A new wave of SMS phishing ("smishing") attacks is impersonating U.S. state courts by sending fake "Notice of Default" traffic violation text messages. Unlike earlier campaigns that embedded direct URLs, this updated tactic leverages QR codes to redirect victims to credential-harvesting phishing sites — a technique known as quishing (QR code phishing) designed to bypass URL-based spam filters and security tools.
How the Scam Works
Recipients receive an SMS that appears to come from a state court or DMV authority, claiming an unpaid traffic fine has entered "default" status. The message creates urgency by warning of escalating penalties, license suspension, or legal action.
The critical evolution in this campaign: instead of a clickable link, the text contains a QR code and instructs the recipient to scan it to pay a nominal fee — typically $6.99 — to resolve the alleged violation.
When scanned, the QR code redirects to a convincing phishing site that:
- Collects personal information — full name, address, driver's license number, date of birth
- Harvests financial data — credit card number, expiration date, CVV, and billing address
- May install tracking scripts or lightweight malware through malicious page content
The $6.99 fee is a deliberate low-pressure tactic: the amount is small enough that victims may not question paying it, while the real objective is the full financial and personal data harvest.
Why QR Codes?
The shift from embedded URLs to QR codes is a calculated evasion technique:
- Bypasses URL filtering: Security software and mobile carrier spam filters cannot scan QR code image content to detect malicious destinations
- Discourages copy-paste inspection: Unlike a hyperlink, a QR code cannot be quickly examined before scanning
- Exploits mobile scanning habits: Users have been conditioned to trust QR codes through legitimate use in restaurants, parking meters, and transit systems
- Camera-based delivery: The attack chain moves from SMS to camera app to browser — crossing multiple application boundaries that reduce the chance of a consistent security warning
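Because the lure carries no URL for a filter to inspect, a triage rule has to score the message text and its attachment pattern instead. The following Python is an added example, not code from the source report: the indicator weights, the threshold, and the `has_image` field (whether the messaging gateway saw an image attachment) are assumptions, and the sample messages are constructed.

```python
import re
from dataclasses import dataclass

# Indicators taken from the lure described in this article. The weights and
# the threshold below are illustrative assumptions, not tuned values.
INDICATORS = {
    "authority": (re.compile(r"\b(court|dmv|department of motor vehicles)\b", re.I), 2),
    "default_notice": (re.compile(r"\bnotice of default\b|\bdefault status\b", re.I), 3),
    "threat": (re.compile(r"\b(license suspension|penalt\w+|legal action)\b", re.I), 2),
    "scan_instruction": (re.compile(r"\bscan\b.{0,40}\bcode\b|\bqr code\b", re.I), 3),
    "small_fee": (re.compile(r"\$\s?\d{1,2}\.\d{2}\b"), 1),  # amounts under $100
}
URL_RE = re.compile(r"https?://|\bwww\.", re.I)


@dataclass
class Message:
    body: str
    has_image: bool  # assumption: the gateway reports an image attachment


def score_message(msg):
    """Return (score, matched indicator names) for one SMS/MMS message."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(msg.body)]
    score = sum(INDICATORS[name][1] for name in hits)
    # An image with no URL in the text matches the QR delivery described above.
    if msg.has_image and not URL_RE.search(msg.body):
        hits.append("image_without_url")
        score += 2
    return score, hits


def is_suspected_quishing(msg, threshold=7):
    return score_message(msg)[0] >= threshold


# Constructed sample messages (not captured from the real campaign).
SAMPLES = [
    Message("State Traffic Court: NOTICE OF DEFAULT. Your unpaid fine is in default "
            "status. Scan the QR code to pay the $6.99 fee and avoid license "
            "suspension.", has_image=True),
    Message("Your pharmacy order is ready. Show this QR code at the counter.",
            has_image=True),
    Message("Reminder: your court hearing is on the 14th at 9:00 AM.", has_image=False),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(is_suspected_quishing(m), *score_message(m))
```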
Scope and Targeting
The campaign impersonates multiple state courts across the United States, with researchers observing variations tailored to specific states. This geographic personalization increases perceived legitimacy — recipients in a given state see a message appearing to come from their local court system.
Traffic violation scam campaigns targeting U.S. mobile users have surged since 2024, with toll-road impersonation scams (fake E-ZPass, SunPass, and similar) establishing the template that this court impersonation variant now follows.
Protecting Yourself
How to identify this scam:
- Legitimate courts and DMV agencies do not send payment requests via SMS
- Government agencies use official mail for "Notice of Default" and enforcement actions
- QR codes in unsolicited text messages should be treated with extreme suspicion
- The $6.99 "fee" framing is a classic low-friction social engineering technique
If you receive a suspicious traffic violation text:
- Do not scan the QR code
- Do not call any phone number included in the message
- Independently look up your actual state court or DMV website to check for any genuine outstanding violations
- Report the message to the FTC at reportfraud.ftc.gov and forward it to 7726 (SPAM) on your phone
If you already scanned and submitted information:
- Contact your bank or card issuer immediately to report potential fraud and request a card replacement
- Place a fraud alert on your credit file with one of the major bureaus (Equifax, Experian, TransUnion)
- Monitor accounts for unauthorized transactions
The Broader Quishing Trend
QR code phishing attacks have seen significant growth across multiple sectors, targeting not just consumers but also corporate environments where fake QR codes are delivered via email, printed materials, and even physical media placed in public spaces. Security awareness training programs should explicitly address QR-based phishing as a distinct threat vector, separate from traditional URL-based phishing.
Source: BleepingComputer