Expired driver’s licenses open lane for cybercriminals

 

Connecting state and local government leaders

Fraudsters are sending out emails and texts saying that an expired driver’s license must be updated and directing victims to online forms that collect personal information such as a Social Security numbers and dates of birth.

After the COVID-19 pandemic hit last year, many states issued emergency declarations allowing driver’s licenses to remain valid past expiration dates. But those extensions mostly have ended, and drivers now need to make sure their licenses are renewed.

Scammers are exploiting that shift, cybersecurity experts say.

Driver’s license phishing scams designed to steal people’s identities have been popping up across the U.S., according to state motor vehicle agencies.

Fraudsters send out texts or emails falsely warning that the target’s license needs to be updated, is missing information or is expiring. If the person clicks the link, it typically opens a Google Forms spreadsheet requesting personal information such as a Social Security number and date of birth.

“It’s really despicable,” said David Druker, a spokesperson for the Illinois secretary of state’s office, which issues driver’s licenses. “It’s just outrageous that when the country is going through the COVID crisis, people are taking the time and energy to steal information from others.”

In typical phishing, scammers email malicious links or attachments and people unwittingly click them. When the scammers operate through texting, the method is called “SMS phishing” or “smishing.”

In the past two months, Iowa, Minnesota, Ohio, Vermont and Wyoming were among the states warning residents about the scams.

In Illinois, Druker said, thousands of people have received texts and emails in which scammers pose as the secretary of state or as officials from the state department of transportation. Druker said he is not aware whether anyone has fallen for the ploys.

After learning about the phishing and smishing, Illinois officials alerted the FBI and IRS, which have worked with Google to take down the sham webpages. So far, the agencies have identified 1,035 sites and Google has shut down nearly 900 of them, Druker said.

“We do not communicate with people about personal information through text or email,” he said. “We send formal letters from our office.”

Scams in some states have played off the Real ID, a secure government-issued driver’s license or identification card that the U.S. Department of Homeland Security will soon be requiring for air travel or access to government-restricted areas. The federal government has extended the deadline for states to issue Real IDs from Oct. 1, 2021, to May 3, 2023, because of the pandemic.

In New York, the Department of Motor Vehicles alerted residents to a text scam that asks them to update their mailing address and contact information for “expedited compliance” with new Real ID regulations.

The agency posts a running list of examples of the many phishing ruses in which scammers pretend to be the DMV. The texts and emails often include DMV logos, images and content copied from the department’s website or from another state government agency.

‘Perfect scam storm’

Fraudsters love to create a sense of urgency when trying to hook victims, cybersecurity experts say.

Driver’s license phishing texts and emails play into that strategy, and have become the “scam du jour,” said Alex Hamerstone, risk management director at TrustedSec, a cybersecurity consulting company based near Cleveland.

“It’s very topical. A lot of states extended driver’s license expirations because of COVID. It feels real and looks like it comes from the DMV,” Hamerstone said. “It’s a perfect scam storm.”

In New Jersey, the Department of Transportation posted a warning on its Facebook page last month with a screenshot of a bogus text message that claimed the target needed to “validate” their driver’s license.

“NJDOT is not involved in driver’s licenses or vehicle registrations. They are handled by the New Jersey Motor Vehicle Commission,” the department wrote. “We will never ask for or need your driver’s license information.”

Earlier this month, New Jersey’s Office of Homeland Security and Preparedness issued its own alert about a similar, email-based phishing effort.

It’s been difficult for some residents to get in-person appointments with the state’s motor vehicles department, so these scams may have played into that backdrop, said Michael Geraghty, New Jersey’s cybersecurity director.

While New Jersey officials have alerted Google about the scams and gotten it to take down the sites, that won’t necessarily stop the criminals, Geraghty added.

“It doesn’t prevent the same bad actors from opening a new Google account with a fictitious name, creating a form and using software to blast out text messages,” he said.

In Utah, the state departments of transportation and public safety issued a joint warning about the texting scam. The phony text pretends to come from the DOT and asks people to click on a link because “their contact information seems to be invalid or missing.”

Clicking on the link opens a Google Forms page soliciting personal information. The document, which the agencies included with their warning, features a header image from the state DOT, which doesn’t even issue licenses in Utah.

“We really hope that anyone who received this noticed a lot of red flags,” said Joe Dougherty, the public safety agency’s spokesperson. “Asking for someone’s Social Security number is a huge one. Even your credit card company only asks for the last four digits.”

Dougherty said Utah officials reached out to Google, as other states have, and the company killed the web page.

In a statement from Google to Stateline, the company said its policy prohibits the use of its products for phishing, including for soliciting or collecting sensitive data.

"We are deeply committed to protecting our users from phishing abuse across our services, and are continuously working on additional measures to block these types of attacks as methods evolve," the spokesperson wrote.

While shutting down the pages helps, it may not be enough, Dougherty said. “That doesn’t stop a person from going out and doing this again.”

This article first appeared on Stateline, an initiative of The Pew Charitable Trusts.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.