized payment defeats your controls
In this scheme the customer is real, the login is legitimate, and the wire is one the customer chooses to send. Behavioral analysis models are generally built to flag account takeover and out-of-pattern activity, so customer-authorized payments tend to score as low risk and the money moves.
These fraud signals don’t live in the sender's behavior. They live in the destination: the beneficiary (or mule) account that the scammer will use to cash out the stolen funds. That makes this mule account the one signal that often separates a legitimate payment from a scam payment.
Here is how the scheme runs, according to the FBI alert and CYBERA's research:
- Target selection: the actors identify property owners with active planning or zoning applications using public records
- Impersonation: they email those owners while posing as the municipal planning department, citing real permit and property details to establish credibility with the target
- The invoice: they send an official-looking invoice for an approval or processing fee
- The pressure: they demand a wire on a short deadline and warn that the application will fail if it is missed
- The confirmation: they ask for the wire receipt to confirm the payment landed
What direct engagement reveals that scoring cannot
CYBERA's research on one active ring, which it has monitored since September 2025 under the internal name Diligent Planner, shows what that destination signal looks like in practice. Rather than estimating risk, CYBERA's analysts engage the scam operations directly and collect the exact accounts the criminals ask victims to wire money to.
Across this single operation, that approach produced 53 verified mule accounts spanning 23 separate email campaigns, with roughly 55 percent of the accounts concentrated in just two beneficiary banks. These are confirmed accounts pulled from the criminals themselves, not probabilistic matches, which can be the difference between an account you can act on and a score you have to second-guess.
One operation, built to scale
The ring is not a series of unrelated scams. CYBERA mapped it into a single connected cluster of banks, accounts, emails, phone numbers, and impersonated government bodies, starting from one beneficiary bank and expanding outward until the structure of the operation became visible.
Three patterns make it repeatable:
- Disposable sender identities: the actors use a free webmail service that lets them bury a city, county, or state name in the local part of the address while the real domain stays fixed, which makes rotating sender identities cheap and fast
- Domestic accounts, foreign operators: the mule accounts are US-based so the money looks local, while email headers tie much of the activity to a Nigerian internet provider alongside US hosting and likely VPN exits
- Fast-moving rails: close to half of the accounts show virtual-account structures common to a specific payment-processing platform, which support rapid account creation, compartmentalized flows, and quick downstream movement of funds
CYBERA also observed the ring moving down-market toward smaller regional institutions, and shifting away from wires toward instant peer-to-peer rails, with card-based requests a likely next step. The activity began in 2025 and accelerated through 2026, matching the trend in the FBI's reporting.
Screen the destination with verified mule intelligence
This is the problem Recorded Future® Money Mule Intelligence is built to solve. Money Mule Intelligence is an add-on capability to Recorded Future that provides verified intelligence on the bank accounts actively being used to cash out scammed funds.
Because the accounts are confirmed through direct engagement rather than scored, fraud and compliance teams get the increased confidence to act and the evidence to document the decision. Teams screen outbound payments, new beneficiaries, and account change requests against the verified list before money leaves the institution.
Like Recorded Future’s Payment Fraud solution, these confirmed lists enable financial institutions to act on external signals that behavioral monitoring alone can miss. External threat intelligence has been critical for fraud prevention programs to move “left of boom”. The value of these signals only increases as scams continue to grow in terms of volume and sophistication.
Where the fraud lives, and how to act on it
Knowing your customers are being targeted by a specific scam campaign is a useful warning, but defending against this difficult-to-detect threat requires quality intelligence on the traceable infrastructure and methods scammers are consistently leveraging. See how Money Mule Intelligence fits into your payment and beneficiary screening workflows: request a demo.
CYBERA research by Claudio Staub and Dan Hoffman.
Related Resources
Explore expert insights, reports, and tools to strengthen your cybersecurity strategy.