Morning Overview

Feds warn that “pay the fine now” texts with QR codes are draining people’s bank accounts.

Drivers across the United States are receiving text messages that look like official traffic-violation notices, complete with a state seal, a fake case number, and a QR code directing them to “settle the unpaid balance.” The Federal Trade Commission has reported a spike in these scam texts, and the FBI’s Internet Crime Complaint Center logged over 2,000 complaints tied to a related unpaid-toll version of the scheme since early March 2024. Once a recipient scans the code and enters payment details, the money moves through gift cards, wire transfers, payment apps, or cryptocurrency, making recovery nearly impossible.

How QR-code fine texts drain bank accounts

The mechanics are simple and effective. A text arrives warning of an unpaid fine or toll balance and threatens license revocation and additional penalties if the recipient does not act fast. Embedded in the message is a QR code that, when scanned, routes the user to a site designed to look like a government payment portal. That site captures bank credentials, Social Security numbers, and card details, according to the Postal Inspection Service, which calls the tactic “quishing,” short for QR-code phishing.

The payment channels these fake portals push are chosen specifically because they are hard to reverse. The FTC has documented scams that route victims into retail payment systems, gift cards, wire transfers, payment apps, and cryptocurrency. Each of those rails shares a common trait: once the money leaves, the sender has almost no path to get it back. That is the core of the “draining” effect. Victims are not just handing over credentials for future theft; they are authorizing real-time transfers that can empty accounts within minutes.

The Delaware Judiciary released a public warning after a wave of “Final notice” texts hit residents statewide. The messages included a QR code and threatened license suspension. The court’s statement was blunt: the Justice of the Peace Court does not send texts or emails about outstanding violations. That declaration is significant because it removes any ambiguity for Delaware residents. No legitimate version of this message exists from that court, so any text claiming otherwise can be treated as fraudulent on sight.

Federal agencies track the spike, but state warnings fill a gap

The FTC has described the anatomy of these messages in consumer alerts: a QR code, an official-looking notice with a state seal and fabricated case number, a scheduled “hearing” with a date and time, and a forced choice between attending the fake hearing or paying the fine immediately. The agency reports a spike in traffic-violation scam texts that follow this pattern, often timed to arrive outside normal business hours when recipients are less likely to call a court directly.

The FBI’s Internet Crime Complaint Center issued its own public service announcement focused on unpaid-toll smishing, reporting over 2,000 complaints since early March 2024. FBI guidance recommends filing a complaint with IC3 and deleting the texts rather than engaging with them. Separate FBI cyber alerts have warned that QR codes can also prompt malicious software downloads, not just credential theft, expanding the risk beyond direct financial loss to include device compromise and long-term surveillance of a victim’s online activity.

State-level warnings like Delaware’s fill a gap that federal alerts alone cannot close. When a state court explicitly says “we never send these messages,” it gives residents a clear, local reference point. Federal advisories tend to describe broad patterns and generalized red flags. A state-specific denial names the exact institution being impersonated, which makes it easier for recipients to recognize the scam in the moment they receive it. Whether states that issue these targeted warnings actually see faster drops in local complaint volume is an open question, since neither IC3 nor the FTC publishes state-by-state complaint breakdowns for this specific fraud. But the logic is straightforward: a Delaware resident who has seen the Justice of the Peace Court’s denial is far less likely to scan a QR code claiming to come from that court.

What federal data still does not show about QR-code fine scams

Several gaps in the public record limit the full picture. No federal agency has released aggregated national loss totals tied specifically to QR-code fine scams. The 2,000-plus IC3 complaints cover unpaid-toll smishing, but the traffic-violation variant, which uses fake court notices and hearing dates, does not yet have its own published complaint count. There is also no official breakdown showing how often these QR codes lead to direct credential theft versus malware installation. Regulators have described both outcomes in separate advisories, but no single dataset tracks the split.

Victim demographics remain largely unreported as well. Without knowing which age groups, regions, or device types are most affected, public awareness campaigns are working without a targeting map. The FTC’s guidance on barcode-based payments explains why certain payment rails make recovery difficult, but it does not quantify how much money has been lost through those channels in this specific scam category. That leaves policymakers and consumer advocates relying on anecdotal reports from local law enforcement and victim complaints rather than a comprehensive national dataset.

Those gaps matter because they shape how resources are allocated. If older adults are disproportionately targeted, public-service campaigns might need to focus on print mailers, local TV, and in-person outreach at community centers. If the bulk of complaints cluster in states with electronic tolling systems, then transportation agencies could be key partners in warning drivers. Without that level of detail, agencies are left issuing broad, one-size-fits-all alerts that may not reach the people most at risk.

How to respond when a QR-code fine text arrives

For anyone who receives one of these texts, the first step is straightforward: do not scan the QR code and do not click any embedded link. Treat the message as untrusted until you can verify it independently. If the text claims to come from a court, police department, or toll authority, contact that agency directly through its official website or a phone number listed on a past, legitimate bill-not the contact information in the text itself.

Checking your own records is safer than reacting to the message. Log in to your state’s actual court or toll portal by typing the URL into your browser or using a saved bookmark. If there is a real unpaid ticket, it will appear there. If nothing shows up, you can safely disregard the text. Never provide Social Security numbers, driver’s license details, or full banking credentials in response to a message you did not initiate.

If you have already scanned a QR code and entered information, move quickly. Contact your bank or card issuer to report potential fraud and ask them to monitor or freeze the affected accounts. Change passwords for any online banking or email accounts that might have been exposed, and enable multifactor authentication where available. Reporting the incident to the FTC and IC3 can help investigators track patterns and, in some cases, shut down the infrastructure behind the scams.

Consumers can also reduce their exposure by treating QR codes in general with more skepticism. Scanning a code should never be the only way to pay a government fine or toll. When in doubt, bypass the code and navigate directly to the agency’s known website. That small extra step can be the difference between resolving a legitimate ticket and handing a scammer everything they need to empty your accounts.

More from Morning Overview

*This article was researched with the help of AI, with human editors creating the final content.