Unpaid Parking Phishing Scheme Hits Boston, San Diego, Several Other US Cities

Authorities in several cities across the United States are warning about a newly spotted campaign that uses fake unpaid parking messages to deceive victims.

Fake unpaid parking invoices used in recent scam

Residents of various major US cities received fake text messages from threat actors masquerading as parking violation department employees, warning them of bogus unpaid parking invoices.

Reportedly, the recent campaign’s text messages notified recipients about pending parking invoices that, if unpaid, would incur additional fines of $35 a day.

Several cities issued warnings

Although phishing scams are often localized, the recent campaign’s breadth has led numerous cities in the US to issue warnings to their citizens.

Affected cities include Annapolis, Boston, Charlotte, Denver, Detroit, Greenwich, Houston, Milwaukee, Salt Lake City, San Diego and San Francisco.

Phishing link dropped in messages

As BleepingComputer reported, the body of the text message consists of a “standard” warning, in which recipients are served a “final reminder” of a bogus unpaid parking invoice.

Perpetrators also amplify the urgency of the made-up situation by mentioning a fake $35 daily overdue fee if the invoice remains unpaid.

The message concludes with a phishing link that victims are instructed to open in order to pay the rogue fine.

A closer look at the scam’s structure

Opening the link reportedly takes the visitor to a website masquerading as a local parking violation department site. The link and website likely differ based on the target’s location (i.e., targets from New York will probably get a website relevant to their location).

Furthermore, threat actors use different balances from one campaign to another to avoid raising suspicion. For instance, a text message received by BleepingComputer showed a balance of $4.6 in unpaid parking invoices.

Attempting to proceed with the payment prompts the visitor with a “traditional” phishing form, asking them for personal data including full name, birth date, state, city, zip code, billing address, email, and payment information.

Using Google links to bypass automatic scam link filtering

Many smartphones implement security features such as automatic link filtering to block URLs that may be used to scam recipients. In other words, a text message encompassing a phishing link could end up in the spam folder.

To circumvent this, threat actors used URL redirection, making it appear that the links originate from Google, a trusted domain that won’t be blocked or restricted.

Safeguarding against scams and other threats

Staying safe from scam attempts and other threats can be daunting. Threat actors’ cunning knows no limit, as new means of deceiving unsuspecting targets emerge every day.

Specialized solutions like Bitdefender Mobile Security for Android and iOS can help you stay a step ahead of perpetrators by providing robust features like app anomaly detection, malware scanner, web protection technology, scam alert, and a built-in VPN.

Scamio, our AI-powered scam detection service, can also help you check any tricky text, social media message, email, link, image, or QR code for scams. It also works for situation-specific scenarios: describe a situation and Scamio will briefly assess its perceived legitimacy for you.

Scamio is free and available on Facebook Messenger, WhatsApp, Discord and your web browser. You can also help others stay safe by sharing Scamio with them in France, Germany, Spain, Italy, Romania, Australia and the UK.