Fake DMV Texts Scam Hit Thousands in Widespread Phishing Campaign
A series of fraudulent text messages impersonating state Departments of Motor Vehicles (DMVs) has spread throughout the United States, tricking thousands of Americans into handing over sensitive personal and financial information.
According to Check Point Research, the campaign, first identified in May 2025, used spoofed SMS messages and fake websites to exploit public trust in local authorities and collect data on a large scale.
Unpaid Tolls and Threats of License Suspension
Victims reported receiving texts warning of unpaid toll violations or legal penalties. The messages urged immediate action, threatening consequences such as license suspension. Included was a link directing recipients to what appeared to be a state DMV site. In reality, these were convincing clones, designed to match the visual identity of each targeted state.
Once on the fake site, victims were asked to pay a small fee and enter personal details including full name, address, email, phone number and credit card information. While the payment amount was often under seven dollars, the real damage came from the data collection.
A Well-Built Scam Network
The infrastructure behind the attack was anything but random. Most of the fraudulent sites followed a clear naming pattern that mimicked real DMV URLs. According to Check Point’s blog post, a large number of domains were hosted on the same IP address, 49.51.75.162, which has a known history of malicious activity. The sites focused on high-population states like California, Texas, New York, and Florida. States directly impacted by the campaign included:
- Texas
- Florida
- Georgia
- New York
- California
- New Jersey
- Pennsylvania
Despite the wide distribution of domains and hosting servers, the phishing kit used was consistent. Each fake DMV site loaded the same set of JavaScript, CSS, and image files. The design work, behaviour, and codebase point to a centralized development effort, not the work of independent copycats.
Evidence Points to China-Based Threat Actor
Check Point researchers have spotted several indicators linking this operation to a China-based group. All domains shared name servers from a Chinese provider, alidns.com, and the SOA contact email pointed to hichina.com.
Additionally, source code comments were written in Chinese, and the phishing kit itself matched patterns found in a toolkit known as “Lighthouse,” previously used by Chinese threat actors from the Smishing Triad in attacks targeting US DMVs.
Although direct attribution is always difficult, the overlap in infrastructure, coding language, and phishing toolkit suggests a well-resourced operation likely running from China or by Chinese-speaking operators.
Impact and Public Response
CPR noted that the scope of this attack makes it one of the most extensive smishing (SMS phishing) campaigns in the US this year. The FBI’s Internet Crime Complaint Center (IC3) received over 2,000 related complaints in just one month. Cybersecurity researchers believe the real number of victims is much higher, as many may have dismissed the incident due to the low dollar amount involved.
The story reached national outlets including CBS News, causing officials to act quickly. DMV and Department of Transportation websites across multiple states issued public warnings. They reminded residents that toll-related matters are never handled via unsolicited texts and urged victims to report the scams.
What You Can Do
This campaign is just another example of how a malicious text message, small dollar amounts, and the appearance of government authority can still trick thousands of unsuspecting users. Users and organisations should therefore pay attention to what they are responding to and follow these tips:
- Block abuse-prone domain extensions such as .cfd and .win.
- Proactively alert the public about scams through official channels.
- Go directly to the official DMV website by typing the URL in your browser.
- Do not click on links in unexpected text messages about fines or legal matters.
- Report scam messages to 7726 (SPAM) and file complaints at reportfraud.ftc.gov.
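For defenders triaging reported links, the indicators described in this article (the .cfd and .win extensions, alidns.com name servers, a hichina.com SOA contact, and many domains on one IP address) can be checked together. The Python below is an added example, not code from Check Point or the original article; the record layout, the placeholder domains, the documentation-range IPs and the cluster threshold of 3 are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators named in the article; MIN_CLUSTER is an assumed threshold.
BLOCKED_TLDS = {"cfd", "win"}
NS_ZONE, SOA_ZONE, MIN_CLUSTER = "alidns.com", "hichina.com", 3

def hostname(value):
    """Lowercase host from a URL or bare domain, trailing dot removed."""
    host = urlsplit(value if "//" in value else "//" + value).hostname or ""
    return host.rstrip(".")

def in_zone(name, zone):
    """True if name is the zone or a subdomain of it (label-boundary match)."""
    name = name.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def triage(records):
    """Return {domain: [matched indicators]} for a batch of DNS records."""
    by_ip = defaultdict(set)
    for r in records:
        by_ip[r["a"]].add(hostname(r["domain"]))
    findings = {}
    for r in records:
        host, hits = hostname(r["domain"]), []
        if host.rsplit(".", 1)[-1] in BLOCKED_TLDS:
            hits.append("blocked-tld")
        if any(in_zone(ns, NS_ZONE) for ns in r["ns"]):
            hits.append("alidns-nameserver")
        if in_zone(r["soa_rname"], SOA_ZONE):  # SOA RNAME is the contact mailbox
            hits.append("hichina-soa")
        if len(by_ip[r["a"]]) >= MIN_CLUSTER:  # many domains on one address
            hits.append("shared-ip-cluster")
        findings[host] = hits
    return findings

# Constructed sample records: placeholder names, documentation-range IPs.
SAMPLE = [
    {"domain": "https://placeholder-one.cfd/pay", "a": "192.0.2.10",
     "ns": ["ns1.alidns.com."], "soa_rname": "hostmaster.hichina.com."},
    {"domain": "placeholder-two.win", "a": "192.0.2.10",
     "ns": ["ns2.alidns.com"], "soa_rname": "hostmaster.hichina.com"},
    {"domain": "Placeholder-Three.CFD.", "a": "192.0.2.10",
     "ns": ["ns1.alidns.com"], "soa_rname": "hostmaster.hichina.com"},
    {"domain": "benign.example", "a": "198.51.100.7",
     "ns": ["ns1.notalidns.com"], "soa_rname": "admin.benign.example"},
]
if __name__ == "__main__":
    print(*triage(SAMPLE).items(), sep="\n")
```

Name servers and SOA contacts at large providers are shared by many legitimate domains, so a single match is a reason to look closer and only the combination of indicators is a strong signal.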