For those who bought a sketchy textual content final 12 months about an unpaid toll or parking ticket, you were not alone. These DMV and E-ZPass phishing scams swept throughout the nation in 2025, focusing on drivers in states like California, Florida, and New York with fraudulent messages designed to scare folks into handing over their private and monetary data. Now the scammers are again, and so they’ve upgraded their strategy.
Within the newest iteration of this rip-off, shoppers obtain a textual content message warning them they’re receiving a “closing discover” for a visitors violation, warning them to make an pressing fee, and pointing them to a QR code for fee.
In keeping with a new report from BleepingComputer, a wave of those visitors violation phishing texts is making the rounds throughout not less than 9 states: California, Connecticut, Illinois, New Jersey, North Carolina, Virginia, and Texas. Mashable additionally discovered proof that scammers are focusing on folks in Georgia as nicely.
This time, as a substitute of a easy hyperlink, the messages embrace a picture of a pretend official court docket discover and a QR code. The discover is dressed up in convincing authorized language, warning recipients that their car is the topic of an excellent violation and that the matter has entered “formal enforcement stage.” Scan the QR code, it instructs, to settle your unpaid steadiness.
‘Castfishing’ is the most recent rip-off, and it is scarily like sextortion
That steadiness, in each case that BleepingComputer documented, is $6.99 — a sufficiently small quantity that loads of folks will not suppose twice about paying it.
Scanning the code takes victims by a CAPTCHA earlier than depositing them on a pretend DMV website designed to reap names, addresses, telephone numbers, and bank card data. The stolen knowledge can then be used for identification theft, monetary fraud, or offered to different unhealthy actors.
Mashable Gentle Velocity
The earlier model of the rip-off, which we lined final 12 months, relied on clickable hyperlinks that safety software program might extra simply flag. The embedded pictures on high of the added CAPTCHA make it tougher for automated techniques and safety researchers to catch.
The Illinois Division of Transportation issued an alert this previous March warning residents that texts claiming recipients owe cash for visitors tickets, tolls, or different fines should not authentic messages from the state. That warning echoes what DMV companies in New York and elsewhere have stated repeatedly: state companies don’t use textual content messages to gather funds or request private data.
Most not too long ago, California Lawyer Common Rob Bonta issued a press launch warning Californians in regards to the rip-off.
This Tweet is at present unavailable. It is likely to be loading or has been eliminated.
This Tweet is at present unavailable. It is likely to be loading or has been eliminated.
What to do if you happen to obtain a visitors violation discover by textual content
The rule right here hasn’t modified, even when the rip-off has. For those who get an unsolicited textual content about an unpaid advantageous, visitors violation, or court docket case, no matter how official it appears, do not scan something, do not click on something, and do not pay something.
Contact your native visitors court docket or state DMV for details about any excellent violations or fines, which is able to sometimes arrive by mail.
Lastly, you possibly can report suspected phishing scams to the FTC or the FBI’s Web Crime Grievance Heart. You possibly can ignore the textual content message or delete it.
Have a narrative to share a couple of rip-off or safety breach that impacted you? Inform us about it. Electronic mail [email protected] with the topic line “Security Web” or use this kind. Somebody from Mashable will get in contact.
Subjects
Cybersecurity
Scams
