FBI Reveals Shocking New Cyberattack Targeting American Local Governments

The email looked perfectly legitimate: an urgent request for payment from the county clerk’s office, complete with official seals and a familiar municipal email signature. For a small business owner processing a stack of invoices, clicking the link seemed like just another administrative task. That single click, however, opened a digital backdoor, draining credentials and funds. This scenario is now playing out across the country, according to a new alert from the Federal Bureau of Investigation. The agency warns that a sophisticated phishing campaign is specifically impersonating officials from U.S. cities and counties, targeting businesses and individuals who regularly interact with local government.

Internal documents show the FBI’s Internet Crime Complaint Center (IC3) issued a formal warning on March 9, 2026, detailing the ongoing threat. The campaign, first reported by cybersecurity news outlet BleepingComputer (@BleepinComputer), involves meticulously crafted emails that appear to come from legitimate municipal domains, often referencing overdue payments, permit applications, or jury duty summonses. The goal is to steal login credentials or deploy ransomware by tricking recipients into clicking malicious links or opening infected attachments. The attackers are leveraging a fundamental trust in local institutions, a layer of government most people engage with directly and frequently.

For tech insiders, the targeting is a grimly logical escalation. After years of focusing on corporate impersonation and generic tax scams, threat actors have identified a soft target: the often-underfunded and complex digital ecosystem of local government, and the public’s inherent trust in it. A vendor expecting a payment from the city’s water department is far less likely to scrutinize an invoice. The impact is twofold: businesses face direct financial theft and potential data breaches, while municipal IT departments, many already stretched thin, must now combat the reputational damage and assist victims who believe they were communicating with a real department.

The rollout of this warning has been anything but smooth, as local governments scramble to disseminate the alert through their own often-outdated communication channels. What happens next involves a race against time. The FBI is urging organizations to implement stringent email filtering and multi-factor authentication, while advising the public to verify any payment request directly via a known, official phone number—not one provided in a suspicious email. The major uncertainty lies in the campaign’s longevity and adaptability. As municipalities patch their defenses and public awareness grows, the attackers are likely to refine their templates and shift targets, continuing a costly game of digital whack-a-mole that exploits the essential, everyday connections between citizens and their local government.

Source: https://x.com/BleepinComputer/status/2031030012493680896