In early April 2026 a large-scale phishing campaign began pushing QR codes in fake traffic–violation texts across the U.S., not just isolated nuisance messages. The repeated use of the fake case number “26-TR-273196” — seen with state prefixes like CO, NJ, IL, TX, MN and TN — makes clear this is a volume-driven, adaptive scam aimed at harvesting payment and identity data.

How the QR-to-payment pipeline works

Text arrives impersonating a local court or DMV and asks the recipient to scan a QR code to view a citation; scanning leads to a multi-stage phishing site that typically presents a CAPTCHA, then a payment page asking for about $6.99 and personal details. The CAPTCHA is a deliberate step to filter out automated analysis and slow down security researchers’ crawlers, so the phishing page can collect human-entered cards and ID data.

These sites often use SSL certificates and copied logos to look legitimate while operating on compromised or newly registered domains. Scammers push the messages through purchased contact lists and automated SMS systems; victims reported include everyday drivers, older adults, and fleet drivers whose organizations manage many phones. Cook County and several state courts have documented people attempting to pay fake fines in person after receiving these texts.

Why the reused case number is a strong fraud signal

Recommended Reading

BlackSanta: kernel‑level EDR killers that exploit HR recruitment workflows

BlackSanta is a focused, kernel‑level intrusion campaign that has quietly targeted HR teams for more than a year, using resume‑themed ISO files and signed but vulnerable drivers to disable endpoint defenses and siphon sensitive data without triggering normal alerts. What makes BlackSanta different This is not opportunistic commodity malware. BlackSanta combines spear‑phishing aimed at recruitment […]

BlackSanta: kernel‑level EDR killers that exploit HR recruitment workflows

Real traffic citations are unique and issued by specific jurisdictions; the same case number “26-TR-273196” appearing with different state prefixes is a practical indicator of fraud. Investigators found that the scam’s localization—adding a state abbreviation or a county court name—aims to increase trust without any back-end linkage to real court systems.

By early April 2026 the Cook County Clerk’s office and California Courts publicly warned they do not send payment QR codes via SMS, and multiple states echoed that official notices will not appear as unsolicited texts. That set of confirmations is an operational checkpoint: if a jurisdiction publicly denies SMS payments, treat any such message claiming to be from them as fraudulent.

Why QR codes and CAPTCHAs change detection and defense

QR codes hide the destination URL from the user and many automated filters, so carriers and endpoint scanners that flag suspicious links are less effective; attackers supply a human-readable web page only after the QR scan and CAPTCHA completion. Adding a small, low-dollar charge ($6.99) reduces suspicion and increases the chance a victim will complete a transaction and submit card details.

The practical difference between the older clickable-link scams and this QR/CAPTCHA chain is material: defenses that relied on URL reputation lists, link rewriting, or simple keyword blocking are partially bypassed. The next checkpoint to watch is whether attackers fuse this chain with voice phishing or more targeted social engineering aimed at fleet managers—those steps would raise the campaign from broad-volume to tailored compromise.

Checks, rules, and a quick triage table for drivers and fleets

Organizations and individual drivers should adopt simple verification rules: never scan a payment QR from an unsolicited text, confirm any alleged citation through an official court website or phone number posted on that site, and log and block numbers that send certificate-style demands. Fleet operators should enforce a policy that drivers verify citations through the fleet’s admin channel before taking any payment action.

Short Q&A

Should I ever scan a QR code from a court-like text? No — courts rarely send payment requests via unsolicited SMS. Verify any citation on the official court website or by calling the publicly listed number.

How should fleets respond? Require drivers to forward suspicious texts to a central contact; do not allow in-field payments without fleet verification. Train drivers to recognize reused case numbers and to refuse QR scanning for fines.

What if I already paid $6.99? Contact your card issuer immediately, report the charge as fraudulent, and file a complaint with your state’s consumer protection office and the FBI’s Internet Crime Complaint Center (IC3).