Fraudsters Exploit Public Planning Records to Phish Permit Applicants
What Happened — Criminal groups are harvesting publicly available planning and zoning records to craft highly targeted phishing emails aimed at individuals and businesses applying for permits. The messages reference specific project details, making the lure appear legitimate and prompting victims to disclose personal or payment information.
Why It Matters for TPRM —
- Vendors that assist with permit applications (consultants, architects, land‑use attorneys) become indirect attack vectors.
- Compromise of applicant data can cause financial loss, reputational harm, and regulatory scrutiny for both the applicant and the permitting authority.
- The abuse of open‑government data expands the attack surface, highlighting the need for broader supply‑chain vigilance.
Who Is Affected — Government planning departments, professional services firms (consulting, architecture, engineering), and any organization that processes or submits permit applications.
Recommended Actions —
- Review contracts with third‑party vendors that handle permit filings for phishing‑resilience controls.
- Deploy robust email authentication (DMARC, SPF, DKIM) and conduct targeted security awareness training on record‑based social engineering.
- Perform a data‑flow audit to identify where public record data is combined with PII and apply encryption or tokenization where appropriate.
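One way to run the email-authentication part of such a vendor review, as an added example that is not from the original article: it grades SPF and DMARC TXT records that have already been retrieved for each vendor domain. The vendor domains and records are constructed, and DKIM is left out because checking it requires knowing the sender's selector.

```python
def assess_spf(apex_txt):
    """Findings for the TXT records published at the domain itself."""
    spf = [r.lower().split() for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["SPF: expected exactly one record, found %d" % len(spf)]
    terms = spf[0][1:]
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        return ["SPF: no 'all' mechanism; check any redirect= target"]
    if all_term.startswith("-"):
        return []
    if all_term.startswith("~"):
        return ["SPF: ~all only soft-fails unlisted senders"]
    return ["SPF: %s does not fail unlisted senders" % all_term]

def assess_dmarc(dmarc_txt):
    """Findings for the TXT records published at _dmarc.<domain>."""
    recs = [r for r in dmarc_txt if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return ["DMARC: expected exactly one record, found %d" % len(recs)]
    pairs = (p.split("=", 1) for p in recs[0].split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip().lower() for k, v in pairs}
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append("DMARC: p=%s does not enforce" % tags.get("p", "missing"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append("DMARC: pct=%s covers only part of the mail" % pct)
    return findings

# Constructed sample data: hypothetical vendor domains and TXT records.
VENDORS = {
    "planning-consultant.example": (
        ["v=spf1 include:_spf.mailhost.example ~all"],
        ["v=DMARC1; p=none; rua=mailto:dmarc@planning-consultant.example"]),
    "landuse-law.example": (
        ["v=spf1 ip4:192.0.2.10 -all"], ["v=DMARC1; p=reject; pct=100"]),
    "architect.example": ([], []),
}

def review_vendors(vendors):
    """Map each vendor domain to its combined SPF and DMARC findings."""
    return {d: assess_spf(a) + assess_dmarc(m) for d, (a, m) in vendors.items()}

if __name__ == "__main__":
    for domain, findings in review_vendors(VENDORS).items():
        print(domain, "->", findings or "SPF and DMARC enforce")
```

An empty findings list means the domain publishes a hard-fail SPF record and an enforcing DMARC policy; anything else is a point to raise in the contract review.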
Technical Notes — Attack vector: phishing using harvested public planning records. No CVE is involved. Exfiltrated data may include names, addresses, project identifiers, and payment details. Source: Graham Cluley – Fortra Blog