A phishing campaign targets residents of several US states with fake traffic violation notices sent via text message, using embedded QR codes to direct victims to sites that steal personal and financial information. The campaign has been reported in New York, California, North Carolina, Illinois, Virginia, Texas, Connecticut and New Jersey.
The texts include an image of a fabricated court notice instead of a simple link, a change from the toll scam and parking violation texts that circulated widely in 2025. The image format and embedded QR code are used to make phishing infrastructure more difficult for automated security tools and researchers to detect and analyze.
How the QR code scam works for traffic violations
The fake notices pose as state courts, and one example claims to be from the “Criminal Court of the City of New York.” The message indicates that an unpaid toll or parking violation has formally taken effect and instructs the recipient to scan a QR code to settle the balance.
Scanning the QR code takes you to an intermediate page that requires a CAPTCHA to continue. Completing the CAPTCHA redirects to a second site that poses as a state DMV or related agency. In all examples reviewed by BleepingComputer, the declared outstanding balance is $6.99.
Phishing sites impersonating the New York DMV have used hostnames including “ny.gov-skd(.)org” and “ny.ofkhv(.)life.”
Upon passing the balance screen, a form is presented requesting name, address, phone number, email address and credit card details. The attacker collects that data and can use it for financial fraud, identity theft, follow-on phishing, or sales to other threat actors.
How to Identify and Avoid the Traffic Violation QR Code Scam
State agencies have confirmed that they do not send text messages requesting personal or payment information. Any unsolicited text claiming an unpaid government fine and directing the recipient to scan a QR code or click a link to pay should be ignored, regardless of how official the attached image appears.
If you receive one of these messages, do not scan the QR code, do not complete any CAPTCHAs and do not enter any personal or financial information on the destination site. The $6.99 amount is used to make the request appear routine and low-risk, but the form collects all payment card details.
Recipients who have already submitted information should contact their bank or card issuer immediately to report possible fraud and request a replacement card.
