Skip to main content

New scam targets businesses with fake EPA violation notice

How to spot these new phishing scams and what to do about them

At least one business in Minnesota has reported a new phishing scam that claims to be from the U.S. Environmental Protection Agency demanding thousands of dollars to settle an environmental penalty.

According to the EPA’s Office of Inspector General, the scam is becoming increasingly common and arises when businesses receive the fake letters notifying them of a serious violation either through the U.S. mail or via email. The tone of the letters is urgent, demanding payment within five working days.

While the letters include an EPA logo and go so far as to cite specific federal regulations and a case number, the letters are also rife with spelling and grammatical errors, and they demand that the businesses respond via an email address — invoice@epa.services — that is not associated with the EPA.  

According to Cory Boeck, the MPCA’s land and air compliance section manager, nothing similar has yet appeared with the MPCA’s name and logo on it, but he anticipates that future scams may impersonate the state agency.  

Boeck notes that any legitimate notices of violation from the MPCA will not assess penalties at the same time and that they won’t come out of the blue. “A regulated party would have previous contact with us before receiving a notice of violation,” he said.

Guard against phishing scams

Phishing scams are sophisticated attacks that build a sense of trust between the scammer and the recipient and that rely on the recipient’s carelessness in verifying who they’re talking to. They can be difficult to spot at first glance but typically feature:

  • Typos or grammatical errors
  • Urgent requests for money or personal information
  • Directions to open a link or attachment

In almost all instances, phishing attacks include spoof email addresses or links designed to look like actual email addresses or links.

To guard against phishing scams, cybersecurity experts recommend:

  • Taking the time to verify the domain name of the email address in a suspicious email or letter. EPA email addresses, for instance, end in @epa.gov while email addresses for the MPCA and other state agencies end in @state.mn.us.
  • Checking the URL before clicking on links. Links in emails and on websites are easily spoofed, but their URLs can usually be revealed by hovering the cursor over the link.
  • Contacting the supposed sender directly via the contact information listed on their website (and not via the contact information in the suspicious letter) if any doubts remain about the authenticity of an email or letter.
  • Never sending payments to unverified sources, no matter how urgent the letter or email makes it seem.

The EPA’s Office of Inspector General has issued a fraud alert for the notice of violation scam and urges any business or individual who receives suspicious letters to contact the EPA’s enforcement office to verify the letter’s authenticity. Victims of fraud should contact the Office of Inspector General at 888-546-8740 or OIG.Hotline@epa.gov

Share this