TL;DR The Marin County permit phishing scam is a reminder that cybercriminals often use publicly available information to make fraudulent emails appear legitimate. Businesses involved in construction, permitting, and development projects should verify payment requests and understand how public records can be used in targeted scams.
Marin County recently warned permit applicants about a phishing campaign targeting individuals and businesses involved in planning and building projects.
According to the Community Development Agency, applicants received fraudulent emails appearing to come from Community Development Director Sarah Jones. The emails claimed recipients owed administrative fees and included fake invoices requesting payment.
While the scam itself is concerning, the bigger lesson for businesses is how attackers likely identified their targets in the first place.
The Marin County permit phishing scam demonstrates how public information can be used to build highly convincing attacks.
What Happened in Marin County?
The Marin County Community Development Agency alerted applicants that scammers were sending emails impersonating County officials.
The fraudulent messages claimed permit applicants owed additional fees and included invoices designed to appear legitimate.
The County emphasized that payment requests are only issued through approved channels such as:
- ProjectDox notifications
- County website application prompts
- Permit Fee Payment forms
- Personal check payment processes
The County specifically warned that it will never request payment through wire transfers, Zelle, Venmo, PayPal, or similar payment applications.
The fact that applicants contacted the County before sending money likely prevented financial losses.
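The County's payment rules can be turned into a simple mail-triage check for an accounting inbox. This is an added example, not code from the County or from PCC; the trusted domain `county.example`, the two sample messages and the `triage` function are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Payment methods the County says it never uses (taken from the advisory above).
NEVER_USED = re.compile(r"\b(wire transfers?|zelle|venmo|paypal)\b", re.I)
# Assumption: placeholder domain; replace with the agency's domain from a trusted source.
TRUSTED_DOMAINS = {"county.example"}
# Official named in the advisory as being impersonated.
IMPERSONATED_NAMES = ("sarah jones",)

# Constructed sample messages (not real emails from the campaign).
SAMPLE_PHISH = """\
From: "Sarah Jones" <billing@permits-invoice.example>
Reply-To: accounts@payfast.example
Subject: Outstanding administrative fee

Your permit has an unpaid administrative fee. Pay today by Zelle or wire transfer.
"""
SAMPLE_OK = """\
From: ProjectDox Notifications <noreply@county.example>
Subject: Fee due for your application

A fee is due. Sign in to ProjectDox to open the Permit Fee Payment form.
"""


def triage(raw_message: str) -> list[str]:
    """Return reasons to hold a message for out-of-band verification."""
    msg = message_from_string(raw_message)
    reasons = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # A trusted From domain is not proof of origin; this check only raises flags.
    if domain not in TRUSTED_DOMAINS and any(n in display.lower() for n in IMPERSONATED_NAMES):
        reasons.append("official's name used with an untrusted sender domain")
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and reply_addr.rpartition("@")[2].lower() != domain:
        reasons.append("Reply-To domain differs from From domain")
    text = msg.get("Subject", "") + " " + " ".join(
        part.get_payload(decode=True).decode(errors="replace")
        for part in msg.walk()
        if part.get_content_type() == "text/plain"
    )
    found = sorted({m.lower() for m in NEVER_USED.findall(text)})
    if found:
        reasons.append("payment method the County never uses: " + ", ".join(found))
    return reasons
```

An empty result does not clear a message; any payment request should still be confirmed through a known phone number or the County's own payment channels.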
Why Permit Applicants Are Attractive Targets
Construction projects create ideal conditions for payment fraud.
Most projects involve:
- Multiple vendors
- Architects and engineers
- Property owners
- Contractors and subcontractors
- Frequent invoices
- Tight project deadlines
When people are already expecting permit fees and project-related payments, a fraudulent invoice can appear routine.
This is one reason construction companies remain frequent targets for business email compromise and vendor impersonation attacks.
Read more in Why Bay Area Construction Companies Are Losing Money to Invoice & Permit Fraud.
How Criminals Use Public Records
The most interesting aspect of the Marin County permit phishing scam is not the fake invoice itself.
It is how attackers may have identified permit applicants.
Many public agencies publish information related to:
- Building permits
- Planning applications
- Public meeting agendas
- Property ownership records
- Contractor information
- Project details
This information serves an important public purpose. It promotes transparency and accountability.
Unfortunately, it can also provide cybercriminals with valuable intelligence.
What Is OSINT?
OSINT stands for Open Source Intelligence.
In cybersecurity, OSINT refers to information gathered from publicly available sources.
Attackers commonly use:
- Government websites
- Public records databases
- Company websites
- Social media platforms
- Professional networking sites
- News articles
They use this information to create targeted phishing campaigns that appear more believable than generic spam messages.
Why These Attacks Work
Most people know how to identify an obviously suspicious email.
Targeted attacks are different.
A permit applicant who recently submitted plans to a government agency may not be surprised to receive:
- An invoice
- A permit update
- A payment request
- A request for additional documentation
The context already exists.
The attacker simply inserts themselves into a process the victim is expecting.
That is what makes these scams so effective.
Did You Know?
According to Verizon’s 2025 Data Breach Investigations Report, human involvement continues to play a role in the majority of security incidents, including phishing and credential-based attacks. Source: Verizon DBIR.
How Businesses Can Protect Themselves
The goal is not to avoid public records. That is rarely practical.
Instead, businesses should establish verification procedures.
Verify Unexpected Payment Requests
If payment instructions change unexpectedly, verify them using a known phone number or trusted contact.
Never rely solely on information contained within the email itself.
Train Accounting and Administrative Staff
Accounting teams are often the final line of defense.
Employees should know how to recognize:
- Vendor impersonation
- Payment diversion attempts
- Fake invoices
- Urgent payment requests
Use Multifactor Authentication
Even when scams involve invoices, attackers often seek access to email accounts first.
MFA can significantly reduce the likelihood of account compromise.
Review Publicly Available Information
Businesses should periodically review what information about projects, contacts, and employees is publicly available online.
While transparency is important, excessive exposure can increase risk.
What This Means for Bay Area Businesses
The Marin County permit phishing scam is part of a larger trend.
Cybercriminals are increasingly moving away from generic mass-email campaigns and toward highly targeted attacks based on real-world information.
Construction companies, property managers, architects, engineering firms, law firms, and local businesses involved in development projects should assume that publicly available information may eventually be used against them.
The best defense is a combination of employee awareness, verification procedures, and strong cybersecurity controls.
Read more in Alameda Fake City Invoice Scam Shows How Payment Fraud Is Targeting Local Businesses.
Frequently Asked Questions
What is the Marin County permit phishing scam?
The Marin County permit phishing scam involved fraudulent emails impersonating County officials and requesting payment of fake permit-related fees.
What is OSINT?
OSINT, or Open Source Intelligence, refers to information collected from publicly available sources such as websites, public records, social media, and government databases.
Why are construction companies targeted by phishing attacks?
Construction companies frequently process invoices, payments, permits, and vendor communications, making fraudulent requests appear more legitimate.
How can businesses verify payment requests?
Organizations should confirm payment requests through trusted phone numbers, known contacts, or established payment procedures before sending funds.
Can public records increase cybersecurity risk?
Yes. While public records serve an important purpose, attackers can use them to identify potential victims and create highly targeted phishing campaigns.
About Professional Computer Concepts
Professional Computer Concepts (PCC) is a trusted Managed IT and Cybersecurity provider serving the Bay Area for over 20 years. We help small and midsize businesses simplify their IT, strengthen security, and modernize operations.
From PCC’s Desk
Most phishing attacks are not random. They are researched, planned, and tailored to the victim. The Marin County permit phishing scam shows how easily public information can be turned into a convincing attack. Businesses that establish verification procedures and maintain strong cybersecurity practices are far less likely to become the next victim.
