
Source: BleepingComputer
A large-scale SMS phishing (smishing) campaign has been detected in several U.S. cities, masquerading as official notifications from municipal parking departments. Residents are receiving fraudulent messages claiming they have outstanding parking fines, with a daily penalty of $35 looming for non-payment.
While such scams have existed for years, the current wave of fraudulent SMS messages has prompted authorities in multiple cities—ranging from Boston and Detroit to San Francisco and Charlotte—to issue warnings. The campaign, which began in December, remains active, targeting residents across various states, including New York.
The text of the message asserts that this is the final notice regarding an unpaid fine requiring immediate settlement to prevent accruing daily penalties. Embedded within the message is a link leading to a phishing site designed to mimic an official municipal parking portal. In the case of New York, cybercriminals have been using the deceptive domain “nycparkclient[.]com.”
To circumvent security measures, the attackers employ an open redirect via “Google[.]com,” allowing them to evade iMessage’s link-blocking mechanism. Apple automatically disables suspicious domains in messages from unknown senders, but by leveraging Google’s redirection, the attackers enhance the perceived legitimacy of the link, increasing the likelihood that recipients will click on it.
Upon landing on the fraudulent website, victims are prompted to enter their name and ZIP code, after which they are presented with a fabricated debt amount. In one documented instance, a user was falsely informed of an outstanding balance of $4.60.
However, observant users may notice a subtle inconsistency: the dollar sign appears after the amount, an unusual formatting choice in the United States. This anomaly suggests that the scammers are likely operating from outside the country.
Clicking the “Pay” button directs victims to a form requesting personal details, including their address, phone number, email, and credit card information. This sensitive data can be exploited for identity theft, financial fraud, and subsequent cyberattacks.
Experts advise ignoring such messages, refraining from clicking on suspicious links, and immediately blocking the sender’s number. If in doubt about the legitimacy of a fine, individuals should contact their city’s parking department directly.
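For mail and SMS gateway operators, the redirect trick described above can be screened for by looking inside a link's query string rather than only at its visible host. The following is an added example, not code from the original report: the sample messages, the `.example` hosts, and the redirect path and parameter name are constructed assumptions, since the report does not give the actual link format.

```python
import re
from urllib.parse import urlsplit, parse_qsl

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages; hosts, path and parameter names are assumptions.
SAMPLES = [
    "Final notice: unpaid parking invoice. Pay now to avoid a $35 daily fee: "
    "https://www.google.com/redirect?target=https%3A%2F%2Fparking-pay.example%2Fnotice",
    "Your permit renewal is ready: "
    "https://parking.city.example/renew?return=https%3A%2F%2Fparking.city.example%2Fhome",
    "Reminder: street cleaning on Tuesday.",
]

def site(host):
    """Approximate the registrable domain as the last two labels.
    A production filter would use the Public Suffix List instead."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def embedded_redirects(url):
    """Return (outer_host, inner_host) pairs where a query parameter
    carries an http(s) URL that points at a different site."""
    try:
        outer = urlsplit(url)
    except ValueError:
        return []
    if not outer.hostname:
        return []
    hits = []
    # parse_qsl percent-decodes values, so encoded destinations are caught too.
    for _name, value in parse_qsl(outer.query, keep_blank_values=True):
        try:
            inner = urlsplit(value)
        except ValueError:
            continue
        if inner.scheme in ("http", "https") and inner.hostname:
            if site(inner.hostname) != site(outer.hostname):
                hits.append((outer.hostname, inner.hostname))
    return hits

def scan_message(text):
    """Collect cross-site redirect findings for every URL in a message body."""
    findings = []
    for url in URL_RE.findall(text):
        findings.extend(embedded_redirects(url.rstrip(".,;)")))
    return findings

if __name__ == "__main__":
    for msg in SAMPLES:
        print(scan_message(msg) or "no cross-site redirect", "<-", msg[:40])
```

A finding means the link's real destination differs from the trusted host the recipient sees, so the inner host is the one to evaluate against reputation and blocklists.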