US Cities Warn of Wave of Unpaid Parking Phishing Texts
Summary:
Several U.S. cities are issuing warnings about a surge in phishing text messages that impersonate municipal parking violation departments in an attempt to steal sensitive data from unsuspecting recipients. One such message, analyzed by BleepingComputer, falsely claims to be from the City of New York, notifying victims of an unpaid parking fine. The message states that a daily $35 penalty will be incurred if the fine is not paid and urges recipients to click on a link to make a payment. This link redirects users to a fraudulent website impersonating the "NYC Department of Finance." Once on the site, victims are prompted to provide personal information, including their name, birthdate, state, zip code, billing address, city, email, phone number, and eventually, credit card details. With these details, actors can launch additional targeted phishing attacks, commit identity theft and financial fraud, or sell the information to other malicious actors.
Security Officer Comments:
While phishing scams of this nature are not new, there has been a significant increase in smishing attacks since December 2024, as reported by several cities across the U.S. These attacks involve text messages that attempt to deceive recipients into providing personal information by clicking on malicious links. Although Apple introduced a security feature last year that disables links in text messages from unknown senders or suspicious domains, threat actors have managed to bypass this safeguard using Google's open redirect. Since Google.com is a trusted domain, Apple iMessage does not block links that appear to originate from it. By using this open redirect, fraudsters can trick unsuspecting users into clicking the malicious link, often without the users realizing where it leads, which increases the effectiveness of these smishing attacks.
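The check below is an added example, not code from the article or from any vendor: it flags links in a message whose visible host is trusted but whose query string carries an absolute URL on a different host, which is the shape of an open-redirect link. The trusted-host list, the sample messages, and the redirect path and parameter in the sample are assumptions; the article does not say which redirect form was used.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: hosts a link filter treats as trusted (illustrative list).
TRUSTED_HOSTS = {"google.com", "www.google.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _host(url):
    """Lower-cased hostname of an absolute http(s) URL, or None."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def embedded_targets(url):
    """Hosts of absolute URLs carried in any query parameter of `url`."""
    targets = []
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if value.startswith("//"):          # scheme-relative destination
            value = "https:" + value
        host = _host(value)                 # parse_qsl already percent-decoded it
        if host:
            targets.append(host)
    return targets


def flag_redirect_links(message):
    """(link_host, destination_host) pairs where a trusted host forwards elsewhere."""
    findings = []
    for url in URL_RE.findall(message):
        link_host = _host(url)
        if link_host not in TRUSTED_HOSTS:
            continue                        # untrusted hosts are another filter's job
        for dest in embedded_targets(url):
            if dest not in TRUSTED_HOSTS:
                findings.append((link_host, dest))
    return findings


# Constructed sample messages, not real traffic; example.test is a reserved placeholder.
SAMPLE_SMISH = ("City of New York: unpaid parking invoice, $35 daily late fee. Pay now: "
                "https://www.google.com/url?q=https%3A%2F%2Fpayment-portal.example.test%2Fpay")
SAMPLE_BENIGN = "Map: https://www.google.com/maps?q=City+Hall+New+York"
```

A filter that trusts a link by its leading host alone would pass `SAMPLE_SMISH`; comparing the embedded destination against the same trust list is what surfaces it.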
Suggested Corrections:
Individuals should exercise caution when receiving unsolicited text messages, particularly those that demand immediate action or include links asking for personal information. Parking fines, for example, are typically sent through official mail, not text messages, so any such message claiming an unpaid invoice should raise immediate suspicion. As a general rule, avoid clicking on links in texts from unfamiliar senders, even if they seem to come from trusted entities. Instead, users should directly visit official websites or reach out to the appropriate authorities using known contact numbers to verify the authenticity of any claims.
Link(s):
https://www.bleepingcomputer.com/ne...arn-of-wave-of-unpaid-parking-phishing-texts/