Text phishing scammers are targeting New York state drivers with messages asking them to update their driver’s licenses. Using the ongoing adoption of the REAL ID Act of 2005 in an attempt to make the scam sound legitimate, the attackers have used three specific text phishing messages, the New York State Department of Motor Vehicles (DMV) said in December 2020.
When it comes to the wider world of digital attacks, this is classed as a phishing scam. The goal of the scammers is to encourage victims to submit personal information.
Learn what to look out for when it comes to this and similar text phishing scams. A message that says it comes from a government agency might be real or a government phishing scam.
The Fake Text Messages
The New York DMV released three types of text phishing messages that serve as the opening salvo in this attack.
Message No. 1: The first attack message informs the recipient in broken English that anyone holding a driver’s license must “update their contact to compliance regulation agreements.”
Message No. 2: The next text phishing message does something similar, telling the recipient they need to modify their mailing and contact information in order to speed up compliance with new ID regulations. This version of the scheme mentions REAL ID by name.
Travelers might recognize REAL ID as a requirement for commercial flights. This form of identification provides proof of the minimum set of security requirements necessary for a person to enter a federal building or board a federally regulated commercial aircraft.
The text phishing message doesn’t mention flights. Instead, it mentions ‘travel’ only. This might be an attempt to trick drivers into thinking they need a REAL ID to drive, travel by train or use other modes of transportation other than federally regulated commercial flights.
Message No. 3: The final text message parrots the previous two iterations but uses the most broken grammar of the three.
It reads as follows: “Due to update on our new regulation compliant, driver license holder must update their contact.”
All three of the driver’s license phishing messages redirect to a fake DMV website designed to steal information.
Other Text Phishing Attacks
New York State DMV warned of a similar text phishing attack in October 2020. In that case, threat actors were using scam text messages to redirect users to a fake DMV website. If someone clicked on it, the attackers could target them with identity theft and/or malware.
In another case, a text phishing scam used a pandemic relief payment as a cover story. The attack message informed the recipient they were entitled to $600 if they clicked on an embedded link. These attackers used spoofing techniques to disguise their message as official correspondence from New York’s Department of Labor, Abnormal Security discovered in December 2020. In the end, if you click on the campaign it leads to a fake New York government portal designed to steal information.
Anti-Phishing Best Practices
These attacks highlight the need for employers to defend themselves against phishing attacks pretending to be government messages. They can do so by investing in creating a security awareness training program. Seeing phishing attacks in a test setting can educate employees about some of the most common types of scams in use today, as well as emerging campaigns.
In addition, employers can consider using phishing prevention technical controls. These monitor their networks for suspicious actions, such as signs of attackers misusing a compromised account. Companies can also leverage user behavior analytics to monitor real users’ behavior against a known baseline and to respond to anomalies before a threat actor makes their move.
David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...