USPTO GovDelivery Scam: How Fraudsters Weaponize Real .gov Emails to Steal From Trademark Filers

Apr 1, 2026 · 77K+ victims · 60+ domains · First-person investigation

HIGH PRIMARY SOURCE

By Karim El Labban · ZERO|TOLERANCE


In early 2026, ZERO|TOLERANCE - a cybersecurity research firm - filed a US trademark application through the USPTO's Trademark Electronic Application System.

Two days after receiving the legitimate USPTO confirmation, a phishing email arrived from a non-government domain impersonating the USPTO's TEAS system.

It contained our exact trademark data - wordmark, serial number, owner name, and filing address - scraped directly from the public TEAS database.

The email demanded we call a spoofed 571 area code number for a fake "verification appointment" with a fabricated examining attorney, warning that failure to attend may result in abandonment of our application.

Additional scam emails followed over the coming weeks, landing in our spam folder. That first email was the beginning of everything.

We investigated the sending infrastructure, mapped the operation behind it, and filed an FBI IC3 complaint with a full evidence dossier documenting 60+ fraudulent domains, 40+ operators, 77,000+ victim records, and 9 distinct scam verticals.

On April 1, 2026, the same operation called us. A spoofed 571 area code number - matching the USPTO's Alexandria, Virginia headquarters. We hung up. They called again. We hung up again. They called a third time.

The caller asked questions about our company, told us there were additional fees beyond what we had already paid, and said we would receive an email verification that required confirmation.

We told the caller they were running a scam and challenged them to send us an email from the actual uspto.gov domain. The caller told us to check our email.

Two legitimate, DKIM-signed emails from subscriptions.uspto.gov were already in our inbox. One was a GovDelivery welcome confirmation. The other was a subscription change notification adding us to Patents Alerts, Trademarks Alerts, and a regional outreach office.

The emails were real - sent by the United States Patent and Trademark Office's own GovDelivery notification system, a legitimate government email platform operated by Granicus on behalf of federal agencies. The caller was not.

We had uncovered an organized fraud operation that had weaponized real government infrastructure as a social engineering prop during live phone scams. They did not know they were calling a cybersecurity research firm. This is what we found.

01

KEY FACTS

  • What: An organized fraud operation scrapes new USPTO trademark filings in real time, then weaponizes the legitimate GovDelivery government notification system to generate authentic .gov emails during live phone scams - making victims believe they are speaking with USPTO officials.
  • Who: Every individual or business that files a US trademark application. 77,000+ victim records identified in exposed CRM databases. The operation spans 9 distinct scam verticals including trademarks, publishing, design, tax advisory, and academic services.
  • How: Real-time scraping of USPTO TEAS filings, VoIP calls from spoofed 571 area code numbers (Alexandria, VA - USPTO headquarters), and abuse of the public GovDelivery subscription form to trigger legitimate government emails on demand during active calls.
  • Data scraped: Applicant names, business names, email addresses, phone numbers, filing dates, trademark details - all harvested within hours of filing.
  • Actor: An organized operation based in Pakistan with US and UK shell company infrastructure, active since at least October 2021. 40+ identified operators.
  • Impact: Victims pay fraudulent "trademark processing fees" ranging from hundreds to thousands of dollars. The operation also deploys remote access trojans on victim computers and operates fake publishing, design, and financial advisory fronts. Amazon obtained a $36.4 million default judgment against 18 Pakistan-based defendants running a related publishing fraud scheme.
  • Status: Complaints filed with FBI IC3, Department of Commerce Office of Inspector General, USPTO TMScams, and FCC. Operation remains active as of April 1, 2026.
  • Victim Records: 77,000+
  • Fraudulent Domains: 60+
  • Identified Operators: 40+
  • Scam Verticals: 9
  • Related Judgment: $36.4 million

02

WHAT HAPPENED

ZERO|TOLERANCE filed a US trademark application through the USPTO's Trademark Electronic Application System (TEAS) in early 2026. Two days later, the operation's automated scraper had harvested our filing data - applicant name, email address, phone number, and trademark details - from the publicly accessible USPTO database.

On March 4, 2026, we received a phishing email impersonating the USPTO TEAS system, sent from a fraudulent domain registered to an individual in Karachi, Pakistan. As a cybersecurity research firm, we recognized the impersonation immediately.

Rather than dismiss it, we initiated an authorized passive OSINT investigation.

What we found over the following weeks was not a single phishing campaign but a multi-year, multi-vertical organized crime operation with exposed infrastructure, unauthenticated CRM databases containing tens of thousands of victim records, an active remote access trojan deployment targeting US computers, and a corporate structure spanning Pakistan, the United Arab Emirates, the United Kingdom, and the United States.

We filed an FBI IC3 complaint on March 4, 2026, documenting the full infrastructure. We subsequently filed complaints with the Department of Commerce Office of Inspector General, the USPTO's TMScams reporting channel, and the FCC.

On April 1, 2026 - 28 days after our IC3 filing - the operation targeted us again. This time, they deployed a tactic we had not previously documented: the weaponization of the GovDelivery system.

03

THE GOVDELIVERY TACTIC

At approximately 6:32 PM EST on April 1, 2026, a legitimate email from "U.S. Patent and Trademark Office" arrived at security@zerotolerance.me. We had not subscribed to any USPTO notification service.

Shortly after, a phone call arrived from a 571 area code number - the area code assigned to Alexandria, Virginia, where USPTO headquarters is located. The caller identified themselves as a USPTO official and demanded payment of additional trademark processing fees.

A second legitimate USPTO email arrived: "Subscription Change Confirmation." New topics had been added to the subscription: Patents Alerts, Trademarks Alerts, and a regional outreach office. The emails kept arriving in sync with the caller's statements.

Here is how the tactic works:

1. The operation's automated scraper monitors new USPTO trademark filings and harvests the applicant's contact information - typically within hours of filing.

2. Before or during the call, an operator registers the victim's email address on the USPTO's public GovDelivery subscription form.

GovDelivery is a legitimate government notification platform operated by Granicus on behalf of dozens of federal agencies including the USPTO. The subscription form is publicly accessible and requires no identity verification - anyone can subscribe any email address.

3. The victim receives a real email from subscriptions.uspto.gov. The email is DKIM-signed, TLS-encrypted, and sent from actual USPTO infrastructure. It passes every spam filter and authentication check because it is not spoofed. It is a genuine government email.

4. An operator calls the victim from a VoIP number provisioned with a 571 area code - the same area code as the real USPTO. The number is freshly rotated; when we checked robocall databases, complaint forums, and FCC filings, there were zero public reports against it.

By the time victims report the number, the operators have already moved to a new one.

5. The caller demands payment for fictitious trademark fees. When the victim hesitates, the caller directs them to check their email.

6. gov email that arrived in sync with the phone call. Most people cannot distinguish between a GovDelivery subscription notification and a transactional fee confirmation.

The timing creates a powerful false correlation: the call and the email arrive together, so the caller must be legitimate.

7. gov emails on demand. Each modification triggers a new email from subscriptions.uspto.gov. The victim sees a stream of authentic government emails arriving while the caller is on the line.

8. The victim pays the fraudulent fee.

The critical innovation is that these emails are not spoofed, not phished, not forged. They are legitimate government emails sent from real USPTO infrastructure through a real government notification platform.

The scammers are not impersonating the government's email system - they are making the government's email system work for them.

04

THE IRONY

The legitimate USPTO GovDelivery email that the scammers trigger contains the following anti-scam warning in its body text: "If you're contacted by someone pretending to be a USPTO 'official' who asks you to verify information and pay additional fees, watch out."

The scammers are betting that victims will see the .gov sender address, feel reassured, and never read the fine print. Based on the 77,000+ victim records we identified, they are right.

05

SCALE OF THE OPERATION

This is not a small-time phishing campaign. Our investigation uncovered an organized operation with the following documented scale:

  • 77,000+ victim records across two exposed, unauthenticated CRM databases
  • 60+ fraudulent domains registered to the operation
  • 40+ identified operators using fabricated Western persona names
  • 9 distinct scam verticals: trademark services, academic writing, book publishing, graphic design, tax advisory, BPO services, pet sales, HVAC/cleaning fronts, and SaaS platforms
  • 34+ fake publishing brand websites impersonating legitimate publishers
  • 8 brand impersonations of major companies including Amazon, Penguin Random House, Macmillan, and IngramSpark
  • 122 documented unauthorized remote access sessions across 18 US victim computers using a remote access trojan disguised as a legitimate Intel graphics service
  • 3 UK shell companies registered to operators, at least one dissolved with no financial activity on record
  • US nexus entities in Texas operating as apparent fronts
  • Active since at least October 2021
  • Still active as of April 1, 2026 - confirmed by the live attack against ZERO|TOLERANCE

In a related case, Amazon obtained a $36.4 million default judgment in the Northern District of California (Case No. 3:23-cv-05580) against 18 Pakistan-based defendants - 10 individuals and 8 corporate entities - operating an identical publishing fraud scheme.

The modus operandi matches: fake Western brand names, Pakistan-based call centers, US shell companies, and a pattern of low-cost hook services escalating to thousands of dollars in fraudulent fees before the operators ghost the victim.

06

ATTACK CHAIN

The full scam operates as follows:

1. HARVESTING: An automated scraper continuously monitors the USPTO's Trademark Electronic Application System for new filings.

The scraper specifically filters for applications filed without an attorney of record - targeting pro se applicants who lack legal representation and are most vulnerable to fraudulent outreach.

Contact data - names, emails, phone numbers, business names, filing dates - is harvested and ingested into the operation's CRM system within hours.

2. LEAD DISTRIBUTION: Harvested leads are distributed to call center operators through an internal CRM. The CRM tracks each victim's status, assigned operator, contact history, and payment stage. Operators use fabricated Western names and personas.

3. INITIAL CONTACT: Victims receive either a phishing email from a fraudulent domain impersonating the USPTO TEAS system, or a phone call from a spoofed 571 area code number. In some cases, both.

4. GOVDELIVERY LEGITIMACY INJECTION: The operator registers the victim's email on the USPTO GovDelivery form, triggering legitimate .gov emails in real time to support the phone call.

5. FEE EXTRACTION: The caller demands payment for fictitious trademark fees - registration fees, processing fees, publication fees, or renewal fees. Payment is collected through online portals.

6. ESCALATION: For victims who pay, the operation escalates with additional fictitious fees and services - trademark monitoring, international registration, copyright filing, legal consultations. A single victim can be milked for thousands of dollars over multiple calls.

7. REMOTE ACCESS (select victims): In some cases, operators convince victims to install a remote access tool. The operation deploys a RAT disguised as a legitimate system service.

Once installed, operators gain full stealth desktop access - they can view the victim's screen, access files, and exfiltrate data without any visible notification to the user.

Our investigation documented 122 unauthorized remote access sessions totaling 9.35 hours across 18 identified US victims, with stolen files transferred to a server in Karachi.

8. GHOSTING AND ROTATION: Once a victim is drained or becomes suspicious, the operators stop responding. Domains are rotated. Phone numbers are replaced. New brand names are launched with the same operators and the same CRM.

07

TECHNICAL FAILURE CHAIN

This operation succeeds because of systemic failures across multiple platforms and providers:

1. GovDelivery open subscription model. The USPTO's GovDelivery subscription form accepts any email address without verification, CAPTCHA, rate limiting, or double opt-in confirmation. Anyone in the world can subscribe any email address to USPTO notifications.

This is the foundational vulnerability that enables the entire social engineering tactic. Granicus, which operates GovDelivery on behalf of federal agencies, provides no protection against third-party email registration abuse.

2. USPTO TEAS data is publicly accessible. Trademark filings are public records by design - this is fundamental to the trademark system. However, the combination of real-time accessibility, structured data, and no rate limiting on queries makes automated scraping trivial.

The API exposes the attorney-of-record field, allowing the operation to programmatically filter for unrepresented filers and target only the most vulnerable applicants. The operation's scraper processes approximately 225 new victim records per day.

3. VoIP number provisioning without adequate verification. The operation provisions dozens of VoIP phone numbers through wholesale providers, selecting 571 area code numbers to match USPTO's geographic location.

These numbers are rotated rapidly - often before a single consumer complaint is filed. Wholesale VoIP providers sell numbers in bulk with minimal subscriber verification, enabling phone number spoofing at scale.

4. No caller authentication for government services.

There is no standardized mechanism for a trademark applicant to verify that an incoming call is genuinely from the USPTO. STIR/SHAKEN call authentication, while mandated by the FCC, has limited effectiveness against sophisticated VoIP operations that provision numbers through compliant carriers.

5. Payment processor blind spots. The operation collects payments through legitimate payment platforms. The processors see a transaction from a seemingly legitimate business entity - not a cross-border fraud operation routing funds through shell companies.
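The controls item 1 lists as missing (verified opt-in and rate limiting) can be sketched as follows. This is an added example, not Granicus or USPTO code; the class name, time limits and token format are assumptions, and the sample address is constructed.

```python
import hashlib
import hmac
import secrets
import time


class VerifiedOptIn:
    """Hypothetical subscription backend; names and limits are assumptions."""

    RESEND_WINDOW = 24 * 3600  # at most one confirmation mail per address per day
    TOKEN_TTL = 48 * 3600      # unconfirmed requests expire after two days

    def __init__(self, clock=time.time):
        self._key = secrets.token_bytes(32)
        self._clock = clock
        self.pending = {}    # address -> (requested topics, time of last mail)
        self.confirmed = {}  # address -> topics the mailbox owner approved
        self.outbox = []     # (address, kind, token) for each mail queued

    def _sign(self, address, issued):
        mac = hmac.new(self._key, f"{address}|{issued}".encode(), hashlib.sha256)
        return f"{issued}.{mac.hexdigest()}"

    def public_form(self, address, topics):
        """Unauthenticated form: anyone can submit any address."""
        address, now = address.strip().lower(), int(self._clock())
        if address in self.confirmed:
            return  # changes need the owner's signed link, not the open form
        topics_so_far, last_mail = self.pending.get(address, (set(), None))
        topics_so_far = topics_so_far | set(topics)
        if last_mail is not None and now - last_mail < self.RESEND_WINDOW:
            # Repeat or modified request inside the window: record it, send nothing.
            self.pending[address] = (topics_so_far, last_mail)
            return
        self.pending[address] = (topics_so_far, now)
        self.outbox.append((address, "confirm", self._sign(address, now)))

    def confirm(self, address, token):
        """Link followed by the mailbox owner; only now do topic mails start."""
        address, now = address.strip().lower(), int(self._clock())
        issued, _, _ = token.partition(".")
        well_formed = issued.isascii() and issued.isdigit() and len(issued) <= 12
        if not well_formed or address not in self.pending:
            return False
        expected = self._sign(address, int(issued))
        if not hmac.compare_digest(token.encode(), expected.encode()):
            return False
        if now - int(issued) > self.TOKEN_TTL:
            del self.pending[address]
            return False
        self.confirmed[address] = self.pending.pop(address)[0]
        self.outbox.append((address, "welcome", None))
        return True


def simulate_call_abuse():
    """Constructed scenario: three form submissions during one phone call."""
    svc = VerifiedOptIn()
    victim = "applicant@example.com"  # constructed address
    svc.public_form(victim, ["Trademarks Alerts"])
    svc.public_form(victim, ["Patents Alerts"])
    svc.public_form(victim, ["Regional outreach office"])
    return svc


if __name__ == "__main__":
    print([kind for _, kind, _ in simulate_call_abuse().outbox])
```

With this design the three submissions produce a single confirmation mail instead of a stream of welcome and change notices, and nothing further is sent until the mailbox owner follows the signed link.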

08

INDICATORS OF COMPROMISE

Trademark holders should watch for the following signs of this operation:

  • Unexpected GovDelivery emails. If you receive a "Welcome New User" or "Subscription Change Confirmation" email from subscriptions.uspto.gov that you did not initiate, someone else registered your email address. Do not click any links. Do not confirm the subscription. It will auto-expire.
  • Phone calls from 571 area code numbers demanding trademark fees. The USPTO does not call applicants to collect fees. The USPTO does not ask for payment information by phone, email, or text message. Any call demanding trademark payment is fraudulent.
  • Emails from non-.gov domains impersonating TEAS. Legitimate USPTO emails come from @uspto.gov domains. Emails from domains containing "usa," "office," "govt," or other government-adjacent terms that are not .gov addresses are fraudulent.
  • Pressure to pay immediately. Legitimate government processes do not require immediate payment during a phone call. Any urgency is manufactured.
  • Requests to install remote access software. The USPTO will never ask you to install software, share your screen, or grant remote access to your computer.
  • Follow-up calls offering additional services. If you paid once, expect escalation calls offering trademark monitoring, international registration, copyright services, or legal consultations. These are all fraudulent.
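For mail administrators, the first and third indicators can be turned into a triage rule that separates "authentic" from "solicited". This is an added example, not part of the original investigation; the authserv-id, the identity terms, the verdict labels and every sample message are assumptions or constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: authserv-id of your own inbound MTA
NOTICE_SUBJECTS = ("welcome new user", "subscription change confirmation")
IDENTITY_TERMS = ("uspto", "patent and trademark")


def is_uspto(domain):
    return domain == "uspto.gov" or domain.endswith(".uspto.gov")


def dkim_pass_domains(msg):
    """Domains with dkim=pass, read only from headers our own MTA stamped."""
    found = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # a sender can inject this header; ignore foreign ones
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results, re.I):
            found.add(m.group(1).lower())
    return found


def triage(raw, self_subscribed=False):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    subject = " ".join(msg.get("Subject", "").lower().split())
    if not is_uspto(domain):
        claims = f"{display} {domain} {subject}".lower()
        if any(term in claims for term in IDENTITY_TERMS):
            return "impersonation"  # USPTO branding from a non-uspto.gov domain
        return "unrelated"
    if not any(is_uspto(d) for d in dkim_pass_domains(msg)):
        return "unauthenticated"  # uspto.gov in From, no trusted DKIM pass
    if domain == "subscriptions.uspto.gov" and subject in NOTICE_SUBJECTS:
        # Authentic mail, but all it proves is that someone typed this
        # address into the public form. It says nothing about any caller.
        return "expected" if self_subscribed else "unsolicited-subscription"
    return "authenticated"


def sample(sender, subject, auth):
    return f"From: {sender}\nSubject: {subject}\nAuthentication-Results: {auth}\n\nbody\n"


# Constructed messages; the mailbox names and .example domains are placeholders.
GENUINE = sample('"U.S. Patent and Trademark Office" <placeholder@subscriptions.uspto.gov>',
                 "Subscription Change Confirmation",
                 "mx.example.net; dkim=pass header.d=subscriptions.uspto.gov")
LOOKALIKE = sample('"USPTO TEAS" <notice@uspto-office-usa.example>',
                   "Verification appointment",
                   "mx.example.net; dkim=pass header.d=uspto-office-usa.example")
FORGED = sample("fees@uspto.gov", "Fee notice",
                "mail.sender.example; dkim=pass header.d=uspto.gov")

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("lookalike", LOOKALIKE), ("forged", FORGED)):
        print(name, "->", triage(raw))
```

The `self_subscribed` flag stands in for whatever record you keep of subscriptions the recipient actually requested; without such a record, every GovDelivery notice should be treated as unsolicited.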
09

REGULATORY EXPOSURE

The operators of this scheme face exposure under multiple federal statutes. More significantly, the platforms and providers whose systems enable the operation face questions about their own obligations:

  • 18 U.S.C. § 1030 (Computer Fraud and Abuse Act) - The operation's deployment of remote access trojans on victim computers constitutes unauthorized access to protected computers with intent to defraud. The 122 documented sessions across 18 US victims establish a pattern of systematic computer fraud.
  • 18 U.S.C. § 1343 (Wire Fraud) - Each fraudulent phone call and electronic payment constitutes a separate count of wire fraud. With 77,000+ victim records, the potential count exposure is staggering.
  • 18 U.S.C. § 1028A (Aggravated Identity Theft) - The operation uses fabricated identities, impersonates government officials, and harvests personal data for fraud.
  • FTC Act Section 5 - The operation constitutes unfair and deceptive trade practices. The FTC issued a specific Consumer Alert in September 2025 about USPTO impersonation scams - confirming this is a recognized fraud pattern.
  • FCC Regulations (47 U.S.C. § 227) - The spoofing of caller ID information to impersonate a government agency violates the Truth in Caller ID Act. The FCC can impose fines of up to $10,000 per violation.
  • Lanham Act (15 U.S.C. § 1125) - The impersonation of the USPTO and trademark-related services constitutes false designation of origin and false advertising. Amazon's $36.4 million judgment against a related operation was brought under this act.

Regarding platform liability:

  • Granicus/GovDelivery bears responsibility for operating a government notification system with no protection against third-party email registration abuse. The absence of CAPTCHA, rate limiting, or verified opt-in on a system that sends DKIM-signed .gov emails creates a ready-made social engineering amplifier. Any individual or entity can trigger authentic government emails to any email address in the world, on demand, for free. This is not a sophisticated exploit. It is a design failure.
  • Wholesale VoIP providers that provision 571 area code numbers without adequate subscriber verification enable government impersonation at scale. The FCC's STIR/SHAKEN mandate has not solved this problem.
  • Payment processors that onboard entities connected to this operation without detecting the fraud pattern are failing their own anti-money laundering and know-your-customer obligations.

10

INTELLIGENCE GAPS

Our investigation was conducted through authorized passive OSINT - examining publicly exposed, unauthenticated infrastructure. The following questions remain open:

  • How many victims have paid? The CRM databases contain 77,000+ records, but we cannot determine what percentage resulted in successful payment extraction. The total financial harm could range from millions to tens of millions of dollars.
  • What is the relationship between this operation and the defendants in Amazon v. Wasim? The modus operandi is identical. Some operator names overlap. Whether this is the same organization, a franchise, or an independent copycat operating from the same talent pool in Karachi remains unconfirmed.
  • Has Granicus been notified? We reported the GovDelivery abuse to the Department of Commerce OIG and to USPTO TMScams. Whether Granicus has taken any action to prevent third-party email subscription abuse is unknown.
  • How many federal agencies are affected? GovDelivery operates notification systems for dozens of US federal agencies. If the subscription form vulnerability exists across all GovDelivery implementations - not just USPTO - the same tactic could be used to generate legitimate .gov emails from any participating agency. The attack surface may extend far beyond trademark fraud.
  • What is the total financial infrastructure? We identified payment collection through legitimate platforms and funds routed to a UAE address. The full money laundering chain - from victim payment to operator payout - has not been fully mapped.

11

ZERO|TOLERANCE Advisory

If you have filed a US trademark application - or are planning to file one - take the following steps:

1. Expect the call. Every new trademark filer's contact information is being scraped in real time. You will likely be contacted by this operation. Knowing the scam exists is your primary defense.

2. The USPTO will never call you to collect fees. Period. The USPTO communicates through TEAS, official mail, and published correspondence channels. Any phone call demanding trademark payment is fraudulent. Hang up.

3. Ignore unexpected USPTO subscription emails. If you receive GovDelivery emails from subscriptions.uspto.gov that you did not sign up for, do not click any links and do not confirm the subscription. Someone registered your email as part of a scam.

The subscription will auto-expire if left unconfirmed.

4. Verify independently. If you have any doubt about a communication claiming to be from the USPTO, call the USPTO directly at their published number: 1-800-786-9199. Do not call any number provided by the suspicious caller.

5. Report it. Send details to TMScams@uspto.gov. File an FTC report at reportfraud.ftc.gov. File an FCC complaint for spoofed numbers at consumercomplaints.fcc.gov. The more reports filed, the more resources law enforcement can allocate.

6. Do not install software. If anyone claiming to represent the USPTO asks you to install remote access software, share your screen, or download an application, refuse immediately. This is a precursor to remote access trojan deployment.

7. If you already paid, contact your bank or payment provider immediately to initiate a chargeback. File a report with the FBI's Internet Crime Complaint Center at ic3.gov.

Document everything - the phone number that called you, any emails received, any names given, and any payment receipts.

We filed a trademark. They came for us. We investigated. Now we are publishing what we found so that the next target knows what is coming.

12

SOURCES

FTC Consumer Alert (September 2025), USPTO Official Guidance (Recognizing Common Scams), USPTO Official Guidance (Spoofing Phone Numbers), Amazon.com Inc. v. Wasim et al (N.D. Cal.
