New Scam Alert: QR Codes Replace Links in Traffic Ticket Phishing
Cybercriminals have rolled out a new variant of traffic-violation scams, replacing suspicious links with QR codes to trick victims into handing over sensitive data.
According to BleepingComputer, scammers are sending fake “Notice of Default” messages that appear to come from US state courts. These messages pressure recipients to act quickly by prompting them to scan a QR code to resolve an alleged violation.
This campaign builds on earlier toll and parking ticket scams, but with a more deceptive delivery method. Instead of clickable links, victims now receive an image of an official-looking notice containing a QR code, making the message appear more legitimate at first glance.
How the scam works
The fraudulent messages typically claim there is an unpaid traffic violation that must be settled immediately. In one example shared with BleepingComputer, the message impersonates the Criminal Court of the City of New York and warns of legal consequences if payment is not made.
“This notice constitutes a final and urgent warning regarding an outstanding traffic violation involving your registered vehicle within the State of New York,” the fake notice reads, according to BleepingComputer.
Once scanned, the QR code directs victims through multiple steps designed to avoid detection. Users are first taken to a CAPTCHA page to prove they are human, before being redirected to a phishing website that mimics official agencies like a DMV.
The final page requests personal and financial details under the guise of settling a small fee, typically $6.99.
Security researchers say QR codes add a layer of deception that traditional phishing links lack. Scammers are adapting to user awareness as people have learned to distrust suspicious links, so attackers are embedding malicious URLs inside QR codes instead.
The use of images, official language, and small payment amounts is deliberate. It creates urgency while lowering suspicion, increasing the chances that victims will comply without verifying the request.
Data theft beyond the payment
While the fee itself is small, the real target is far more valuable: your data.
Victims who proceed are asked to provide personal details such as their name, address, phone number, and email, followed by credit card information. According to BleepingComputer, this data can then be used for identity theft, financial fraud, and follow-up phishing attacks.
In some cases, fake domains closely resemble legitimate government sites but use misleading endings like “.org” or “.life” instead of “.gov.”
How to stay safe
Experts recommend treating QR codes in unsolicited messages with the same caution as suspicious links.
- Do not scan QR codes from unknown senders
- Be wary of urgent payment demands tied to legal threats
- Verify any violations directly through official government websites
- Check domain names carefully; legitimate agencies typically use “.gov”
- Contact your bank immediately if you suspect your data has been compromised
State agencies have repeatedly emphasized, as reported by BleepingComputer, that they do not request payments or sensitive information via text messages.
Also read: Meta’s new AI scam detection tools for Facebook, Messenger, and WhatsApp show how major platforms are trying to spot fraud before users get pulled in.
About Author
