After the COVID-19 pandemic hit last year, many states issued emergency declarations allowing driver’s licenses to remain valid past expiration dates. But those extensions mostly have ended, and drivers now need to make sure their licenses are renewed.
Scammers are exploiting that shift, cybersecurity experts say.
Driver’s license phishing scams designed to steal people’s identities have been popping up across the U.S., according to state motor vehicle agencies.
Fraudsters send out texts or emails falsely warning that the target’s license needs to be updated, is missing information or is expiring. If the person clicks the link, it typically opens a Google Forms spreadsheet requesting personal information such as a Social Security number and date of birth.
“It’s really despicable,” said David Druker, a spokesperson for the Illinois secretary of state’s office, which issues driver’s licenses. “It’s just outrageous that when the country is going through the COVID crisis, people are taking the time and energy to steal information from others.”
In typical phishing, scammers email malicious links or attachments and people unwittingly click them. When the scammers operate through texting, the method is called “SMS phishing” or “smishing.”
In the past two months, Iowa, Minnesota, Ohio, Vermont and Wyoming were among the states warning residents about the scams.
In Illinois, Druker said, thousands of people have received texts and emails in which scammers pose as the secretary of state or as officials from the state department of transportation. Druker said he is not aware whether anyone has fallen for the ploys.
After learning about the phishing and smishing, Illinois officials alerted the FBI and IRS, which have worked with Google to take down the sham webpages. So far, the agencies have identified 1,035 sites and Google has shut down nearly 900 of them, Druker said.
“We do not communicate with people about personal information through text or email,” he said. “We send formal letters from our office.”
Scams in some states have played off the Real ID, a secure government-issued driver’s license or identification card that the U.S. Department of Homeland Security will soon be requiring for air travel or access to government-restricted areas. The federal government has extended the deadline for states to issue Real IDs from Oct. 1, 2021, to May 3, 2023, because of the pandemic.
In New York, the Department of Motor Vehicles alerted residents to a text scam that asks them to update their mailing address and contact information for “expedited compliance” with new Real ID regulations.
The agency posts a running list of examples of the many phishing ruses in which scammers pretend to be the DMV. The texts and emails often include DMV logos, images and content copied from the department’s website or from another state government agency.
‘Perfect Scam Storm’
Fraudsters love to create a sense of urgency when trying to hook victims, cybersecurity experts say.
Driver’s license phishing texts and emails play into that strategy, and have become the “scam du jour,” said Alex Hamerstone, risk management director at TrustedSec, a cybersecurity consulting company based near Cleveland.
“It’s very topical. A lot of states extended driver’s license expirations because of COVID. It feels real and looks like it comes from the DMV,” Hamerstone said. “It’s a perfect scam storm.”
In New Jersey, the Department of Transportation posted a warning on its Facebook page last month with a screenshot of a bogus text message that claimed the target needed to “validate” their driver’s license.
“NJDOT is not involved in driver’s licenses or vehicle registrations. They are handled by the New Jersey Motor Vehicle Commission,” the department wrote. “We will never ask for or need your driver’s license information.”
Earlier this month, New Jersey’s Office of Homeland Security and Preparedness issued its own alert about a similar, email-based phishing effort.
It’s been difficult for some residents to get in-person appointments with the state’s motor vehicles department, so these scams may have played into that backdrop, said Michael Geraghty, New Jersey’s cybersecurity director.
While New Jersey officials have alerted Google about the scams and gotten it to take down the sites, that won’t necessarily stop the criminals, Geraghty added.
“It doesn’t prevent the same bad actors from opening a new Google account with a fictitious name, creating a form and using software to blast out text messages,” he said.
In Utah, the state departments of transportation and public safety issued a joint warning about the texting scam. The phony text pretends to come from the DOT and asks people to click on a link because “their contact information seems to be invalid or missing.”
Clicking on the link opens a Google Forms page soliciting personal information. The document, which the agencies included with their warning, features a header image from the state DOT, which doesn’t even issue licenses in Utah.
“We really hope that anyone who received this noticed a lot of red flags,” said Joe Dougherty, the public safety agency’s spokesperson. “Asking for someone’s Social Security number is a huge one. Even your credit card company only asks for the last four digits.”
Dougherty said Utah officials reached out to Google, as other states have, and the company killed the web page.
In a statement from Google to Stateline, the company said its policy prohibits the use of its products for phishing, including for soliciting or collecting sensitive data.
"We are deeply committed to protecting our users from phishing abuse across our services, and are continuously working on additional measures to block these types of attacks as methods evolve," the spokesperson wrote.
While shutting down the pages helps, it may not be enough, Dougherty said. “That doesn’t stop a person from going out and doing this again.”