Highlights
• The EPA has warned businesses to be on the lookout for an increasingly common Notice of Violation scam
• Recipients of suspect notices should contact the EPA's enforcement office to verify authenticity, and should not take any action outlined in the letter, including submitting payment, until they have done so
• Businesses can and should take proactive steps to protect themselves from this kind of business email compromise
The U.S. Environmental Protection Agency’s (EPA) Office of Inspector General (OIG) has issued a fraud alert stating that businesses have been receiving falsified Notice of Violation letters through the mail or via email demanding payment for alleged environmental violations. The EPA reiterated the warning on its enforcement webpage.
According to the OIG, “The letters allege that the target business violated an environmental regulation such as the Clean Air Act. They indicate that the business owes thousands of dollars in fines and should respond by phone or email.” According to the OIG, “The letters allege that the target business violated an environmental regulation such as the Clean Air Act. They indicate that the business owes thousands of dollars in fines and should respond by phone or email.” The OIG said the email address provided – invoice(at symbol)epa.services – is not associated with the EPA, noting that, “Official U.S. government organizations use the ‘.gov’ domain name; for example, ‘epa.gov.’”
It is best to thoroughly review any Notice of Violation letter received and to contact the EPA's enforcement office directly to verify authenticity. The EPA further clarifies that recipients of notices they believe are false should email OECA_communications@epa.gov with an electronic version of the letter and should not take any action outlined in the letter, including submitting payment.
The OIG offers the following tips on how organizations can protect themselves from this kind of business email compromise:
- Create organizational policies for receiving new payment instructions, including a multistep process to verify new payment instructions
- Employ email security systems that can detect phishing attempts, domain spoofing, and other cyber threats, and use two-factor authentication to combat account compromise
- Train staff regularly on cybersecurity best practices and how to recognize phishing emails and require them to report phishing attempts – even seemingly minor ones
We will follow this fraud alert issue and provide additional information as it becomes available.
If you have questions about the legitimacy of any Notice of Violation you receive from EPA, please contact the Barnes & Thornburg attorney with whom you work or Bruce White at 312-214-4584 or bwhite@btlaw.com or Rich Glaze at 404-264-4012 or rglaze@btlaw.com.
© 2024 Barnes & Thornburg LLP. All Rights Reserved. This page, and all information on it, is proprietary and the property of Barnes & Thornburg LLP. It may not be reproduced, in any form, without the express written consent of Barnes & Thornburg LLP.
This Barnes & Thornburg LLP publication should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own lawyer on any specific legal questions you may have concerning your situation.
/Passle/6488d4630e7e25c9ac9f834a/SearchServiceImages/2024-07-25-15-58-24-435-66a2762079656c797c188877.jpg)
/Passle/6488d4630e7e25c9ac9f834a/MediaLibrary/Images/2024-07-18-19-15-33-047-669969d52008239f764a11af.png)
