It arrives as a text message. "Unpaid road toll — settle before midnight to avoid a penalty." The link takes you to a portal with the right logo, the right colours, the correct agency name in the URL, and a familiar step-by-step payment flow. You pay £2.90. You feel relieved. The toll never existed.
This is GovTrap — and according to new research from CTM360, it is not a small operation. Researchers identified over 11,000 active malicious domains impersonating government services across North America, Europe, Asia, and Oceania. Each one is designed to harvest credentials and payment card data from citizens who have no reasonable basis for suspicion.
Why this attack works — and it's not because people are naive
Government institutions are trusted by design. We are taught from early in life to respond when the tax authority writes to us, to pay a fine before the deadline, to update our licence before it lapses. GovTrap doesn't exploit a gap in people's security knowledge. It exploits something far harder to train away: a lifetime of conditioning to comply with official-looking requests.
The infrastructure reflects this understanding. These aren't slapdash imitations. They replicate the full service environment — branding, language, multi-step workflows, even error states. The lures are localised: an employee in Germany receives a message in German referencing the correct local agency; one in Singapore gets the same template adapted to their transport authority. The urgency hook — unpaid fine, expiring licence, tax refund pending verification — is chosen specifically because inaction feels riskier than clicking.
Key insight: The most effective fraud campaigns don't rely on confusion. They rely on trust — and GovTrap is engineered to earn exactly the kind of trust that good citizens extend to their governments.
The attack chain
| Stage | What happens |
|---|---|
| 1. Lure delivery | SMS, phishing email, or social media post — localised, urgent, referencing a real service (toll, tax, fine, licence) |
| 2. Fake portal | Victim lands on a cloned government site. Domain uses low-cost, disposable registration — swapped out quickly when flagged |
| 3. Data harvest | Credentials, payment card details, and personal identity information submitted through the fake form |
| 4. Monetisation | Direct card fraud, identity theft, money mule networks, or bulk data resale |
Why this is a workplace problem, not just a consumer one
It is tempting to file GovTrap under "personal security" and move on. That framing misses the point. Your employees receive these SMS messages on the same phones they use for two-factor authentication. They act on them during the workday — between meetings, over lunch, sometimes on a work device. The credentials stolen are personal credentials, but the same person holds the keys to your systems.
There is also a velocity problem. CTM360's research found that GovTrap relies on rapid domain turnover: new portals are registered as old ones are taken down. At 11,000+ live domains, traditional blocklists cannot keep pace. By the time a domain is flagged and distributed to endpoint tools, it has already served its purpose and been replaced.
Key insight: Blocklists are written for yesterday's infrastructure. GovTrap's entire model is built on making sure the attack completes before the blocklist catches up.
What organisations should do now
Three practical steps that don't require new tools:
- Tell your team this campaign exists. Not a policy email — a short, specific message: "here is what a GovTrap lure looks like, here is the URL pattern to watch for, here is what to do if you're unsure." Concrete beats generic.
- Reinforce the habit of verifying independently. If a message claims to be from a government agency, go directly to the official site (typed or bookmarked) rather than clicking the link. This matters most on mobile, where the full URL is rarely visible and a lookalike hostname is easy to miss.
- Check whether your security tools surface a warning at the moment of the click. Not in a daily digest — at the moment someone is about to submit their details. That is the only intervention point that matters.
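As an added illustration of the third step, here is what a click-time check with a plain-language reason can look like, and why it does not depend on a blocklist that the domain turnover described above outruns. This is example code written for this post; it is not Mungo Labs' product code and not CTM360's detection logic. The official zones, agency names, lure words and sample links are assumptions constructed for the example, and a real deployment would carry far larger lists.

```python
"""Click-time lookalike check for government-impersonation links.

Added illustration, not Mungo Labs' product code and not CTM360's detection
logic. The official zones, agency names, lure words and sample links are
constructed for this example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed allowlist of official zones. A host is official only if it IS the
# zone or sits directly under it; the match is anchored on the dot, so a host
# such as "gov.uk.evil.net" never qualifies.
OFFICIAL_ZONES = ("gov.uk", "irs.gov", "usps.com")

# Assumed agency names a lure needs to carry, each mapped to the zone where the
# real service lives. Multi-token entries match tokens in order, so "gov-uk",
# "gov_uk" and "gov.uk" all hit ("gov", "uk").
NAMED_AGENCIES = (
    (("dvla",), "gov.uk"),
    (("hmrc",), "gov.uk"),
    (("gov", "uk"), "gov.uk"),
    (("govuk",), "gov.uk"),
    (("irs",), "irs.gov"),
    (("usps",), "usps.com"),
)

# Assumed urgency words that lure domains use without naming an agency.
LURE_WORDS = frozenset({"toll", "tax", "fine", "penalty", "licence",
                        "license", "refund", "gov"})


@dataclass
class Verdict:
    level: str   # "official", "suspicious", "caution", "unknown" or "invalid"
    host: str
    reason: str  # the plain-language line to show the person at the keyboard


def official_zone(host):
    """Return the official zone the host belongs to, or None."""
    for zone in OFFICIAL_ZONES:
        if host == zone or host.endswith("." + zone):
            return zone
    return None


def host_tokens(host):
    # Split on the separators attackers use to assemble lookalike names.
    return [t for t in re.split(r"[.\-_]", host) if t]


def contains_sequence(tokens, seq):
    n = len(seq)
    return any(tuple(tokens[i:i + n]) == seq for i in range(len(tokens) - n + 1))


def assess_url(url):
    """Classify one link without consulting any blocklist."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    if not host:
        return Verdict("invalid", "", "the link has no hostname")
    host = host.lower().rstrip(".")
    zone = official_zone(host)
    if zone:
        return Verdict("official", host, f"{host} is under the official zone {zone}")
    if not host.isascii():
        # Homoglyph handling is out of scope here: flag rather than guess.
        return Verdict("caution", host,
                       f"{host} uses non-ASCII characters that can mimic an official name")
    tokens = host_tokens(host)
    for seq, zone in NAMED_AGENCIES:
        if contains_sequence(tokens, seq):
            return Verdict("suspicious", host,
                           f"{host} mentions '{'-'.join(seq)}' but is not under {zone}, "
                           f"where that service really lives")
    lure = sorted(t for t in tokens if t in LURE_WORDS)
    if lure:
        return Verdict("caution", host,
                       f"{host} uses the words {', '.join(lure)} but belongs to no known official zone")
    return Verdict("unknown", host,
                   f"{host} is not a known official site; verify before entering details")


def warn_at_click(url):
    """True when the click should be interrupted and the reason shown."""
    return assess_url(url).level in ("suspicious", "caution", "invalid")


if __name__ == "__main__":
    # Constructed sample links, not real campaign infrastructure.
    for link in ("https://www.gov.uk/vehicle-tax",
                 "https://dvla-gov-uk.com/pay",
                 "https://gov.uk.verify-id.net/login",
                 "http://toll-payment-portal.net/settle",
                 "https://example.com/"):
        verdict = assess_url(link)
        print(f"{verdict.level:10} {verdict.reason}")
```

Two design choices carry the point. The official check matches only on an anchored suffix, so putting "gov.uk" at the front of a hostname gains the attacker nothing, while the agency check runs over hostname tokens, so a freshly registered lookalike is caught the first time anyone sees it rather than after it reaches a blocklist. The trade-off is that a bare token such as "gov" will also flag some innocent domains, which is why the "caution" level is a prompt to verify with the reason shown, not a hard block.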
How we're thinking about this at Mungo Labs
GovTrap is a clear illustration of why we build around real-time, contextual warnings rather than after-the-fact detection. The window between a fraudulent link being clicked and credentials being submitted is measured in seconds. The only defence that operates in that window is one that is already there — a specific signal, in plain language, surfaced at the moment of action.
For SMBs without a dedicated security team, this is particularly acute. You cannot run a weekly threat briefing or staff a SOC to track campaign infrastructure. What you can do is ensure that when an employee's device encounters a suspicious domain, the person at the keyboard gets told why it is suspicious — not just that it is. That distinction, which sounds small, is the difference between a warning that gets dismissed and one that changes the outcome.
If you're thinking about how to close the gap between when a threat arrives and when a person can act on it, we'd be glad to show you what we're building.
Schedule a Discovery Call →

Source: CTM360, "GovTrap: Global Government Impersonation Campaign," April 2026.