Phishing emails impersonating state treasury offices have surged dramatically in recent years, with public sector organizations experiencing a 360% increase in phishing attacks between May 2023 and May 2024. This spike represents a serious threat to anyone with unclaimed money, unclaimed property, or pending state treasury claims. In March 2026, the Michigan Department of Treasury issued a specific alert warning that scammers are increasingly impersonating state tax agencies during tax season, crafting convincing messages designed to steal refunds or extract fraudulent payment claims from unsuspecting residents. The timing of these attacks is not accidental.
Scammers know that during tax season and when people are actively searching for unclaimed funds, citizens are more likely to click suspicious links or provide personal information. A typical phishing email might claim to be from your state’s Department of Treasury, alerting you to unclaimed funds in your name—then directing you to a fake website where your Social Security number, bank account details, and other sensitive information are harvested. What makes these attacks particularly dangerous is their sophistication. The emails often use official-looking logos, state government domain names designed to look legitimate, and language that mimics real treasury communications. For residents actively claiming unclaimed property or following up on state treasury matters, distinguishing between a legitimate state notification and a phishing attempt has become increasingly difficult—and the criminals are getting better at deception every month.
Table of Contents
- How Phishing Attacks on State Treasury Offices Have Escalated
- Why State Treasury Offices Are Prime Targets
- Real-World Examples of Treasury-Focused Phishing Scams
- Protecting Yourself from Treasury Phishing: Practical Steps
- Common Mistakes That Lead to Successful Phishing Attacks
- Special Risks for Unclaimed Property Claimants
- The Future of Treasury Phishing and Evolving Protection
- Conclusion
How Phishing Attacks on State Treasury Offices Have Escalated
The 360% growth in phishing attacks on public sector organizations represents one of the largest cybersecurity concerns facing state governments today. According to research from the Cloud Security Alliance, this dramatic increase occurred specifically between May 2023 and May 2024, with no indication that the trend has slowed. The attacks have become more targeted and personalized, moving beyond generic “Nigerian prince” scams to highly specific impersonations of state treasury departments, unclaimed property divisions, and tax collection offices. Concurrent with the surge in phishing emails, account takeover attacks increased by 43% during the same period.
This means that when scammers successfully steal credentials through a phishing email, they’re increasingly able to use those credentials to access actual state government portals, unclaimed property databases, and financial systems. In some cases, fraudsters have used compromised credentials to file false claims for unclaimed property or redirect legitimate refunds to accounts they control. The sophistication of these attacks is compounded by the fact that vendor email compromise attacks more than doubled between May 2023 and May 2024. This means criminals are not only targeting individual citizens—they’re also breaching the email systems of contractors and vendors who work with state treasury offices. When a vendor’s email is compromised, scammers can send phishing messages that appear to come from legitimate state government contractors, making detection even more difficult.
Why State Treasury Offices Are Prime Targets
Scammers specifically target people searching for unclaimed property and state treasury funds because these individuals are inherently motivated to respond quickly. Unlike random phishing campaigns that cast a wide net hoping for a small percentage of clicks, treasury-focused phishing preys on people who are actively looking for money they believe belongs to them. The psychological hook is powerful: a person who has already decided to pursue unclaimed funds is far more likely to click a link promising information about their claim than someone receiving an unsolicited email. State treasury offices themselves are attractive targets because they house massive databases of personal financial information, Social Security numbers, and bank account details.
A successful breach of a state treasury system—or even successful theft of credentials that lead to access—can expose thousands of citizens simultaneously. The Florida Department of Financial Services, Texas Comptroller’s Office, and other state treasury divisions have all had to issue warnings about phishing attempts, illustrating that no state is immune to this threat. One critical limitation many people face is that phishing emails are often indistinguishable from legitimate communications at first glance. State treasury offices use email for legitimate notifications about unclaimed property matches, and scammers have learned to mimic this exact format and language. A resident might receive what appears to be a matching notification for unclaimed funds, complete with a state government sender address and official formatting—only to discover upon clicking that the website is a carefully crafted fake designed to steal their information.
Real-World Examples of Treasury-Focused Phishing Scams
In March 2026, the Michigan Department of Treasury issued a detailed warning about active smishing (SMS phishing) and email scams where criminals attempt to steal tax refunds or extract payment from residents. The Michigan alert specifically cautioned that scammers were sending messages claiming to be from the state tax authority, offering refunds or requesting updated information about unclaimed property claims. These weren’t generic scams—they were carefully targeted at Michigan residents with specific references to state tax deadlines and property claims. new Jersey Treasury has similarly reported active phishing and smishing campaigns featuring fake approval messages with malicious links.
In these scams, a resident might receive a message claiming their unclaimed property claim has been “approved” and requesting them to click a link to “verify account information” or “confirm banking details for deposit.” The links direct to websites with URLs that closely resemble official state sites—for example, a fake site might use “treasury-nj.gov.verify.com” or similar variations designed to appear legitimate at a glance. Another documented example involves vendor email compromise, where criminals breach the email account of a legitimate contractor working with a state treasury office, then use that compromised account to send phishing messages. A victim might receive an email that appears to come from an official treasury department address (because it does come from a treasury contractor’s system), instructing them to update their unclaimed property claim information. The victim has no reason to be suspicious—the email comes from an official source. By the time they realize they’ve been compromised, their personal information is already in the hands of criminals.
