
Unpaid Parking Phishing & Data Theft: An Emerging Cyber Threat

Unpaid parking fines have become the latest cover for a sophisticated phishing scam targeting residents across major American cities. Fraudsters posing as parking authorities are sending fake text messages informing recipients of non-existent parking arrears. These fraudulent texts warn that failing to respond to the fake bills will result in a $35 daily penalty.

Authorities in numerous US cities have issued alerts about this growing mobile phishing campaign. The fraudsters’ strategy is particularly successful since it creates a sense of urgency by threatening to increase penalties, which may force vulnerable individuals into exposing personal information or clicking on malicious links.

Although parking scams have long been a problem, many US cities have recently issued warnings due to a surge in phishing text messages. Residents of Annapolis, Boston, Charlotte, Denver, Detroit, Greenwich, Houston, Milwaukee, Salt Lake City, San Diego, and San Francisco have received alerts.

How Scammers Exploit Google Redirects for Unpaid Parking Phishing Scams

This scam, which pretends to be an unpaid parking fee notice, is just one example of a relatively unsophisticated phishing attempt. To get users to provide personal and financial information, the message plays on their fear of debt.

A similar method is employed in the current unpaid toll scam text, which seems legitimate enough to deceive many people into clicking a link, supposedly to pay a fee.

This scam wave began last December and continues to affect residents. A New York citizen recently received a text message claiming to be from the City of New York, stating that an unpaid parking fee would result in a daily penalty of £35.

Fake Unpaid Parking Fee Message (BleepingComputer)

Scammers send fake alerts of unpaid parking charges to pose as local councils. The message asks recipients to submit personal information, such as name, address, and credit card number, and offers a URL that looks like an official government website. If the victim proceeds, their credit card information is sent to the scammers immediately.

To bypass detection, scammers exploit an open redirect on Google.com to route customers to a phishing website. This site is named after the city it impersonates; for example, the New York phishing site is nycparkclient[.]com.

Last year, Apple included a security feature that bans links in text messages from unknown senders and suspicious URLs. However, iMessage does not block links from Google.com because it is a trusted site.

This enables criminals to exploit the open redirect and deceive innocent individuals into opening the link. In the New York City campaign, following the link leads to a webpage that claims to be the “NYC Department of Finance: Parking and Camera Violations.” The website then asks customers to enter their name and postcode.

According to reports, clicking the link takes users to a website masquerading as a local parking violation department. Furthermore, threat actors modify the presented balance from one campaign to the next to escape detection.

In one case, BleepingComputer received a text message indicating an overdue parking charge amount of $4.6. When visitors attempt to make a payment, they are provided with a standard phishing form requesting personal information.

Fake NYC Parking Fine Website Harvesting Personal Information (BleepingComputer)

A key indicator of this scam is the placement of the dollar sign. Instead of appearing before the amount as is customary in the US, it is shown afterwards. This means it is likely that the phishing attempt came from somewhere outside of the United States.
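The two tells described above, a trusted host that only forwards to another site and a dollar sign placed after the amount, can be checked offline before anyone taps the link. The following is an added example, not code from the original article or from any vendor: the allowlist of official hosts, the sample messages, and the redirect path and "dest" parameter are constructed placeholders, not the endpoint used in the real campaign.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: the only hosts this organisation accepts as genuine payment portals.
OFFICIAL_HOSTS = {"nyc.gov"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Amount followed by the dollar sign ("4.60$"), the misplaced-symbol tell.
TRAILING_DOLLAR_RE = re.compile(r"\d+(?:\.\d+)?\$")

def host_of(url):
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def is_official(host):
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)

def embedded_targets(url):
    """Absolute URLs carried inside the query string (parse_qsl percent-decodes)."""
    return [v for _, v in parse_qsl(urlsplit(url).query)
            if re.match(r"https?://", v, re.I)]

def final_destination(url, max_hops=5):
    """Unwrap nested redirect parameters offline; no network request is made."""
    for _ in range(max_hops):
        nested = [t for t in embedded_targets(url) if host_of(t) != host_of(url)]
        if not nested:
            break
        url = nested[0]
    return url

def triage_sms(text):
    findings = []
    for url in URL_RE.findall(text.replace("[.]", ".")):  # refang for parsing only
        dest = final_destination(url)
        if host_of(dest) != host_of(url):
            findings.append(f"redirect:{host_of(url)}->{host_of(dest)}")
        if not is_official(host_of(dest)):
            findings.append(f"unofficial-destination:{host_of(dest)}")
    if TRAILING_DOLLAR_RE.search(text):
        findings.append("currency-symbol-after-amount")
    return findings

# Constructed samples; the redirect path and "dest" parameter are placeholders.
SCAM_SMS = ("City of New York: unpaid parking invoice of 4.60$. Pay now: "
            "https://google.com/redirect-placeholder?dest=https%3A%2F%2Fnycparkclient[.]com%2Fpay")
GENUINE_SMS = "Reminder: parking balance $4.60 due. Details: https://www.nyc.gov/payments"

if __name__ == "__main__":
    print(triage_sms(SCAM_SMS))
    print(triage_sms(GENUINE_SMS))
```

Because the check judges the unwrapped destination rather than the host shown in the message, a link that starts with a trusted domain gets no free pass.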

A page where the attackers attempt to steal personal information is displayed to the victim when they click the “Proceed Now” button. This includes the victim’s name, address, phone number, email address, and, eventually, credit card information.

The data can be used for a number of fraudulent activities once it is in their control, including identity theft, financial fraud, more phishing attempts, and even selling the data to other criminals.

Phishing texts highlight the growing threat in our digital age, especially through mobile communications. If you receive an unexpected text or email from an unknown number requesting that you open a link, pay a bill, or respond in any manner, block and report the sender immediately.

Citizens are advised to remain alert while authorities tackle this phishing issue. Learning how to recognise the signs of phishing can protect your personal information and lower your risk of falling victim to these scams. Examples of noticeable mistakes found in parking charge frauds include misspelt words or misplaced symbols, such as a dollar sign after the amount.
