January 19, 2021 By David Bisson 3 min read

Text phishing scammers are targeting New York state drivers with messages asking them to update their driver’s licenses. Using the ongoing adoption of the REAL ID Act of 2005 in an attempt to make the scam sound legitimate, the attackers have used three specific text phishing messages, the New York State Department of Motor Vehicles (DMV) said in December 2020.

When it comes to the wider world of digital attacks, this is classed as a phishing scam. The goal of the scammers is to encourage victims to submit personal information.

Learn what to look out for when it comes to this and similar text phishing scams. A message that says it comes from a government agency might be real or a government phishing scam.

The Fake Text Messages

The New York DMV released three types of text phishing messages that serve as the opening salvo in this attack.

Message No. 1: The first attack message informs the recipient in broken English that anyone holding a driver’s license must “update their contact to compliance regulation agreements.”

Message No. 2: The next text phishing message does something similar, telling the recipient they need to modify their mailing and contact information in order to speed up compliance with new ID regulations. This version of the scheme mentions REAL ID by name.

Travelers might recognize REAL ID as a requirement for commercial flights. This form of identification provides proof of the minimum set of security requirements necessary for a person to enter a federal building or board a federally regulated commercial aircraft.

The text phishing message doesn’t mention flights. Instead, it mentions ‘travel’ only. This might be an attempt to trick drivers into thinking they need a REAL ID to drive, travel by train or use other modes of transportation other than federally regulated commercial flights.

Message No. 3: The final text message parrots the previous two iterations but uses the most broken grammar of the three.

It reads as follows: “Due to update on our new regulation compliant, driver license holder must update their contact.”

All three of the driver’s license phishing messages redirect to a fake DMV website designed to steal information.

Other Text Phishing Attacks

New York State DMV warned of a similar text phishing attack in October 2020. In that case, threat actors were using scam text messages to redirect users to a fake DMV website. If someone clicked on it, the attackers could target them with identity theft and/or malware.

In another case, a text phishing scam used a pandemic relief payment as a cover story. The attack message informed the recipient they were entitled to $600 if they clicked on an embedded link. These attackers used spoofing techniques to disguise their message as official correspondence from New York’s Department of Labor, Abnormal Security discovered in December 2020. In the end, if you click on the campaign it leads to a fake New York government portal designed to steal information.

Anti-Phishing Best Practices

These attacks highlight the need for employers to defend themselves against phishing attacks pretending to be government messages. They can do so by investing in creating a security awareness training program. Seeing phishing attacks in a test setting can educate employees about some of the most common types of scams in use today, as well as emerging campaigns.

In addition, employers can consider using phishing prevention technical controls. These monitor their networks for suspicious actions, such as signs of attackers misusing a compromised account. Companies can also leverage user behavior analytics to monitor real users’ behavior against a known baseline and to respond to anomalies before a threat actor makes their move.

More from News

Regulatory harmonization in OT-critical infrastructure faces hurdles

3 min read - In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI). The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous. Meanwhile, the magnitude of…

Why the Christie’s auction house hack is different

3 min read - Christie's, one of the world's leading auction houses, was hacked in May, and the cyber group RansomHub has claimed responsibility. On May 12, Christie’s CEO Guillaume Cerutti announced on LinkedIn that the company had “experienced a technology security incident.” RansomHub threatened to leak “sensitive personal information” from exfiltrated ID document data, including names, dates of birth and nationalities. On the group’s dark website, RansomHub claims to possess 2GB of data on “at least 500,000” Christie’s clients from around the world.…

Should there be a total ban on ransomware payments?

3 min read - The debate about the United States government banning companies from making ransomware payments is back in the headlines. Recently, the Ransomware Task Force for the Institute for Security and Technology released a memo on the topic. The task force stated that making a ban on ransomware payments in the U.S. at the current time will worsen the harm to victims, society and the economy. Additionally, small businesses cannot withstand a lengthy business disruption and might go out of business after…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today