GovDelivery Hack: Government Email System Used for Scams – Ankor Tech

Cybercriminals are exploiting GovDelivery, an email notification platform widely used by U.S. federal, state and local agencies, to distribute toll-payment scams. The attackers did not need to break into the platform itself: they used compromised credentials for agency GovDelivery accounts, which let them send fraudulent messages through the platform's own infrastructure, from official government sender addresses, to residents who had subscribed to agency updates.

Indiana State Agencies Targeted in Toll Scam

The state of Indiana officially confirmed that fraudulent emails about "unpaid tolls" have been circulating under the guise of state agency communications. The messages carry links that send recipients to phishing sites. The Indiana Office of Technology is coordinating with Granicus, the company that operates GovDelivery, to halt the unauthorized communications.

State officials disclosed that a contractor's account was compromised, which is how the attackers gained access. While Indiana maintains that core state systems remain secure, the state has not ruled out earlier, undetected intrusions. Notably, the state said its contract with Granicus ended in December 2024, yet the company allegedly failed to decommission the state's account, leaving a dormant but still-privileged sending account in place for the attackers to use.

Granicus Responds to System-Wide Compromise

Granicus spokesperson Sharon Rushen acknowledged that the malicious activity originated from an Indiana government account but said the company's internal infrastructure was not directly breached. "We are aware of the recent malicious emails sent via GovDelivery," Rushen stated. Although Granicus, as the sending platform, has the technical means to quantify the number of recipients, it has not released specific figures.

The company further admitted to an “uptick in targeted social engineering” against its customers, aimed at leveraging the trust associated with government-backed email systems to facilitate phishing campaigns.

The Anatomy of a Toll Phishing Attack

The Federal Trade Commission has previously warned of the rising prevalence of toll-related scams. By utilizing official government communication channels, attackers increase the likelihood that victims will trust and interact with the malicious content.

Evidence reviewed shows that one scam email originated from an Indiana Emergency Operations Center account. It falsely claimed the recipient owed tolls in Texas, threatening penalties or a hold on the recipient's vehicle registration. The included link, which appeared to be a legitimate govdelivery.com address, redirected users to a malicious site mimicking the Texas Department of Transportation's TxTag service. The fraudulent site harvested personal data, including names, home addresses, and credit card details. Because the message was sent through GovDelivery itself and its link sat on the platform's domain, the usual advice to check the sender's domain and hover over the link would not have exposed it; only the destination reached after the redirect revealed the fraud.
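The pattern just described, a trusted platform sender plus a platform-domain link that lands somewhere else, can be checked mechanically. The following is an added example written for this article, not code from the article, Granicus or any agency. It assumes the message already passed SPF/DKIM (as mail really sent via the platform would), that redirect chains were resolved separately (for instance in a sandbox) and are supplied as a map, and that the platform domain list, sender address, tracking path and landing domains are all constructed placeholders.

```python
"""Triage a notification email for the 'trusted platform, hostile landing page' pattern.

Added example; not the article's or any vendor's code. The platform domain
list, the sample message, the tracking URL and the resolved landing pages are
all constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the bulk-mail platform sends from. Mail from here passes SPF/DKIM
# because the platform really sent it, which is why a hijacked customer
# account is dangerous. (Assumed list for this example.)
PLATFORM_DOMAINS = ("govdelivery.com",)

# Wording typical of the toll lure; matched case-insensitively as substrings.
LURE_TERMS = ("unpaid toll", "vehicle registration", "penalty")

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")


def hostname(url):
    """Lower-cased host component of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def in_domains(host, domains):
    """True if host equals one of domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw_message, resolved_links, allowed_landing_domains=(),
           platform_domains=PLATFORM_DOMAINS):
    """Return findings for one RFC 822 message given pre-resolved redirects.

    resolved_links maps each URL in the body to the final URL it lands on.
    Redirect following is assumed to happen elsewhere (a sandbox fetch); this
    function only reasons about the outcome, so it runs fully offline.
    """
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    body = msg.get_payload()  # sample is single-part text/plain

    escapes = []
    for url in sorted(set(URL_RE.findall(body))):
        final = resolved_links.get(url, url)
        final_host = hostname(final)
        # The signature of the attack: a link on the platform's own domain
        # (looks legitimate, survives a hover check) that lands on a domain
        # belonging neither to the platform nor to the agency.
        if (in_domains(hostname(url), platform_domains)
                and not in_domains(final_host, platform_domains)
                and not in_domains(final_host, allowed_landing_domains)):
            escapes.append((url, final))

    lower = body.lower()
    lure = [t for t in LURE_TERMS if t in lower]
    return {
        "sender_is_platform": in_domains(sender_domain, platform_domains),
        "lure_terms": lure,
        "platform_links_escaping": escapes,
        "suspicious": bool(lure) and bool(escapes),
    }


# Constructed sample message; addresses and token are placeholders, not real.
SAMPLE_EML = """From: Emergency Operations Center <alerts@public.govdelivery.com>
To: resident@example.net
Subject: Final notice: unpaid toll balance
Content-Type: text/plain; charset=utf-8

Our records show an unpaid toll on Texas roads. Pay now to avoid a
penalty or a hold on your vehicle registration:
https://links.govdelivery.com/track/constructed-token-1

Official agency site: https://agency.example/contact
"""

# Constructed redirect resolutions, as a sandbox fetch would have produced.
RESOLVED = {
    "https://links.govdelivery.com/track/constructed-token-1":
        "https://txtag-pay.example/verify",
    "https://agency.example/contact": "https://agency.example/contact",
}


if __name__ == "__main__":
    result = triage(SAMPLE_EML, RESOLVED, allowed_landing_domains=("agency.example",))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The check deliberately ignores the sender domain as a trust signal, since in this incident the sender was genuine; what it keys on is the platform-domain link landing on a domain the agency does not own, combined with lure wording. In production the `resolved_links` map would come from following each link in an isolated fetcher, never from the recipient's own browser.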

Broader Impact Across Local Governments

The issue extends beyond Indiana. Doña Ana County, New Mexico, recently confirmed that its news portal, managed by Granicus, was also compromised. Kent English, the county’s IT director, characterized the event as a “system-wide issue” impacting multiple government clients.

In the case of Doña Ana County, attackers used the govdelivery.com infrastructure to impersonate a professional services firm, sending emails that demanded immediate payment. As of Tuesday morning, several of the identified phishing domains appeared to have been taken offline.