FBI Warns Of National Scam Impacting Marin County

Criminals use public permit information to trick residents into sending fraudulent payments to fake government accounts.

MARIN COUNTY, CA — The FBI is warning the public about an emerging nationwide phishing scam that has reached Marin County, where criminals are impersonating city and county officials to solicit fraudulent payments for local government planning and zoning applications and permits.

This national permitting scam has now landed in Marin County, with residents in neighboring cities — including Mill Valley, Larkspur, Sausalito, Tiburon and Novato — reportedly affected, according to city officials.

The scam targets individuals and businesses that have recently applied for building permits or planning applications. Scammers use the town’s public information portals, which contain property addresses involved in the permitting process, to obtain email addresses. They then email fake invoices instructing victims to wire money for fees purportedly due for application processing.

According to the FBI, criminals leverage publicly available permit information to identify potential victims and increase the legitimacy of the scam. Victims receive unsolicited emails citing their accurate permit information, zoning application numbers, and/or property addresses. They are instructed to pay invoices via wire transfer, peer-to-peer payment, or cryptocurrency, officials said.

While the scammers are becoming more savvy — sometimes using professional language, formatting, and imagery consistent with legitimate government communications — there are common red flags:

  • Non-Governmental Domains: Emails use usernames similar to official departments but originate from non-governmental domains, such as "@usa.com."
  • Payment Instructions: Attached PDF invoices direct applicants to request payment instructions via email rather than by telephone, a tactic designed to deter the victim from calling the office to verify.
  • Urgency: Emails emphasize urgency, threatening delays or other obstacles if payment is not immediately rendered.
  • Other Tells: Botched graphics, fake email addresses, and bizarre payment requests are frequent giveaways.

"It's no coincidence that an uptick in this sort of thing, and phishing in general, coincides with an uptick in the adoption of generative AI," said Joseph Avanzato, a security operations and forensics team leader for the Varonis cybersecurity firm, in a recent issue of Planning Magazine.

In response, San Anselmo has created a dedicated web page warning people about the phishing scam and now displays a series of pop-ups on its planning page warning of the potential dangers.

The FBI urges the public to take precautions:

  • Verify the Domain: Check that the email address, including the domain name, matches the official's email address and does not contain extraneous characters or misspellings.
  • Check Official Sites: Look at the city or county's official website for notices about ongoing impersonation schemes.
  • Call to Verify: Call the city or county government, using the phone number listed on the official website, to verify outstanding fees. Do not assume emails are legitimate based on letterhead, seals, or names of officials.

FBI data estimates that phishing scams cost victims at least $70 million in damages last year, though many incidents go unreported.

If you or someone you know has fallen victim, you can file a complaint at www.ic3.gov. Be sure to include the email address, date of the email, phone number (if provided), the date of any scheduled project hearing, the amount listed in the fraudulent invoice, the requested payment method and any bank account information provided.
