A surge in phishing text messages disguised as parking violation notices has prompted multiple US cities to issue warnings. Victims are lured into fake payment portals that steal sensitive information, fueling concerns over digital fraud.
Cities Across the US Issue Warnings
Authorities from coast to coast are raising alarms about an ongoing mobile phishing campaign. Cities including Annapolis, Boston, Denver, Detroit, Houston, Milwaukee, Salt Lake City, Charlotte, San Diego, and San Francisco have all reported cases. Even New York has been hit, with residents receiving fraudulent texts claiming they owe unpaid parking fines.
These scams aren’t new, but the current wave has been particularly aggressive. It started in December and hasn’t slowed down. The texts claim an outstanding parking invoice must be paid immediately, or a $35 daily fine will be added.
One recipient, who shared the message with BleepingComputer, was told:
“This is a final reminder from the City of New York regarding the unpaid parking invoice. A $35 daily overdue fee will be charged if payment is not made today.”
The text includes a link, which appears legitimate but redirects to a phishing site mimicking an official city webpage.
How the Scam Works
The fraudsters behind this campaign have a sophisticated setup. They exploit a loophole in Google’s open redirect system, allowing them to disguise their malicious links. Because the redirect originates from Google.com—a trusted domain—security features on Apple’s iMessage and other messaging services don’t flag it as suspicious.
Here’s what happens when someone clicks the link:
- They are taken to a fake parking violation payment page.
- The website, designed to mimic official city portals, asks for a name and zip code.
- Regardless of the input, the site claims there is an outstanding balance.
- A prompt urges immediate payment to avoid accumulating fees.
The scam is designed to look convincing, but there’s a key giveaway—improper formatting. Many of these fake websites display the dollar sign after the amount (e.g., 35$ instead of $35), a common mistake from non-US-based scammers.
What Scammers Want From You
The goal isn’t just to collect a few dollars in fake fines. These phishing sites are data traps.
Clicking “Proceed Now” on the fake payment page leads to a form requesting:
- Full name
- Address
- Phone number
- Credit card details
With this information, scammers can commit identity theft, financial fraud, and even sell personal data on the dark web. A single mistake—entering your details—could lead to unauthorized charges, compromised accounts, and further phishing attempts.
How to Protect Yourself
Authorities are urging residents to stay vigilant and take the following precautions:
- Verify before you pay. If you receive a parking fine notice via text, don’t click the link. Instead, check the city’s official website or call the parking department directly.
- Look for red flags. Scams often contain spelling errors, odd phrasing, or formatting mistakes. The misplaced dollar sign is one example.
- Avoid clicking unknown links. Even if a link looks official, it may redirect to a fraudulent website. Hover over it to preview the actual URL before clicking.
- Report suspicious messages. Block the sender and forward scam texts to 7726 (SPAM) to alert your mobile carrier.
Cities and Tech Companies Fight Back
While Apple has introduced security features that disable links from unknown senders, scammers have found workarounds. Using Google’s open redirect is just one example.
Law enforcement agencies are investigating, and some cities are working with cybersecurity experts to track down the perpetrators. However, with phishing tactics constantly evolving, public awareness remains the best defense.
For now, if you receive an unexpected text about a parking fine, think twice before you tap. A few seconds of caution could save you from financial loss and identity theft.
