Rupert Marais is a leading security specialist at the forefront of endpoint defense and cybersecurity strategy. With extensive experience in network management and a deep understanding of evolving threat landscapes, Rupert has become a vital voice in identifying how modern scammers exploit human psychology and technical loopholes. His expertise is particularly critical today as we see a sophisticated shift in “smishing” campaigns that blend traditional social engineering with deceptive new technologies like QR codes.
We sat down with Rupert to discuss the rise of traffic violation scams, the mechanics of credential harvesting, and how threat actors are successfully impersonating government agencies to siphon financial data from unsuspecting citizens across the United States.
Why are scammers shifting from standard links to embedded QR codes in text messages, and how do intermediary steps like CAPTCHAs help them bypass automated security filters?
The shift toward QR codes is a deliberate move to blindside automated security systems that are typically tuned to scan and flag suspicious URLs in plain text. When a scammer embeds a QR code within an image of a “court notice,” they are creating a visual layer that traditional text filters often ignore, forcing the user to bridge the gap between their SMS app and their mobile browser. Once the user scans the code, they are often met with a CAPTCHA, which serves a dual purpose: it builds a false sense of legitimacy by mimicking “secure” sites and, more importantly, it blocks automated crawlers used by security researchers. These bots generally cannot solve CAPTCHAs, meaning the actual phishing payload—the fake DMV site—remains hidden from the automated scanners that would otherwise flag and take down the domain. This technical hurdle significantly extends the lifespan of the campaign, allowing it to remain active for weeks rather than hours.
When messages use “Notice of Default” language regarding a small $6.99 fee, what psychological triggers are being pulled, and how does this low dollar amount increase the success rate of stealing sensitive financial information?
The “Notice of Default” phrasing is designed to trigger an immediate fear response, suggesting that the recipient has already missed a deadline and is now facing “formal enforcement.” However, the true genius of this scam lies in the specific $6.99 figure, which is low enough to fall below the threshold of suspicion for most people. Instead of questioning the validity of the fine, many victims feel a sense of relief that the penalty is so affordable and decide to pay it immediately just to “make the problem go away.” We observe that victims are far more likely to enter their credit card details for a $6.99 charge than they would be for a $150 fine, as the lower amount feels like a trivial administrative error rather than a major legal threat. This “micro-transaction” strategy allows scammers to harvest high volumes of valid credit card numbers with minimal friction.
These campaigns target residents in states like New York, California, and Texas by impersonating local criminal courts. What are the primary red flags in the domain names or messaging that distinguish them from legitimate government communications?
The primary red flag is always the domain structure, which often attempts to look official while failing basic scrutiny. For example, in the New York campaign, we see hostnames like “ny.gov-skd[.]org” or “ny.ofkhv[.]life,” which use “ny” and “gov” as subdomains or prefixes to trick the eye, even though the actual top-level domain is completely unrelated to government infrastructure. Legitimate state agencies will almost exclusively use “.gov” domains without strange hyphens or random strings of letters at the end. Another major red flag is the delivery method itself; the “Criminal Court of the City of New York” or the DMV will not initiate a formal legal warning via an unsolicited SMS from a random mobile number. If you look closely at the “notice” image, you will often find inconsistencies in the branding or generic language that doesn’t align with the specific jurisdiction it claims to represent.
Once a person submits their address and credit card details to a fraudulent site, what is the typical lifecycle of that stolen data?
The lifecycle of stolen data begins with immediate validation, where the threat actor may run a small test transaction to ensure the card is active. Following this, the data is typically packaged into “fullz”—a term for a complete set of personal information including name, address, phone number, and financial details—and sold on dark web marketplaces. These packages are highly valued because they contain everything needed to bypass “Know Your Customer” (KYC) checks at banks or to open fraudulent lines of credit. Beyond direct financial theft, this information is used for follow-on phishing attacks where the scammer can now use your real address to make a second, more convincing scam feel even more personalized. In many cases, the data is cycled through multiple criminal groups, each squeezing a different type of value from the victim’s identity.
Since government agencies do not typically request payment via SMS, what specific protocols should individuals follow when they receive unsolicited texts about toll violations?
The absolute first rule is to never click a link or scan a QR code contained in an unsolicited text message, regardless of how urgent it looks. If you are concerned about an actual violation, you should manually navigate to the official state DMV or toll agency website by typing the address directly into your browser or using a verified bookmark. Most states provide a “Search by Plate” or “Account Login” feature where you can safely verify your vehicle’s standing without interacting with the suspicious message. You can also contact the agency via their official customer service number found on a previous paper statement or the official “.gov” website. Reporting the message to your service provider by forwarding it to 7726 (SPAM) is another proactive step that helps carriers block these numbers for everyone.
What is your forecast for traffic violation scams?
I expect these scams to become increasingly localized and hyper-personalized as attackers use leaked database information to match your specific vehicle make or neighborhood to the fraudulent message. We will likely see a move away from static images toward more interactive, AI-generated “official” documents that can customize the fine amount or the violation date in real-time based on the recipient’s location. As people become more wary of SMS, I anticipate these campaigns will migrate toward encrypted messaging apps or even use deep-fake audio “collection calls” to supplement the phishing sites. The battle will continue to shift toward the visual and psychological, making it more important than ever for users to verify the source of every digital demand for money.
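The domain red flags Rupert describes in the New York campaign (a state abbreviation and "gov" used as subdomains or prefixes while the real top-level domain is something unrelated) can be turned into a simple triage check for defenders who review reported SMS samples. The following Python script is an added example, not code from the interview or from Rupert; the sample messages are constructed around the two defanged hostnames quoted above, the state-code list is a deliberately partial illustration, and the classification rules are heuristics for triage rather than a verdict on any domain.

```python
"""Triage helper: flag government-lookalike hostnames in reported SMS text.

Added example (not part of the interview). Heuristics only: a hit means
"look closer", not "confirmed phishing".
"""
import re

# Partial, illustrative list of US state abbreviations used as lookalike prefixes.
US_STATE_CODES = {"ny", "ca", "tx", "fl", "il", "pa", "oh", "ga", "nc", "mi"}

# A hostname: one or more dotted labels followed by an alphabetic TLD.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)

# A label that is exactly "gov" or uses "gov" as a hyphenated part ("gov-skd", "ny-gov").
# Deliberately does not match words that merely contain "gov", such as "governor".
GOV_LABEL_RE = re.compile(r"(?:.*-)?gov(?:-.*)?")

# Constructed sample messages modelled on the hostnames quoted in the interview.
SAMPLE_MESSAGES = [
    "NOTICE OF DEFAULT: Unpaid toll $6.99. Avoid formal enforcement: ny.gov-skd[.]org",
    "NY DMV: Your violation is pending. Review at hxxp://ny.ofkhv[.]life/notice",
    "Reminder: renew your registration at https://dmv.ny.gov/renew",
]


def refang(text: str) -> str:
    """Undo common defanging ("[.]", "hxxp") so hostnames parse normally."""
    return text.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def extract_hosts(text: str) -> list[str]:
    """Return every hostname-looking token in the message, lower-cased."""
    return [m.group(1).lower().rstrip(".") for m in HOST_RE.finditer(refang(text))]


def classify_host(host: str) -> str:
    """Classify a hostname using the red flags described in the interview."""
    labels = host.lower().split(".")
    tld = labels[-1]
    if tld == "gov":
        # The actual top-level domain is .gov.
        return "official"
    if any(GOV_LABEL_RE.fullmatch(label) for label in labels[:-1]):
        # "gov" appears as a subdomain or hyphenated prefix, e.g. ny.gov-skd.org.
        return "gov-lookalike"
    if labels[0] in US_STATE_CODES and len(labels) >= 3:
        # State abbreviation in front of an unrelated domain, e.g. ny.ofkhv.life.
        return "state-prefix-non-gov"
    return "unclassified"


def triage_message(text: str) -> list[tuple[str, str]]:
    """Pair each hostname in a message with its classification."""
    return [(host, classify_host(host)) for host in extract_hosts(text)]


def suspicious_hosts(messages: list[str]) -> list[str]:
    """Collect hostnames across messages that hit a lookalike rule."""
    flagged = []
    for msg in messages:
        for host, verdict in triage_message(msg):
            if verdict in {"gov-lookalike", "state-prefix-non-gov"}:
                flagged.append(host)
    return flagged


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for host, verdict in triage_message(msg):
            print(f"{verdict:22} {host}")
```

Run against the constructed samples, the two lookalike hostnames are flagged while `dmv.ny.gov` is classified as official because its real top-level domain is `.gov`; the point of the check is the position of "gov" in the name, which is exactly the distinction a hurried reader misses.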
