Text phishing scammers are targeting New York state drivers with messages asking them to update their driver’s licenses. Using the ongoing adoption of the REAL ID Act of 2005 in an attempt to make the scam sound legitimate, the attackers have used three specific text phishing messages, the New York State Department of Motor Vehicles (DMV) said in December 2020.

When it comes to the wider world of digital attacks, this is classed as a phishing scam. The goal of the scammers is to encourage victims to submit personal information.

Learn what to look out for when it comes to this and similar text phishing scams. A message that claims to come from a government agency might be real, or it might be a phishing scam impersonating one.

The Fake Text Messages

The New York DMV released three types of text phishing messages that serve as the opening salvo in this attack.

Message No. 1: The first attack message informs the recipient in broken English that anyone holding a driver’s license must “update their contact to compliance regulation agreements.”

Message No. 2: The next text phishing message does something similar, telling the recipient they need to modify their mailing and contact information in order to speed up compliance with new ID regulations. This version of the scheme mentions REAL ID by name.

Travelers might recognize REAL ID as a requirement for commercial flights. This form of identification provides proof of the minimum set of security requirements necessary for a person to enter a federal building or board a federally regulated commercial aircraft.

The text phishing message doesn’t mention flights. Instead, it mentions ‘travel’ only. This might be an attempt to trick drivers into thinking they need a REAL ID to drive, travel by train or use modes of transportation other than federally regulated commercial flights.

Message No. 3: The final text message parrots the previous two iterations but uses the most broken grammar of the three.

It reads as follows: “Due to update on our new regulation compliant, driver license holder must update their contact.”

All three of the driver’s license phishing messages redirect to a fake DMV website designed to steal information.

Other Text Phishing Attacks

New York State DMV warned of a similar text phishing attack in October 2020. In that case, threat actors were using scam text messages to redirect users to a fake DMV website. If someone clicked through, the attackers could target them with identity theft and/or malware.

In another case, a text phishing scam used a pandemic relief payment as a cover story. The attack message informed the recipient they were entitled to $600 if they clicked on an embedded link. These attackers used spoofing techniques to disguise their message as official correspondence from New York’s Department of Labor, Abnormal Security discovered in December 2020. In the end, clicking the link in the campaign leads to a fake New York government portal designed to steal information.

Anti-Phishing Best Practices

These attacks highlight the need for employers to defend themselves against phishing attacks pretending to be government messages. They can do so by investing in creating a security awareness training program. Seeing phishing attacks in a test setting can educate employees about some of the most common types of scams in use today, as well as emerging campaigns.

In addition, employers can consider using phishing prevention technical controls. These monitor their networks for suspicious actions, such as signs of attackers misusing a compromised account. Companies can also leverage user behavior analytics to monitor real users’ behavior against a known baseline and to respond to anomalies before a threat actor makes their move.
