Controls Shape Attacks

Traffic Violation Smishing Evolved. Links Are Out, QR Codes Are In.

A new smishing campaign is sending fake “Notice of Default” traffic violation texts across the US, impersonating state courts in New York, California, North Carolina, Illinois, Virginia, Texas, Connecticut, and New Jersey. The previous wave used plain text links. This one ships an image of an official-looking court notice with an embedded QR code instead.

The pivot is deliberate. Links in phishing texts are increasingly flagged by mobile security tools and carrier filters. An image attachment with a QR code sidesteps those detections entirely: there’s no URL to scan until the recipient physically raises their camera.

Scanning routes victims through a CAPTCHA to a phishing site impersonating the state’s DMV or another agency. The outstanding balance is always $6.99. Clicking through lands on a form requesting name, address, phone, email, and credit card details. Fake NY sites use hostnames like “ny.gov-skd[.]org” or “ny.ofkhv[.]life.”

The $6.99 is the engineering, not the prize. It’s deliberately small to lower resistance. The card number, billing address, and CVV collected along the way are what get sold or used downstream.

The lures are convincing. Messages include case numbers, fake judge names, real statutory citations, court dates, and AI-generated state seals. Maryland’s Judiciary, North Carolina courts, New Jersey’s NJCCIC, and multiple state DMVs have all issued warnings in the past few weeks.

Over the past several weeks, thousands of domains have been registered to impersonate nearly all US states, staged ahead of deployment. The domain infrastructure was built before the campaign ran. This is organized, not opportunistic.

Courts don’t collect payment via QR codes in text messages. Neither do toll agencies. Any unsolicited text demanding payment with a QR code is the attack, regardless of how official the attached image looks.

- Alex