A widely used U.S. government email notification system, GovDelivery, was recently exploited to distribute fraudulent emails to residents, according to reports confirmed by the state of Indiana. Official communications from Indiana authorities on Tuesday disclosed that misleading messages, falsely suggesting recipients had unpaid toll dues, were circulated from a seemingly legitimate government email address.
The Indiana Office of Technology indicated that these unauthorized communications originated from a hacked contractor account. While the state currently has no evidence indicating a compromise of its own internal systems, officials have not entirely dismissed the possibility of an earlier security breach.
The problematic emails were sent from an official Indiana state email used by its Emergency Operations Center, a governmental department normally responsible for disseminating urgent public notices during natural disasters and other emergencies.
Recipients who received these fraudulent messages were misled to believe they owed unpaid toll charges incurred in Texas, with the emails further suggesting potential penalties or holds on vehicle registrations for non-payment. The deceptive messages included links appearing to point to the legitimate GovDelivery platform, but in reality, these redirected individuals to fraudulent websites mimicking the Texas Department of Transportation’s tolling service, TxTag.
On these impostor websites, victims were prompted to disclose sensitive personal and financial details including names, phone numbers, home addresses, and credit card information. As of Tuesday morning, these malicious websites have reportedly been taken offline.
The compromised account linked to these fraudulent messages was traced back to Granicus, a prominent contractor known for providing technological services to governmental entities. The Indiana state contract with Granicus had concluded in December 2024, but the state authorities claim the contractor failed to terminate the state’s account promptly.
Granicus spokesperson Sharon Rushen confirmed that the deceptive emails had originated from their GovDelivery service via a compromised user account, emphasizing that Granicus’s own systems remained secure and were not directly breached. Although the company possesses the capability to determine exactly how many recipients received these malicious emails, it has yet to release details regarding the scope of the incident publicly.
This incident is part of a broader trend of fraudulent toll-related messages, which the U.S. Federal Trade Commission has repeatedly warned about in recent months. Cybercriminals increasingly target official public communication channels like GovDelivery, hoping users will be more likely to open and trust email notifications that appear to originate from government sources.
Indiana authorities confirmed they are actively cooperating with Granicus and other relevant entities to halt further dissemination of these malicious emails and prevent similar occurrences in the future.
