
Scammers are sending fake “Notice of Default” traffic violation text messages impersonating state courts across the U.S., pressuring recipients to scan a QR code that leads to a phishing site demanding a $6.99 payment while stealing personal and financial information.
This is a new variation of the widely sent toll violation and unpaid parking ticket scams that consumers received in 2025, which claimed to be from state toll agencies.
This new campaign started a few weeks ago, with someone sharing a text targeting New York residents with BleepingComputer, and many other people reporting similar texts online for other states, including California, North Carolina, Illinois, Virginia, Texas, Connecticut, and New Jersey.
Unlike the previous campaign, which included a text message and links to phishing sites, this new variation instead consists of an image of an alleged court notice with an embedded QR code.
“This notice constitutes a final and urgent warning concerning an outstanding traffic violation involving your registered vehicle within the State of New York,” reads the fake court notice.
“This matter has now entered the formal enforcement stage.”

Source: BleepingComputer
The text message shared with BleepingComputer claims to be from the “Criminal Court of the City of New York”, stating that there is an unpaid parking or toll violation that must be paid immediately or the person must appear in court. Included are instructions to scan a QR code to settle the unpaid balances.
Scanning the QR code brings the targeted person to an intermediary site that first prompts you to solve a CAPTCHA to prove you are human. The QR codes and CAPTCHA are used to make it harder for automated security software and researchers to analyze the phishing campaign.
Solving the CAPTCHA redirects you to another phishing site that impersonates the state’s DMV or another agency, claiming there is an unpaid toll or parking ticket. In all examples seen by BleepingComputer, this outstanding balance is $6.99.
For example, phishing sites that impersonate the New York DMV use the hostname “ny.gov-skd[.]org” or “ny.ofkhv[.]life”.

Source: BleepingComputer
Clicking continue will take you to a page where you can enter your personal and credit card information to pay the alleged fee.
This form is used to steal your data, including your name, address, phone number, email address, and, ultimately, your credit card information.
This information can then be used for a wide variety of malicious activities, including follow-on phishing attacks, financial fraud, identity theft, and the sale of your data to other threat actors.
As a general rule, if you receive a text from an unknown phone number or email address requesting payment of a bill, ignore it.
State agencies have repeatedly stated in response to these scams that they do not use text messages to request personal information or payment information.
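
The two hostnames quoted above place a state code, and in one case a "gov" label, in front of an unrelated registrable domain. As an added example (not from BleepingComputer's article), this Python heuristic flags that pattern in links extracted from reported messages; the function names and the state-code subset are assumptions for illustration, and an empty result only means this pattern did not match.

```python
import re
from urllib.parse import urlsplit

# State codes for the states named in the article (illustrative subset, extend as needed).
STATE_CODES = {"ny", "ca", "nc", "il", "va", "tx", "ct", "nj"}

def refang(value: str) -> str:
    """Undo common defanging ([.] and hxxp) so the value parses as a URL."""
    return value.replace("[.]", ".").replace("hxxp", "http", 1)

def hostname_of(value: str) -> str:
    """Return the lowercase hostname of a URL or bare host, or '' if none."""
    value = refang(value.strip())
    if "://" not in value:
        value = "//" + value  # let urlsplit treat a bare host as the netloc
    return (urlsplit(value).hostname or "").rstrip(".").lower()

def lookalike_reasons(value: str) -> list[str]:
    """List the reasons a host resembles a state .gov site without being under .gov."""
    labels = hostname_of(value).split(".")
    if len(labels) < 2:
        return ["no parseable hostname"]
    if labels[-1] == "gov":
        return []  # really under the .gov TLD, so this lookalike pattern does not apply
    reasons = []
    if labels[0] in STATE_CODES:
        reasons.append(f"state code '{labels[0]}' as subdomain of a non-.gov domain")
    # A label such as "gov" or "gov-skd" anywhere except the TLD position.
    if any(re.fullmatch(r"gov([-_].*)?", label) for label in labels[:-1]):
        reasons.append("'gov' used as a label outside the .gov TLD")
    return reasons

if __name__ == "__main__":
    # First two hosts are quoted in the article; the rest are constructed for comparison.
    samples = ["ny.gov-skd[.]org", "ny.ofkhv[.]life",
               "hxxps://ny.gov-skd[.]org/pay", "dmv.ny.gov", "example.com"]
    for sample in samples:
        print(f"{sample:32} {lookalike_reasons(sample) or 'no match'}")
```

A leading state code on its own is a weak signal, so treat a single-reason match as a prompt for manual review rather than a verdict.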

