January 19, 2021 By David Bisson 3 min read

Text phishing scammers are targeting New York state drivers with messages asking them to update their driver’s licenses. Using the ongoing adoption of the REAL ID Act of 2005 in an attempt to make the scam sound legitimate, the attackers have used three specific text phishing messages, the New York State Department of Motor Vehicles (DMV) said in December 2020.

When it comes to the wider world of digital attacks, this is classed as a phishing scam. The goal of the scammers is to encourage victims to submit personal information.

Learn what to look out for when it comes to this and similar text phishing scams. A message that says it comes from a government agency might be real or a government phishing scam.

The Fake Text Messages

The New York DMV released three types of text phishing messages that serve as the opening salvo in this attack.

Message No. 1: The first attack message informs the recipient in broken English that anyone holding a driver’s license must “update their contact to compliance regulation agreements.”

Message No. 2: The next text phishing message does something similar, telling the recipient they need to modify their mailing and contact information in order to speed up compliance with new ID regulations. This version of the scheme mentions REAL ID by name.

Travelers might recognize REAL ID as a requirement for commercial flights. This form of identification provides proof of the minimum set of security requirements necessary for a person to enter a federal building or board a federally regulated commercial aircraft.

The text phishing message doesn’t mention flights. Instead, it mentions ‘travel’ only. This might be an attempt to trick drivers into thinking they need a REAL ID to drive, travel by train or use other modes of transportation other than federally regulated commercial flights.

Message No. 3: The final text message parrots the previous two iterations but uses the most broken grammar of the three.

It reads as follows: “Due to update on our new regulation compliant, driver license holder must update their contact.”

All three of the driver’s license phishing messages redirect to a fake DMV website designed to steal information.

Other Text Phishing Attacks

New York State DMV warned of a similar text phishing attack in October 2020. In that case, threat actors were using scam text messages to redirect users to a fake DMV website. If someone clicked on it, the attackers could target them with identity theft and/or malware.

In another case, a text phishing scam used a pandemic relief payment as a cover story. The attack message informed the recipient they were entitled to $600 if they clicked on an embedded link. These attackers used spoofing techniques to disguise their message as official correspondence from New York’s Department of Labor, Abnormal Security discovered in December 2020. In the end, if you click on the campaign it leads to a fake New York government portal designed to steal information.

Anti-Phishing Best Practices

These attacks highlight the need for employers to defend themselves against phishing attacks pretending to be government messages. They can do so by investing in creating a security awareness training program. Seeing phishing attacks in a test setting can educate employees about some of the most common types of scams in use today, as well as emerging campaigns.

In addition, employers can consider using phishing prevention technical controls. These monitor their networks for suspicious actions, such as signs of attackers misusing a compromised account. Companies can also leverage user behavior analytics to monitor real users’ behavior against a known baseline and to respond to anomalies before a threat actor makes their move.

More from News

What is the Open-Source Software Security Initiative (OS3I)?

3 min read - The Open-Source Software Security Initiative (OS3I) recently released Securing the Open-Source Software Ecosystem report, which details the members’ current priorities and recommended cybersecurity solutions. The accompanying fact sheet also provides the highlights of the report. The OS3I includes both federal departments and agencies working together to deliver policy solutions to secure and defend the ecosystem. The new initiative is part of the overall National Cybersecurity Strategy. After the Log4Shell vulnerability in 2021, the Biden-Harris administration committed to improving the security…

Europe’s Cyber Resilience Act: Redefining open source

3 min read - Amid an increasingly complex threat landscape, we find ourselves at a crossroads where law, technology and community converge. As such, cyber resilience is more crucial than ever. At its heart, cyber resilience means maintaining a robust security posture despite adverse cyber events and being able to anticipate, withstand, recover from and adapt to such incidents. While new data privacy and protection regulations like GDPR, HIPAA and CCPA are being introduced more frequently than ever, did you know that there is new…

Feds release urgent guidance for U.S. water sector

3 min read - The water and wastewater sector (WWS) faces cybersecurity challenges that leave it wide open to attacks. In response, the CISA, EPA and FBI recently released joint guidance to the sector, citing variable cyber maturity levels and potential cybersecurity solutions. The new Incident Response Guide (IRG) provides the water sector with information about the federal roles, resources and responsibilities for each stage of the cyber incident response lifecycle. Sector owners and operators can use this information to augment their incident response…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today