A sophisticated new phishing campaign is targeting drivers across the United States, leveraging the fear of legal penalties to steal personal and financial data. Scammers are sending fraudulent SMS messages impersonating state courts, such as the "Criminal Court of the City of New York," which contain a fake "Notice of Default." The messages claim the recipient has an outstanding traffic, parking, or toll violation and that the matter has "entered the formal enforcement stage." Unlike previous iterations of this scam that used clickable links, this new variant embeds a QR code within an image of the official-looking notice. Recipients are pressured to scan the code to resolve the alleged fine, which directs them to a convincing phishing website. This site then demands a payment—often cited as $6.99—while simultaneously harvesting credit card details, personal identification, and other sensitive information.
The campaign, which began circulating widely a few weeks ago, represents a significant evolution in social engineering tactics. By utilizing QR codes, attackers bypass traditional link-based URL filters and exploit the perceived legitimacy and convenience of scanning a code with a smartphone camera. Reports have surfaced from residents in multiple states including New York, California, Texas, Illinois, and New Jersey, indicating a broad, coordinated attack. This scam is a direct descendant of the widespread toll and parking ticket phishing texts that plagued users in 2025, but its shift to QR codes and its guise as an urgent court document make it particularly deceptive and dangerous.
The cybersecurity implications are severe. This method demonstrates attackers' continuous adaptation to user awareness and security software. QR codes can obscure the final destination URL, making it harder for individuals to scrutinize the address for signs of fraud before visiting. Furthermore, the use of official court branding and urgent legal language creates a powerful psychological trigger, prompting even cautious users to act hastily. Security experts warn that any unsolicited message demanding payment or personal information should be treated with extreme skepticism. Individuals who receive such a message should independently verify any alleged violations through official government or court websites via a trusted browser, not through any link or code provided in the message.
To protect against such threats, users are advised to never scan QR codes from unsolicited or suspicious messages. It is critical to verify the sender's authenticity through official channels and to be wary of any communication that uses high-pressure tactics or threats of legal action to force immediate action. Organizations and state agencies must also ramp up public awareness campaigns to educate citizens about these evolving digital threats. As phishing kits that facilitate these QR code attacks become more accessible online, security professionals anticipate a continued surge in such scams, requiring heightened vigilance from both the public and private sectors to mitigate the risk of large-scale data theft and financial fraud.
