Dealing with the DMV is bad enough, but a scam looking to steal your valuable personal details while pretending to be your local DMV? That's just downright evil.
And that's what I got today, when a random text message tried to get me to click on a URL that sent me to a convincing-looking fake DMV website — and then asked for my Social Security number and my driver's license number.
- The best identity theft protection services
- Nasty email hack can steal your personal data
- New: Your Android phone may soon have a huge internet problem
Otherwise, this "smishing" — SMS phishing — scam told me, my driver's license may not be in compliance with new federal rules if I didn't follow along.
While I was first tipped off to the sketchiness of the text message because of its URL — the New York state DMV would not use a web address ending in ".in", the top-level domain for India — this could easily fool someone who trusts the texts they receive. (They should not.)
Making matters worse, those who click on that URL are sent to a regular-looking website with a legitimate-looking domain name: https://secure.newyorkdmv[dot]net/. Not only is this an secure HTTPS site, but the use of "secure" as a subdomain adds just the right touch to make someone think they're going to the actual DMV website.
But things get even more convincing once you click through. You first get a warning message that reads: "Our records indicate that your contact information must be updated for REAL ID Compliance. Please provide an Up-to-date Mailing Address and Phone Number".
Aside from the random use of capital letters, this looks pretty convincing. The scammers' reference to REAL ID Compliance, a new federal regulation that many state DMVs have to comply with, makes it all more convincing.
On top of that, the page where you enter your name, address, date of birth, SSN and driver's license number — enough for a good head start in identity theft — looks legitimate enough so that someone could easily be fooled.
Take a look at the fake DMV site:
Note the use of the New York State logo in the top right corner, and how the site looks well-designed enough to confuse someone afraid of losing access to their driver's license.
The actual NY DMV website (below) is a bit better designed, but it's still close enough to the above forgery that I wouldn't think any less of someone who was fooled.
How to avoid scams like this:
A few simple rules to stay safe. First, never click on links sent by anyone you don't know or recognize. That's not just for text messages, but emails as well.
Second, don't think a site is safe or trustworthy just because it looks like it should be, and especially just because it has an HTTPS padlock in the address bar.
In this instance, I would advise someone who opened that URL to open a new tab or window, and do a Google search for their state or province's actual DMV website. Comparing the real site's appearance and web address to the fake ones will reveal you're not on the actual website in question.
Third, ask yourself when filling out forms online whether the recipient really needs this information. Only the IRS, state tax authorities and your employer really need your Social Security number — everyone else can use other forms of ID. And if the DMV already has your mobile phone number, why would its form ask for exactly that information?