Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Apr 07, 2026 · 5 min read

That Traffic Violation Text With a QR Code Is a Scam—It Has Already Hit Eight States

Scammers are sending fake court notices via text message, demanding a $6.99 payment through a QR code that leads to phishing sites designed to steal your credit card, name, address, and phone number.

A smartphone showing a suspicious text message with a QR code placed on a car dashboard

How the Scam Works

The scam begins with a text message that impersonates a state court. The message claims you have an outstanding traffic violation and warns of legal consequences if you do not pay immediately. It includes a QR code instead of a link, a deliberate choice that helps the scam evade automated security filters that scan URLs in text messages.

Scanning the QR code takes you to an intermediary page that first presents a CAPTCHA puzzle. This is not for your protection. It exists to block security researchers and automated analysis tools from examining the phishing infrastructure behind the scam.

After solving the CAPTCHA, you are redirected to a phishing site that impersonates your state's DMV or a court website. The site claims you owe a small fee, typically $6.99, for an unpaid toll or parking violation. Proceeding past the balance screen reveals a form requesting your full name, home address, phone number, email address, and credit card details.

That data goes directly to the attackers, who use it for identity theft, financial fraud, targeted phishing follow ups, or resale to other criminal groups.

Which States Are Affected

Reports have been filed across at least eight states:

  • New York
  • California
  • North Carolina
  • Illinois
  • Virginia
  • Texas
  • Connecticut
  • New Jersey

The campaign is likely to expand to additional states. The phishing infrastructure uses domains that mimic official government websites, such as "ny.gov-skd.org" and "ny.ofkhv.life" for New York targets.

Why QR Codes Make Phishing Harder to Detect

Traditional SMS phishing (sometimes called "smishing") includes a clickable link. Mobile carriers and security software can scan those links and block messages containing known malicious URLs. QR codes bypass this entirely because the malicious URL is encoded inside an image, not visible as text.

This is not the first time attackers have used QR codes to deliver phishing payloads. The technique, known as "quishing," has been growing steadily. North Korean hackers pioneered QR code phishing campaigns targeting government credentials, and corporate environments have seen a surge in QR codes embedded in phishing emails.

The two stage redirect (QR code to CAPTCHA, then CAPTCHA to phishing site) adds another layer of evasion. Security tools that follow links to analyze landing pages are stopped by the CAPTCHA, making automated detection significantly harder.

Evolution From Toll Scams

This campaign is a direct evolution of the toll and parking ticket text scams that spread across the United States throughout 2025. Those earlier versions used direct text links to phishing sites, impersonating toll agencies like E-ZPass or SunPass.

The switch to QR codes and the addition of CAPTCHA barriers represent a technical upgrade by the threat actors. Each iteration makes the scam harder for automated systems to detect and easier for victims to fall for, especially when the message arrives with the urgency of a legal notice.

How to Spot and Avoid This Scam

The most important thing to know: no state government agency sends traffic violation notices via text message with QR codes. Multiple state agencies have explicitly confirmed this in response to the current campaign. If you receive one, it is a scam.

  • Never scan QR codes from unsolicited text messages. If you receive a text about a traffic violation, toll, or court summons, do not scan any embedded QR code
  • Verify independently. If you think you might have an unpaid violation, go directly to your state's official DMV or court website by typing the URL in your browser
  • Check the sender. Legitimate government agencies do not send official legal notices through SMS text messages
  • Report it. Forward suspicious texts to 7726 (SPAM) and report phishing to the FBI's IC3 at ic3.gov
  • Watch for follow up phishing. If you accidentally entered information on a phishing site, monitor your email for phishing attempts and your financial accounts for unauthorized charges

If You Already Scanned the Code

If you entered personal or financial information on one of these phishing sites, take these steps immediately:

  • Contact your credit card company or bank to report the compromised card and request a replacement
  • Place a fraud alert on your credit reports through Equifax, Experian, or TransUnion
  • Change passwords for any accounts that use the same email address you entered on the phishing site
  • Monitor your email inbox closely for follow up phishing emails that reference the information you provided