Traffic violation scams switch to QR codes in new phishing texts

Scammers are sending fake “Notice of Default” traffic violation text messages impersonating state courts across the U.S., pressuring recipients to scan a QR code that leads to a phishing site demanding a $6.99 payment while stealing personal and financial information.

This is a new variation of the widely sent toll violation and unpaid parking ticket scams that users received in 2025, which claimed to be from state toll agencies.

This new campaign started a few weeks ago, with someone sharing a text targeting New York residents with BleepingComputer, and many other people reporting similar texts online for other states, including California, North Carolina, Illinois, Virginia, Texas, Connecticut, and New Jersey.

Unlike the previous campaign, which included a text message and links to phishing sites, this new variation instead includes an image of an alleged court notice with an embedded QR code.

“This notice constitutes a final and urgent warning regarding an outstanding traffic violation involving your registered vehicle within the State of New York,” reads the fake court notice.

“This matter has now entered the formal enforcement stage.”

The text message shared with BleepingComputer claims to be from the “Criminal Court of the City of New York”, stating that there is an unpaid parking or toll violation that must be paid immediately or the person must appear in court. Included are instructions to scan a QR code to settle the unpaid balances.

Scanning the QR code brings the targeted person to an intermediary site that first prompts you to solve a captcha to prove you are human. The QR codes and CAPTCHA are used to make it harder for automated security software and researchers to analyze the phishing campaign.

Solving the CAPTCHA redirects you to another phishing site that impersonates the state’s DMV or another agency, claiming there is an unpaid toll or parking ticket. In all examples seen by BleepingComputer, this outstanding balance is $6.99.

For example, phishing sites that impersonate the New York DMV use the hostname “ny.gov-skd[.]org” or “ny.ofkhv[.]life”.

Clicking continue will take you to a page where you can enter your personal and credit card information to pay the alleged charge.

This form is used to steal your data, including your name, address, phone number, email address, and, eventually, your credit card information.

This information can then be used for a wide variety of malicious activities, including follow-on phishing attacks, financial fraud, identity theft, and the sale of your data to other threat actors.

As a general rule, if you receive a text from an unknown phone number or email address requesting payment of a bill, ignore it.

State agencies have repeatedly stated in response to these scams that they do not use text messages requesting personal information or payment information.

Automated Pentesting Covers Only 1 of 6 Surfaces.

Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.

This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.

Get Your Copy Now