A phishing campaign is targeting residents in many U.S. states by sending fake traffic violation notifications via text messages. These messages contain embedded QR codes that direct victims to steal their personal and financial information. The campaign has been reported in New York, California, North Carolina, Illinois, Virginia, Texas, Connecticut, and New Jersey.

The messages include an image of a fake court notification, unlike the widespread transit and parking violation fraud texts circulating in 2025. The image format and embedded QR code are used to make it difficult for automated security tools and researchers to detect and analyze the phishing infrastructure.

How Does Traffic Violation QR Code Fraud Work?

The fake notifications mimic state courts, claiming to come from the New York City Criminal Court. The message states that an unpaid parking or transit violation has entered official enforcement and directs the recipient to scan a QR code to pay the balance.

Scanning the QR code redirects to an intermediary page that requires a CAPTCHA to proceed. Once the CAPTCHA is completed, the user is redirected to a second site that mimics a state DMV or relevant agency. In all examples reviewed by BleepingComputer, the specified unpaid balance is noted as $6.99.

Phishing sites impersonating the New York DMV have used hostnames like ny.gov-skd[.]org and ny.ofkhv[.]life.

After passing the balance screen, a form is presented requesting name, address, phone number, email address, and credit card information. This data is collected by the attacker and can be used for financial fraud, identity theft, subsequent phishing, or sold to other threat actors.

How to Recognize and Avoid Traffic Violation QR Code Fraud?

State agencies have confirmed that they do not send text messages requesting personal or payment information. Any unsolicited message claiming an unpaid state fine and directing the recipient to scan a QR code or click a link should be ignored, no matter how official the attached image looks.

If you receive one of these messages, do not scan the QR code, do not complete any CAPTCHA, and do not enter any personal or financial information on the landing page. The $6.99 amount is used to make the request seem ordinary and low-risk, but the form collects full payment card information.

Recipients who have submitted information should contact their banks or card issuers immediately to report potential fraud and request card replacement.