DMV traffic ticket text scam 2026: is it real, or is it phishing?
A text claiming the DMV will suspend your license over an unpaid traffic ticket is the fastest-growing government-imposter smishing wave of the year.
Bottom Line First
Verdict: scam. A text saying the DMV will suspend your license over an unpaid traffic ticket is a scam. State DMVs do not text payment demands, do not threaten prosecution by SMS, and never send a "pay now" link or QR code in a text message. Real DMV websites end in .gov only, and a real violation arrives as a paper notice by mail, not as an urgent text with a countdown. If you got one, do not tap the link. Delete it and report it.
What the DMV text scam is, and why it is everywhere in 2026
The text reads like an official summons. It names your state DMV, claims you have an overdue traffic ticket or unpaid violation, and then it escalates fast: pay within a short window or your registration, license, and driving privileges get suspended, a service fee gets added, your case gets sent for prosecution, and your credit score takes a hit. There is a link. The link is the whole attack.
This is not a fringe scam. The Federal Trade Commission first flagged it in July 2025 in an alert titled "That text about an overdue traffic ticket is probably a scam." The agency described it directly as the next move after the unpaid-toll wave: same playbook, scarier story, bigger payment demand. By April 2026 the FTC issued a follow-up, "That text about a traffic violation is probably a scam," documenting a new variant built around a QR code and a fake court hearing.
The numbers behind the trend are real and recent. The FTC's March 2025 data release reported $12.5 billion in total reported fraud losses for 2024, up 25 percent year over year, with government-imposter losses alone reaching $789 million, up $171 million from 2023. In May 2026 the FTC's "New trends in reports of imposter scams" alert put imposter-scam losses at roughly $3.5 billion across more than a million reports, with government-imposter reports up about 40 percent. A government agency that touches nearly every adult driver is exactly the brand a smishing crew wants to wear.
What the scam text actually says
The wording rotates, but the skeleton is stable. A typical message reads something like this:
- "[State] DMV Final Notice: Our records show an outstanding traffic ticket on your file. Pay before [date] or your driver license and vehicle registration will be suspended. Settle now: [link]"
- "DMV Violation Alert: You have an unpaid violation. Failure to respond within 24 hours will result in a report to the DMV violation database, a 35% service fee, and prosecution. [link]"
- "State Department of Motor Vehicles: Your driving privileges will be suspended for 30 days due to an unpaid citation. Avoid legal action and credit damage: [link]"
The 2026 variant the FTC documented in April is more elaborate. It embeds a QR code, displays a fake state seal, includes a fabricated case number, and even names a scheduled court-hearing date to make the threat feel like a real legal proceeding. Messages of this form sometimes cite an official-sounding statute or "administrative code" reference. Treat any such citation as part of the costume, not as proof of legitimacy. Whatever the wording, the destination is a phishing page that harvests your card details and personal data, or the message pushes you toward gift cards, a wire transfer, Venmo, or Zelle. None of those is how a real DMV collects anything.
What the scam links look like (illustrative)
The link is engineered to look almost-official at a glance on a small phone screen. The domain crams in "dmv" plus your state plus a word like "pay," "portal," "violation," or "services," and then lands on a cheap top-level domain that no government agency would ever use. The examples below are illustrative; real DMV sites end only in .gov:
- dmv-ca-gov-payment.com
- txdmv-violation.cc
- ny-dmv.online
- dmv-services-portal.xyz
- flhsmv-pay.top
- dmv-ticket-settle.info
The trick is that the real agency name appears somewhere in the string, but not as the actual top-level domain. The true domain is the end of the hostname: the part immediately before the first single slash after https://. Everything to the left of that is dressing. A real California DMV address is dmv.ca.gov. Anything like dmv-ca-gov-payment.com is a different site that merely contains those words. The same goes for the QR-code variant: a QR code is just a link you cannot read with your eyes, which is exactly why scammers like it. Scan it and you land on the same kind of page.
Red flags that give it away every time
You do not need to know your state's exact process to spot this. The tells are structural.
- It arrived as a text. The DMV does not text payment demands. A real violation comes by mail, on paper, to the address on your record.
- There is a countdown. "Within 24 hours," "before [date]," "suspended in 30 days." Real administrative processes run over weeks and arrive by post. Urgency is the lever.
- The link is not a .gov domain. Real US state motor-vehicle agencies always use a .gov address - sometimes under the state's main portal (such as mass.gov or michigan.gov) rather than a "dmv" name, but always .gov. Any .com, .org (including the well-known privately owned dmv.org, a third-party site that is not a government agency), .cc, .online, .xyz, .top, or .info address claiming to be the DMV is not the real agency, no matter what words it contains.
- It threatens prosecution, credit damage, or a "service fee." The Colorado DMV's June 2025 warning specifically called out texts threatening prosecution. The DMV does not assess a "35% service fee" or report your driving to your credit bureau.
- The sender is odd. The California DMV flagged texts coming from a +63 (Philippines) country code. Others come from a random Gmail, Outlook, or Yahoo address. A real agency does not email-blast a license suspension from a personal mailbox.
- It wants gift cards, wire, Venmo, or Zelle. No government agency collects a fine through any of these. This one tell, by itself, is conclusive.
- A QR code, fake seal, fake case number, or a "court hearing date." The April 2026 FTC alert documents exactly this dressing. It is designed to look like paperwork. It is not paperwork.
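The red-flag list above can be applied mechanically to a message and its sender. The sketch below is an added example, not code from SafeBrowz or any agency; the rule names, the regular expressions, and the sample messages are constructed for illustration, and treating every non-+1 number as odd is an assumption that generalizes the +63 case.

```javascript
// Added illustration, not SafeBrowz code. Each rule mirrors one red flag from the list above.
const RULES = [
  ["countdown", /\bwithin \d+ (hours?|days?)\b|\b(pay|respond) before\b|\bfinal notice\b/i],
  ["threat", /\b(prosecution|legal action|credit (score|damage)|service fee|suspended)\b/i],
  ["payment-rail", /\b(gift cards?|wire transfer|venmo|zelle)\b/i],
  ["court-dressing", /\b(qr code|case (no\.?|number)|court[- ]hearing|hearing date)\b/i],
];
const CLAIMS_DMV = /\b(dmv|department of motor vehicles)\b/i;
const FREE_MAILBOX = /@(gmail|outlook|yahoo)\.com$/i;

function oddSender(from) {
  if (from.includes("@")) return FREE_MAILBOX.test(from.trim());
  const digits = from.replace(/[^\d+]/g, "");
  // Assumption: for a US agency, any number outside +1 is odd (the article names +63).
  return digits.startsWith("+") && !/^\+1\d{10}$/.test(digits);
}

function nonGovLinks(body) {
  const hosts = [];
  for (const raw of body.match(/https?:\/\/[^\s\]]+/gi) || []) {
    try { hosts.push(new URL(raw).hostname.toLowerCase()); } catch { hosts.push(raw); }
  }
  return hosts.filter((h) => !h.endsWith(".gov"));
}

function triageText({ from, body }) {
  const flags = RULES.filter(([, re]) => re.test(body)).map(([name]) => name);
  if (oddSender(from)) flags.push("odd-sender");
  const badHosts = nonGovLinks(body);
  if (badHosts.length) flags.push("non-gov-link");
  // Per the list: a gift-card/wire/Venmo/Zelle demand is conclusive by itself,
  // and so is a message that claims to be the DMV but links off .gov.
  const conclusive = flags.includes("payment-rail") ||
    (CLAIMS_DMV.test(body) && badHosts.length > 0);
  return { flags, badHosts, verdict: conclusive ? "scam" : flags.length ? "suspicious" : "no-signal" };
}

// Constructed sample messages, modelled on the wording quoted in this article.
const TEXT_SAMPLES = [
  { from: "+63 900 000 0000", body: "DMV Violation Alert: You have an unpaid violation. Failure to respond within 24 hours will result in a 35% service fee and prosecution. https://txdmv-violation.cc/pay" },
  { from: "notice.desk@gmail.com", body: "State Department of Motor Vehicles: settle your citation today with gift cards to avoid legal action." },
  { from: "+1 202 555 0143", body: "Reminder: your road test is booked for Tuesday. Details: https://dmv.ny.gov/schedule" },
];
for (const s of TEXT_SAMPLES) console.log(triageText(s).verdict, triageText(s).flags);
```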
How this differs from the unpaid toll text scam
If this feels familiar, that is because it is the same crews evolving the same kit. The unpaid toll text scam was the breakout SMS phishing campaign of 2024 and 2025, the subject of the FBI IC3 public service announcement on April 12, 2024 about smishing over road-toll debt. That campaign impersonated toll programs like E-ZPass, FasTrak, and SunPass with a small "unpaid toll" of a few dollars. To be clear, that IC3 PSA is the toll advisory, not a DMV-specific alert.
The DMV version is the escalation, and the FTC framed it that way itself. The toll scam asked for a small amount from a toll program. The DMV scam impersonates the licensing authority directly and raises the stakes: not a $3 toll but your license, your registration, your right to drive, and the threat of court. Bigger threat, same mechanic. The brand changes; the harvest at the end of the link does not.
What SafeBrowz sees on the network
When the SafeBrowz engine examines a DMV lookalike page, the structure of the attack is consistent enough to read across all three detection layers. A few patterns stand out.
First, the domains are young. The destination behind a DMV smishing text is almost always a domain registered within the last few weeks, often the last few days. No legitimate government portal is days old. Domain-age signals alone flag a large share of these before any content even loads.
Second, the structure is a keyword sandwich on a cheap TLD. The string carries "dmv" plus a state abbreviation plus a transactional word ("pay," "portal," "settle," "violation"), then resolves on a low-cost top-level domain that no .gov registrant uses. The agency name living anywhere except the real registrable domain is itself the signal.
Third, the page content gives itself away. A real state seal, a "Pay Outstanding Violation" headline, a card form, and a countdown timer, all served from a non-.gov host, is a textbook brand-impersonation profile. The page often blocks right-click, hides the address bar where it can, and renders the form before any "official" text the user could read. Content-level analysis catches the impersonation even when the domain is brand new and absent from every blocklist.
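The hostname rule from the link section ("the part immediately before the first single slash") and the keyword-sandwich pattern described above can both be checked from the URL alone. This is an added example, not SafeBrowz's engine code; the word lists and verdict names are assumptions drawn from this article's wording, and domain age and page-content analysis are out of its scope.

```javascript
// Added illustration, not SafeBrowz code. Word lists are assumptions drawn from this article.
const AGENCY_WORDS = ["dmv", "flhsmv"];
const TRANSACTION_WORDS = ["pay", "portal", "settle", "violation", "services", "ticket"];
const CHEAP_TLDS = ["cc", "online", "xyz", "top", "info"];

function inspectLink(link) {
  let host;
  try {
    // new URL() isolates the hostname (everything before the first single slash)
    // and converts non-ASCII labels to Punycode (xn--...).
    const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(link) ? link : "https://" + link;
    host = new URL(withScheme).hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return { host: null, verdict: "unparseable", reasons: ["not a valid URL"] };
  }
  const labels = host.split(".");
  const tld = labels[labels.length - 1];
  // Only the right-most label decides; "gov" anywhere else is dressing.
  if (tld === "gov") return { host, verdict: "gov-host", reasons: [] };

  const reasons = [];
  const hasAgency = AGENCY_WORDS.some((w) => host.includes(w));
  if (hasAgency) reasons.push("agency name on non-.gov host");
  if (hasAgency && TRANSACTION_WORDS.some((w) => host.includes(w)))
    reasons.push("keyword sandwich");
  if (CHEAP_TLDS.includes(tld)) reasons.push("low-cost TLD");
  if (labels.some((l) => l.startsWith("xn--"))) reasons.push("punycode label");
  if (/(^|[.-])gov([.-]|$)/.test(labels.slice(0, -1).join(".")))
    reasons.push("gov as a word, not the TLD");
  const verdict = hasAgency ? "agency-name-on-non-gov" : reasons.length ? "suspicious" : "no-signal";
  return { host, verdict, reasons };
}

// The article's illustrative lookalikes and real addresses; the path in the last entry is constructed.
const LINK_SAMPLES = ["dmv-ca-gov-payment.com", "txdmv-violation.cc", "ny-dmv.online",
  "https://dmv.ca.gov/", "https://www.mass.gov/", "https://flhsmv-pay.top/dmv.ca.gov/login"];
for (const s of LINK_SAMPLES) console.log(s, "->", inspectLink(s));
```

The last sample shows why only the hostname is inspected: a .gov string in the path has no bearing on which site answers.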
Which agencies the attackers spoof next
Smishing crews follow the path of least friction: any agency with universal reach, a payment surface, and a credible threat. The DMV checks all three, which is why it followed tolls. Based on the same logic, the believable next pivots are predictable.
- Vehicle registration and emissions/inspection authorities. A natural sibling of the DMV theme, with the same "your registration will be suspended" hook.
- State courts and "e-filing" or "failure to appear" notices. The April 2026 fake-court-hearing variant is already halfway there. Expect standalone "outstanding warrant" or "missed jury duty" texts.
- Tax authorities. The IRS and state revenue departments are perennial imposter targets; see our coverage of the IRS tax refund scam.
- Toll and parking enforcement, in reverse. Parking-citation texts ("city parking violation, pay or be booted") reuse the DMV emotional template at the municipal level.
- Utility shutoff and benefit-eligibility notices. Same urgency, same payment surface, broad reach.
The defense does not change agency to agency. The brand on the message is interchangeable; the structure of the attack is not. That is the whole reason a structural defense beats a per-brand one.
Why browser-side detection beats SMS and email filtering alone
Carrier and email filters do real work, but they are fighting the message, and the message is the cheapest part of the operation. Attackers churn through sender numbers and burner email accounts daily. They keep the text short to slide under keyword filters. They use link shorteners and QR codes specifically so the dangerous part is invisible until you act on it. A filter that misses one in a thousand still lets through plenty when the campaign sends millions.
The thing that does not change is the destination. To steal anything, the scam has to land you on a page that impersonates the DMV and asks for a card number or your personal details. That page is where the attack is actually committed, and that page is what a browser-layer scanner inspects directly. When you tap the link, a browser extension can recognize the page is impersonating a government agency on a non-.gov domain and block it before the form ever loads, regardless of which sender number or QR code delivered it. The message filter and the browser layer are complementary, but the browser layer is the one standing where the money is taken.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants) + community whitelist/blacklist, all running directly in the extension before the page renders. It catches government-impersonation keyword patterns on non-.gov hosts, cheap-TLD abuse, and "pay-violation" redirect families instantly.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, plus domain-age lookup (most DMV-scam destinations are less than 30 days old) and 30+ scam TLDs.
- Layer 3 - AI deep scan: content-aware brand-impersonation analysis in 100+ languages catches a brand-new lookalike that no blocklist has seen yet, including the QR-code and fake-seal variants.
Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
For people who do not want to install anything, the same engine powers the free public URL checker. Paste any link from a suspicious DMV text and get a verdict in seconds.
What to do right now
If a DMV text just landed, here is the whole correct response.
- Do not tap the link or scan the QR code. The link is the entire attack surface. Curiosity is how people get caught.
- Verify directly, not through the text. If you genuinely want to know whether you owe anything, open a new browser tab and type your state DMV address yourself. The real ones end in .gov: dmv.ca.gov (California), txdmv.gov (Texas), dmv.ny.gov (New York), flhsmv.gov (Florida). Log in or call the number listed on that official site.
- Forward the text to 7726 (SPAM). That is the free shortcode US carriers use to flag smishing.
- Report it. File with the FTC at reportfraud.ftc.gov and with the FBI's Internet Crime Complaint Center at ic3.gov. Include the sender number, the link, and a screenshot.
- Then delete the message.
If you already tapped the link but entered nothing, you are most likely fine: close the tab and clear cookies for that domain. If you entered card details, call your bank using the number on the back of your card, freeze or lock the card in your banking app right away, and watch your statements. If you handed over your Social Security number or full personal details, go to identitytheft.gov for a step-by-step recovery plan and place a free fraud alert with one of the credit bureaus. Our full "I got scammed, what do I do now" walkthrough covers the first-hour playbook in detail.
The states that have already warned the public
This is not a guess. DMVs across many states (including NY, FL, CA, GA, IL, CO, VA, TX, TN, AZ, CT) have issued warnings about exactly these texts. The Colorado DMV published an urgent warning in June 2025 about texts threatening prosecution. The Texas DMV ran a campaign titled "Don't click it. It's not a ticket!" The New York DMV warned residents about a fresh barrage of scam texts, and the California DMV maintains a standing scam-alert page. If your state's licensing agency has told you in plain language that it does not text payment demands, that statement settles the question by itself.
Frequently asked questions
Is the DMV traffic ticket text real or a scam?
It is a scam. State DMVs do not text people demanding payment for traffic tickets, and they do not send "pay now" links or QR codes by SMS. The FTC, the FBI's IC3, and DMVs across many states (including NY, FL, CA, GA, IL, CO, VA, TX, TN, AZ, CT) have all warned that these texts are phishing. A real violation arrives as a paper notice by mail.
Can the DMV actually suspend my license over a text I ignore?
No. Ignoring a scam text has no effect on your real driving record, because the text is not from the DMV. License or registration suspension is a formal administrative process that runs over weeks and is documented by mail to the address on your record. There is no "respond within 24 hours by text" pathway, ever.
What does a real DMV website address look like?
Real state DMV sites end in .gov. Examples include dmv.ca.gov, txdmv.gov, dmv.ny.gov, and flhsmv.gov. Any address ending in .com, .cc, .online, .xyz, .top, or .info that claims to be the DMV is fake, even if the words "dmv" and your state appear in the link.
I scanned the QR code in the text. What now?
A QR code is just a hidden link. If you only opened the page and entered nothing, close the tab and clear cookies for that site. If you typed in card or personal details, call your bank using the number on your card, freeze the card in your banking app, and report it at reportfraud.ftc.gov and ic3.gov. If you shared your Social Security number, start at identitytheft.gov.
Why am I getting these texts if I do not even owe a ticket?
Attackers do not target by driving record. They blast millions of messages to phone numbers bought from data brokers. A large share of recipients have no outstanding ticket at all. Receiving the text is not evidence you owe anything.
The text quoted an official-looking statute or case number. Does that make it real?
No. A fabricated case number, a quoted "administrative code," a state seal image, and a scheduled court-hearing date are all part of the costume. The April 2026 FTC alert documents this exact dressing in the newest variant. Official-looking does not mean official. Verify only by typing your state's .gov DMV address yourself.
How do I report a DMV scam text?
Forward the message to 7726 (SPAM) to flag it with your carrier. File a report with the FTC at reportfraud.ftc.gov and with the FBI's Internet Crime Complaint Center at ic3.gov, including the sender number, the link, and a screenshot. Then delete the text.