QR code pivot in traffic violation scams reflects attacker adaptation to SMS filtering
Scammers are distributing fake traffic violation notices via SMS with embedded QR codes that direct victims to phishing sites harvesting payment details and personal information. The shift to QR codes likely reflects successful SMS URL filtering deployed by carriers.
Affected
Scammers have shifted from embedding direct URLs in SMS traffic violation scams to using QR codes that direct victims to phishing pages. The scam claims a 'Notice of Default' from state courts and pressures recipients to scan the code and make a $6.99 payment; the phishing landing page both collects that charge (monetisation) and harvests the payment and personal details entered (credential harvesting). This represents clear evasion behaviour: carriers and security vendors have invested heavily in filtering known phishing domains and URL shorteners from SMS traffic, making bare links increasingly unreliable for attackers.
The QR code vector exploits the human trust model around mobile scanning: users perceive QR codes as 'safer' than clicking links because the destination is not immediately visible. Additionally, SMS carriers have less effective filtering for QR codes themselves (the image is just binary data), meaning detection must occur at the application layer or through user awareness. The attackers likely tested this approach, found it raised fewer carrier blocks, and have now scaled it as a reliable delivery method.
Victims face dual harms: immediate financial loss from the fraudulent charge and subsequent identity theft or account compromise from data harvesting at the phishing site. The spoofing of state court authority adds psychological pressure and legitimacy that increases conversion rates. Geographic targeting (state-specific court impersonation) further personalises the social engineering attack.
Defenders should implement client-side protections: SMS apps with QR code scanning warnings, enhanced user education on unsolicited payment requests, and carrier-level QR detection heuristics (sudden prevalence of QR images in SMS from unknown senders). Financial institutions should flag the $6.99 transaction pattern for fraud investigation. SMS authentication codes should remain isolated from user-generated messages to prevent QR-based SIM interception attacks.
This campaign highlights a fundamental asymmetry in mobile security: URL filtering improved, so attackers moved the payload delivery one step further from automated detection. QR codes will likely remain a reliable vector until scanning apps implement better recipient-context analysis (flagging codes from unexpected senders) or carriers deploy image-analysis detection at scale.
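One way to express the client-side warning and carrier-level prevalence heuristics described above in code, added here as an illustration rather than taken from the original analysis or any vendor product: the sender numbers, hosts, allowlist and message texts are constructed placeholders, and decoding of the QR image to text is assumed to happen upstream.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed record shape: the QR image is assumed to be decoded to text upstream
# (by the SMS app or carrier pipeline); only the decoded payload is scored here.
@dataclass
class SmsRecord:
    sender: str
    body: str
    qr_payload: Optional[str] = None  # decoded QR content, None if no image

PRESSURE_TERMS = ("notice of default", "traffic violation", "court", "final notice")
SMALL_PAYMENT = re.compile(r"\$\d{1,2}\.\d{2}")  # small fixed amounts such as $6.99
ALLOWLISTED_HOSTS = {"courts.example.gov"}  # placeholder allowlist, not a real host

def assess(rec, contacts):
    """Client-side scoring of one message; returns (score, reasons). Score >= 4: warn."""
    score, reasons = 0, []
    if rec.qr_payload and rec.sender not in contacts:
        score += 2
        reasons.append("QR image from sender not in contacts")
    if rec.qr_payload:
        parsed = urlparse(rec.qr_payload)
        host = (parsed.hostname or "").lower()
        if parsed.scheme in ("http", "https") and host not in ALLOWLISTED_HOSTS:
            score += 2
            reasons.append(f"QR resolves to non-allowlisted host {host}")
    hits = [t for t in PRESSURE_TERMS if t in rec.body.lower()]
    if hits:
        score += min(len(hits), 2)
        reasons.append("pressure wording: " + ", ".join(hits))
    if SMALL_PAYMENT.search(rec.body):
        score += 1
        reasons.append("small fixed payment demand")
    return score, reasons

def qr_burst_senders(records, threshold, contacts):
    """Carrier-side heuristic: unknown senders with >= threshold QR-bearing messages."""
    counts = Counter(r.sender for r in records if r.qr_payload and r.sender not in contacts)
    return sorted(s for s, n in counts.items() if n >= threshold)

CONTACTS = {"+15550100"}  # constructed sample traffic; numbers and hosts are placeholders
SAMPLE = [
    SmsRecord("+15550199", "Notice of Default from State Court: traffic violation unpaid. Scan to pay $6.99.", "https://pay-court-notice.example/verify"),
    SmsRecord("+15550199", "Final notice: scan the code and pay $6.99 today.", "https://pay-court-notice.example/verify"),
    SmsRecord("+15550100", "Scan this for the meeting room door code.", "ROOM-B2-4417"),
]
```

Running `assess` over `SAMPLE` scores the two court-impersonation messages well above the warn threshold while the known contact's non-URL code scores zero, and `qr_burst_senders(SAMPLE, 2, CONTACTS)` surfaces the unknown sender repeating QR images.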