Watch out for the QR code scam on SMS that fakes official fines


In recent weeks, a text-message scam has resurfaced with a variation that deserves special attention: scammers are sending supposed "Non-compliance Notifications" that appear to come from state courts or agencies like the DMV and include a QR code for the victim to "resolve" an alleged pending charge. Behind that QR code there is no real obligation, only a trap designed to steal personal and banking data.

The tactic is not entirely new (recall the waves of messages about unpaid tolls and fines that circulated in early 2025), but the criminals have made small changes that increase the probability of success. In this more recent version, the message usually contains an image that simulates an official court notice in alarmist language, urging the recipient to scan the QR code to "avoid proceedings" or "attend a hearing." The economic hook is deliberately small: in reported cases the amount demanded is only $6.99, low enough that many people pay without thinking to avoid paperwork, yet lucrative when multiplied by thousands of victims.


After the code is scanned, the route is intentionally indirect: first you reach an intermediate site that asks you to solve a CAPTCHA to "verify that you are not a robot." This step is not innocent: the CAPTCHA and the intermediate links help evade automated controls and make the campaign harder for security analysts to investigate. After completing this check, the user is redirected to a fake website that imitates the relevant state agency, for example sites that try to pass as traffic offices or motor vehicle departments. In the examples analyzed by specialized media, the domains used had strange forms, such as "ny.gov.skd[.]org" or "ny.ofkhv[.]life," a clear indication that they do not belong to official entities.
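The lookalike domains quoted above work because a hurried reader sees "ny.gov" somewhere in the address. The following check is an added example, not code from the article or from any agency; the allowlist, function names and the sample official URL are assumptions made for illustration. It contrasts that substring impression with a check on the end of the hostname.

```python
import re
from urllib.parse import urlsplit

# Assumption: an illustrative allowlist; the real set of official domains
# for a given agency has to come from that agency, not from the message.
OFFICIAL_SUFFIXES = ("ny.gov",)

def refang(text):
    """Turn a defanged indicator such as 'a [.] b' back into 'a.b' for parsing only."""
    return re.sub(r"\s*\[\.\]\s*", ".", text.strip())

def hostname_of(value):
    """Extract the lower-cased hostname from a URL or bare host string."""
    value = refang(value)
    if "://" not in value:
        value = "https://" + value
    return (urlsplit(value).hostname or "").rstrip(".").lower()

def naive_looks_official(value):
    """The flawed check: 'ny.gov' appears somewhere in the hostname."""
    return "ny.gov" in hostname_of(value)

def is_official(value, suffixes=OFFICIAL_SUFFIXES):
    """Correct check: hostname equals, or is a subdomain of, an official suffix.
    Matching on '.' + suffix at the END stops 'ny.gov.<anything>' from passing."""
    host = hostname_of(value)
    return any(host == s or host.endswith("." + s) for s in suffixes)

def triage(values):
    """Return {input: verdict} for a batch of decoded QR targets."""
    verdicts = {}
    for v in values:
        if is_official(v):
            verdicts[v] = "official"
        elif naive_looks_official(v):
            verdicts[v] = "lookalike"   # contains the official name, wrong parent domain
        else:
            verdicts[v] = "not official"
    return verdicts

# The two defanged domains quoted in the article plus one constructed official URL.
SAMPLES = ["ny.gov.skd[.]org", "ny.ofkhv[.]life", "https://dmv.ny.gov/tickets"]

if __name__ == "__main__":
    for target, verdict in triage(SAMPLES).items():
        print(f"{verdict:12} {target}")
```

The hostname is read right to left: whatever sits immediately before the top-level domain is the party that controls the site, and labels to its left can say anything.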

The final screen requests personal information and credit card details to "pay" the fine. That form does not process legitimate payments: all it does is capture your name, phone number, address, email and banking data for the attackers to use or sell. With these elements they can commit financial fraud or identity theft, or launch more sophisticated phishing campaigns directed against you and your contacts.

Public institutions have repeatedly warned that they do not request payments or sensitive information by text message. For example, the New York Governor's office posted an alert about message campaigns that impersonated E-ZPass and other official services; the statement is available on the state's official website. In addition, consumer protection organizations offer practical guides to recognizing and avoiding phishing; the Federal Trade Commission (FTC) maintains useful resources on its page "How to recognize and avoid phishing fraud." For technical reports and analysis of this type of campaign, security journalists often document them in media such as BleepingComputer (bleepingcomputer.com), which has followed the evolution of these scams.

If you receive such a message, there are several clear signs that it could be a scam: the sender does not appear among your contacts, the text appeals to fear or urgency, the amount requested is very low, and you are forced to use a link or QR code instead of being offered an official channel. Whatever the form, the golden rule is the same: do not scan the code or enter personal or financial data on pages whose origin has not been verified. If you are in doubt, browse directly to the official agency site (e.g. the DMV page of your state) or call the official number listed on its website to confirm any notification.


It is also worth taking practical measures: check your bank transactions if you did pay, report the incident to your financial institution so it can block the card if necessary, and change important passwords if you have used the same information in other services. To report this fraud, you can file a complaint on the FTC's reporting portal and, in the United States, it is also recommended to inform the FBI through the IC3 (Internet Crime Complaint Center).

Behind the technical detail (QR codes, CAPTCHAs, fake domains) there is always a human strategy: rush the recipient into acting without thinking. Keeping calm, checking through official channels and not giving anyone your data by message are the best defenses. If you have any doubts about the veracity of a notification, search for the exact name of the campaign or the text of the message in a search engine and consult official sources before touching anything; many of these scams are already documented in the specialized media and in the authorities' alerts.

The technology we use daily can make life a lot easier, but it also opens doors to new kinds of deception. The key is to combine common sense with basic digital security habits: do not scan QR codes from unknown senders, do not enter data into unverified sites, and report the attempt so that fewer people fall into the same trap.
