New Jersey Licensed Site Remediation Professionals Association

Phishing Emails and Scams in the Environmental Consulting Industry

By Corey McCormak, GEI Consultants, Inc.

Phishing emails and online scams are growing threats across all professional sectors, and environmental consulting is no exception. As firms increasingly rely on digital communication for project coordination, regulatory reporting, and client correspondence, cybercriminals are exploiting these channels to gain unauthorized access to sensitive data and financial systems.

In environmental consulting, phishing attempts often appear as legitimate messages from regulatory agencies such as the NJDEP, EPA, or USACE, requesting permit updates, data submissions, or invoice payments. These messages may include realistic logos, formal language, and links to convincing but fraudulent websites. Once clicked, these links can install malware or prompt users to enter login credentials, exposing confidential project files, client data, and proprietary remediation designs. Recently, an LSRP received an email that appeared to come from a fellow LSRPA BOT member, but the sender's email address was suspicious and was confirmed to be fake. Impersonating a trusted contact in this way is a common phishing tactic, and the display name alone is no guarantee of who actually sent a message.

Scammers also target consultants through fake requests for proposals (RFPs), subcontracting solicitations, or purchase orders, often impersonating government clients, utilities, or engineering partners. A recent example in the category of fake project inquiries (business email scams) was a request for quotes on child care center RAOs, received by two LSRPs at the same firm. The messages contained specific and realistic remediation details, suggesting an attempt to get environmental professionals or their firms to respond or to open the attachments and links. The emails were forwarded to the receiving firm's IT department, which determined that they were phishing. Schemes like this can lead to the unauthorized release of corporate information or to fraudulent payments.

Other messages mimic communication from well-known environmental databases or platforms such as NJDEP's DataMiner, E-Submittal, or E-Permitting systems. They can appear authentic, using official logos, project identifiers, or references to specific sites, yet contain links to fraudulent websites or attachments laced with malware. Once opened, these can compromise client data, site investigation results, and confidential remediation designs. Given how much project management and permitting is conducted by email, even experienced professionals can fall victim without robust awareness and safeguards.

Another common tactic is to register domain names that closely resemble a real client's or agency's email domain (for example, replacing a single letter, substituting a digit for a similar-looking letter, or using ".co" in place of ".com") to trick recipients into releasing sensitive information or processing false invoices. Recognizing a phishing scam begins with scrutinizing details. Red flags include unfamiliar sender addresses, a familiar display name paired with an unfamiliar address, unexpected attachments, grammatical errors, and urgent or threatening language demanding immediate action. Hovering over a hyperlink (or long-pressing it on a mobile device) can reveal that the visible text and the actual destination do not match, and legitimate agencies will rarely ask for sensitive information or payment changes via email. When in doubt, employees should independently verify the message by contacting the supposed sender through a known, trusted channel, such as a phone number already on file rather than one given in the email, before responding or clicking any links.
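The checks described in the two paragraphs above (a trusted contact's name on an unfamiliar address, a lookalike sender domain, and a link whose visible text disagrees with its real destination) can be scripted as a first-pass triage aid. The following Python example is added here for illustration; it is not code from the LSRPA, the author, or any firm named in the article. The trusted-domain set, the contact list, the sample From: header and the sample HTML body are all constructed assumptions, and the registrable-domain logic is deliberately crude (no public-suffix list). It flags candidates for a human to verify through a known channel; it does not decide on its own that a message is safe.

```python
"""Added example: triage a suspect message for the red flags discussed above.
All sample data below is constructed for illustration, not taken from the article."""
import re
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumed: domains this hypothetical firm treats as legitimate correspondents.
TRUSTED_DOMAINS = {"nj.gov", "epa.gov", "usace.army.mil", "example-client.com"}
# Assumed: known contacts and the address each of them actually uses.
KNOWN_CONTACTS = {"jane doe": "jane.doe@example-client.com"}

# Digit-for-letter swaps commonly seen in lookalike domains (0->o, 1->l, 3->e, ...).
_DIGIT_SWAPS = str.maketrans("01357", "olest")


def normalize(domain: str) -> str:
    """Fold common homoglyph tricks so 'examp1e.com' compares equal to 'example.com'."""
    return domain.lower().translate(_DIGIT_SWAPS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 means one letter added, dropped or changed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS):
    """Return ('trusted', match), ('lookalike', match) or ('unknown', None).
    Subdomains of a trusted domain count as trusted (crude heuristic, no suffix list)."""
    d = domain.lower()
    for t in trusted:
        if d == t or d.endswith("." + t):
            return "trusted", t
    name, _, tld = d.rpartition(".")
    for t in trusted:
        tname, _, ttld = t.rpartition(".")
        if normalize(d) == normalize(t):      # homoglyph swap, e.g. 1 in place of l
            return "lookalike", t
        if name == tname and tld != ttld:     # TLD swap, e.g. .co in place of .com
            return "lookalike", t
        if levenshtein(d, t) <= 1:            # one letter added, dropped or changed
            return "lookalike", t
    return "unknown", None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str):
    """Pull the host out of a URL or bare domain; None if the text contains none."""
    m = re.search(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
    return m.group(1).lower() if m else None


def mismatched_links(html: str):
    """(shown_host, actual_host) pairs where the link text names one host but the
    href goes to another: the same mismatch a user sees when hovering over the link."""
    parser = _LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            out.append((shown, actual))
    return out


def triage(from_header: str, html_body: str):
    """Return the list of red flags found in one message (empty list = none found)."""
    flags = []
    display, addr = parseaddr(from_header)
    known = KNOWN_CONTACTS.get(display.strip().lower())
    if known and addr.lower() != known:       # familiar name, unfamiliar address
        flags.append(f"display name '{display}' belongs to {known}, not {addr}")
    sender_domain = addr.rpartition("@")[2]
    verdict, match = classify_domain(sender_domain)
    if verdict == "lookalike":
        flags.append(f"sender domain {sender_domain} resembles trusted {match}")
    elif verdict == "unknown":
        flags.append(f"sender domain {sender_domain} is not a known correspondent")
    for shown, actual in mismatched_links(html_body):
        flags.append(f"link shows {shown} but points to {actual}")
    return flags


# Constructed sample: a TLD-swapped lookalike of the assumed trusted client domain.
SAMPLE_FROM = "Jane Doe <jane.doe@example-client.co>"
SAMPLE_HTML = (
    "<p>Please approve the revised invoice at "
    '<a href="https://portal.example-client.co/pay">https://portal.example-client.com/pay</a>'
    " before 5 PM today.</p>"
)

if __name__ == "__main__":
    for flag in triage(SAMPLE_FROM, SAMPLE_HTML):
        print("RED FLAG:", flag)
```

Run against the constructed sample, the script reports three flags: the display name belongs to a different address, the sender domain is a ".co" lookalike of the trusted ".com", and the invoice link displays the ".com" host while actually pointing at the ".co" one. A clean result means only that none of these particular tricks were found, so the out-of-band verification the text recommends still applies.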

To mitigate risk, firms should implement multi-factor authentication on email and financial systems, conduct regular cybersecurity training, and establish verification protocols for financial transactions and regulatory correspondence, such as confirming any payment or banking change by phone at a number already on file. By training staff and fostering a culture of vigilance and cyber hygiene, environmental consulting firms can protect their data integrity, client trust, and operational continuity against the growing sophistication of phishing and digital fraud.