Protecting Yourself from Treasury Phishing: Practical Steps
The most effective defense against phishing emails impersonating state treasury offices is to never click links in unsolicited emails, regardless of how legitimate they appear. Instead, if you receive a message about unclaimed property or state treasury funds, navigate directly to the official state website by typing the address into your browser yourself. For example, if you receive an email claiming to be from the Florida Department of Financial Services, go directly to fla.gov and find the unclaimed property portal rather than clicking any link in the email. This simple step eliminates the risk of being directed to a fake website. Compare this approach to the more vulnerable behavior of clicking links in emails: even if you assume you’re being careful, phishing links often use URL obfuscation techniques that make it nearly impossible to detect they’re fake before clicking.
Some links use homograph attacks, where characters that look identical (like the Latin letter “o” and the number “0”) are swapped to create URLs that visually resemble legitimate sites. The tradeoff of navigating directly to official sites is that it takes slightly longer than clicking a link, but the security benefit is overwhelming—you eliminate almost all risk of landing on a fake website. Enable two-factor authentication on any state treasury accounts you create while searching for or claiming unclaimed property. Two-factor authentication (also called multi-factor authentication) means that even if a scammer steals your username and password through phishing, they cannot access your account without a second form of authentication—typically a code sent to your phone or generated by an authenticator app. Many state treasury offices now support two-factor authentication for their unclaimed property portals, and using this feature dramatically reduces the damage a phishing attack can cause.
Common Mistakes That Lead to Successful Phishing Attacks
Many victims fall for treasury phishing scams because they ignore subtle red flags in the email address itself. While a phishing email might use official state branding and logos, the sender’s email address is often not a legitimate government domain. A real state treasury office will send emails from addresses like “unclaimed@state.tx.us” or similar official government domains. Scammers often use lookalike domains like “unclaimed@state-tx.us” or “unclaimed@texas-state.us”—addresses that appear official at a glance but aren’t actually controlled by the state. The warning here: always examine the full email address in the “from” field, not just the display name. Another common mistake is responding to emails asking for verification of personal information.
Legitimate government agencies do not ask you to verify your Social Security number, bank account details, or password via email. If an email claims to be from your state’s treasury office and asks you to “confirm your information,” “update your account details,” or “verify your identity,” it is certainly a phishing attempt. A real state agency will either already have your information or will provide a secure method to submit it—they will never request sensitive information via an unsolicited email. People also underestimate the legitimacy created by stolen email credentials and compromised contractor accounts. Because vendor email compromise attacks have doubled, you may receive phishing emails from what appears to be a legitimate government email address or contractor email address. The false sense of security this creates is a major limitation in human-based threat detection. You cannot assume an email is legitimate simply because it comes from what appears to be an official source—this is precisely why directly navigating to official websites rather than clicking email links is so critical.
Special Risks for Unclaimed Property Claimants
People actively searching for or claiming unclaimed property face heightened risk from treasury phishing because they are in active research mode. When you’re in the process of searching state unclaimed property databases, checking the status of a claim, or waiting for a response from a state treasury office, you’re primed to click emails that appear to be related to your search. Scammers exploit this state of heightened attention and urgency. A phishing email received while you’re actively working on an unclaimed property claim is significantly more likely to be clicked than a random phishing email would be.
Additionally, the information that unclaimed property claimants typically provide to state treasury offices makes them valuable targets for identity theft. When you file a claim for unclaimed property, you provide your full name, Social Security number, current address, and often banking details for payment. If a scammer can trick you into providing this information through a phishing email rather than through the official state portal, they have everything needed to commit identity fraud. The risk is not just that your unclaimed property claim will be stolen—it’s that your identity will be used for far more serious crimes.
The Future of Treasury Phishing and Evolving Protection
As government agencies continue to shift more services online, phishing attacks targeting treasury and financial services are likely to remain a growing threat. The trend of 360% growth in public sector phishing attacks shows no signs of reversing. Artificial intelligence and large language models are making phishing emails even more convincing, with criminals now able to generate highly personalized, grammatically perfect phishing messages that read like authentic government communications. The sophistication of these attacks will only increase.
However, awareness itself is a powerful defense. By understanding that these scams exist, recognizing the tactics they use, and committing to practices like navigating directly to official websites and never clicking email links about financial matters, you significantly reduce your vulnerability. Many states are also implementing stronger protections on their official unclaimed property portals, including two-factor authentication and security awareness messaging. Staying informed about the specific warnings issued by your state’s treasury office—like the Michigan and New Jersey alerts—gives you the most current intelligence about active campaigns.
Conclusion
Phishing emails impersonating state treasury offices represent a real and growing threat to anyone with unclaimed money or property in their state. The 360% surge in public sector phishing attacks between 2023 and 2024, combined with a 43% increase in successful account takeovers, demonstrates that scammers are not only increasing their volume but also improving their effectiveness. The recent warnings from state treasury offices in Michigan, New Jersey, and elsewhere confirm that these attacks remain active and dangerous in 2026.
Your best protection is a combination of skepticism and direct action: be skeptical of unsolicited emails about unclaimed property, and take direct action by navigating independently to official state websites rather than clicking email links. If you’re actively searching for unclaimed property or pursuing a claim with your state treasury office, maintain extra vigilance during this period of heightened personal vulnerability. Report suspicious emails claiming to be from state treasury offices to the official fraud alert addresses provided by your state—the U.S. Department of Treasury maintains fraud alerts at oig.treasury.gov/fraud-alerts, and the IRS provides reporting mechanisms for fake treasury emails at irs.gov/help/report-fraud.