Full Report
A government impersonation scam is targeting property owners with fake planning and zoning permit invoices, and authorized wire transfers are clearing behavioral controls. Here's how the scheme works and why beneficiary account intelligence is the signal that catches it.
Analysis Summary
# Incident Report: Campaign "Diligent Planner" - Government Impersonation Scam
## Executive Summary
A sophisticated social engineering campaign, identified as "Diligent Planner," is targeting property owners by impersonating municipal planning and zoning departments. Attackers leverage public records to send highly credible, fraudulent invoices for permit fees, successfully bypassing traditional behavioral fraud controls by tricking victims into authorizing wire transfers to US-based money mule accounts. The operation is global in scale, utilizing foreign operators and domestic financial infrastructure to exfiltrate hundreds of millions of dollars.
## Incident Details
- **Discovery Date:** September 2025 (Initial tracking by CYBERA)
- **Incident Date:** Ongoing; FBI alert issued March 9, 2026
- **Affected Organization:** Various Municipal Planning/Zoning Departments (Impersonated); Individual Property Owners (Victims)
- **Sector:** Government (Public Sector Impersonation) / Financial Services
- **Geography:** United States (Targets and Mule Accounts); Nigeria (Operator Origin)
## Timeline of Events
### Initial Access
- **Date/Time:** September 2025 – Present
- **Vector:** Phishing/Business Email Compromise (BEC) techniques.
- **Details:** Attackers use public permit records to identify property owners with active applications. They send emails from free webmail services with local-part addresses mimicking government entities (e.g., [CityName]@[webmail].com).
### Lateral Movement
- **Details:** Not applicable in a traditional network sense; movement occurs through "social lateral movement" where the attacker inserts themselves into an existing legitimate business process (the permit application) to influence the victim.
### Data Exfiltration/Impact
- **Details:** Financial theft via authorized wire transfers, P2P transfers, and cryptocurrency. Victims are pressured with short deadlines to prevent "application failure."
### Detection & Response
- **Discovery:** Identified by CYBERA through direct engagement with scam operations and subsequent mapping of the "Diligent Planner" ring.
- **Response Actions:** FBI IC3 issued a Public Service Announcement (PSA260309) on March 9, 2026. CYBERA/Recorded Future began cataloging verified beneficiary (mule) accounts for financial institution screening.
## Attack Methodology
- **Initial Access:** Reconnaissance of public government records and targeted phishing.
- **Persistence:** Not technical persistence on a host, but operational persistence via rotating "disposable sender identities" on free webmail domains.
- **Defense Evasion:** Use of US-based VPN exits and hosting to mask Nigerian origin; use of legitimate customer-authorized transfers to bypass behavioral "out-of-pattern" fraud checks.
- **Discovery:** Gathering specific property and permit details from publicly available zoning databases.
- **Lateral Movement:** Shifting from wire transfers to instant P2P rails and virtual-account structures to accelerate money movement.
- **Exfiltration:** Funds transferred to US-based "mule" accounts, often concentrated in specific beneficiary banks, before being moved further downstream.
- **Impact:** Financial loss and potential delays in legitimate government permitting processes.
## Impact Assessment
- **Financial:** Total government impersonation losses reported at ~$798 million in 2025; specific "Diligent Planner" ring linked to at least 53 verified mule accounts across 23 campaigns.
- **Data Breach:** Exposure of property owner contact info and permit status (via public records).
- **Operational:** Disruption of municipal zoning workflows and financial loss for property developers.
- **Reputational:** Eroded trust in municipal digital communications and electronic invoicing.
## Indicators of Compromise
- **Network Indicators:**
- Email headers linked to Nigerian ISPs.
- Usage of US-based VPN and hosting provider exits.
- **Behavioral Indicators:**
- High-pressure language regarding "permit expiration" or "application failure."
- Requests for wire transfer receipts/confirmation screenshots.
- Use of webmail services (Gmail, Outlook, etc.) for official government correspondence.
- **Mule Infrastructure:**
- 53 verified accounts across 23 campaigns.
- Heavy concentration (55%) in two specific beneficiary banks.
- Frequent use of virtual-account structures.
## Response Actions
- **Containment:** FBI public awareness alerts to property owners.
- **Eradication:** Identification and blacklisting of verified mule accounts by financial institutions.
- **Recovery:** Direct engagement with scammers by threat intelligence teams to map infrastructure and prevent future transfers.
## Lessons Learned
- **Behavioral Gaps:** Traditional fraud detection that focuses only on "sender behavior" is insufficient for authorized payment scams.
- **Public Record Risks:** Attackers are efficiently weaponizing open-source intelligence (OSINT) from government portals.
- **Beneficiary Signal:** The most reliable signal for stopping these scams is the intelligence on the *destination* (beneficiary) account, not the sender's login activity.
## Recommendations
- **Beneficiary Screening:** Implement real-time screening of outbound payments against verified money mule databases.
- **Process Verification:** Government agencies should implement out-of-band verification (e.g., phone calls or official portals) for all fee payments.
- **Email Security:** Use DMARC and advanced email filtering to flag government impersonation attempts originating from non-governmental domains.
- **Public Education:** Municipalities should warn applicants that they will never request payment via P2P apps or cryptocurrency.