AI v Phishing

Example of iMessage phishing.

I recently received an iMessage (not a text message) from an unknown number claiming to be from the VA State Department of Motor Vehicles. The message not so politely informed me that I had an outstanding traffic ticket and that I needed to pay a fine. I've seen hundreds of these kinds of messages at this point in my life and have enough technical knowledge to quickly identify that this was just another phishing attempt. I was about to delete it and block the number (which, I acknowledge, is Sisyphean) when I had a thought. What would an OpenAI model make of this?

Checking in with ChatGPT [1]

I crafted my prompt,

I just received the following text and suspect it's a phishing attempt. Analyze the text and highlight any features of the text that would support or reject this suspicion.

... and included the text of the message shown at the top of this missive.

I have to say I was happy with the results. The LLM's response was clear, accurate, and issued decent advice. The full text of the response is below (slightly reformatted, no text changes).

Red Flags That Suggest Phishing

  1. Suspicious URL
    • https://dmv-virginia.gov-XXXX.XXX/portal is not a legitimate government domain. [2]
    • Official government domains end in .gov, not .icu.
    • The structure dmv-virginia.gov-vmtj.icu is trying to impersonate dmv.virginia.gov, but it is clearly a different (fraudulent) domain.
  2. Urgency and Threats
    • The message uses scare tactics like license suspension, credit score impact, and prosecution to provoke panic.
    • Phrases like “Final Notice,” “Enforcement Penalties,” and “Pay immediately” are typical phishing pressure tactics.
  3. Unusual Enforcement Claims
    • The supposed Administrative Code “15C-16.003” does not correspond to any known regulation and is likely fabricated.
    • Claims like “transfer to a toll booth” make no logical sense in the context of a traffic fine.
  4. Poor Formatting and Grammar
    • “Begin onJune 4” — no space between words.
    • This kind of minor typo is common in phishing messages.
  5. Inconsistent and Unusual Payment Instructions
    • “Reply Y and re-open this message” is not how government agencies handle payments.
    • Official entities do not direct users to click suspicious links or reply to texts for payment.

Signs That Could Suggest Legitimacy (But Don’t Hold Up Here)

  • Use of DMV and a serious-sounding tone may mimic official communication, but this is superficial.
  • The message uses legalese and administrative-sounding language, which is a common phishing tactic to gain trust.

Conclusion

This message is almost certainly a phishing scam. Do not click the link, do not reply, and consider reporting it to:
  • FTC ReportFraud
  • Virginia DMV directly: https://www.dmv.virginia.gov

If you’re concerned about tickets or your license, always go directly to the official DMV site: https://www.dmv.virginia.gov

More Traditional Checks

After checking with the robot, I decided to investigate the domain. Of course, I found all the telltale signs of a phisher at work. First, the domain was registered the previous day with a timestamp of “2025-05-31T21:23:08.0Z”. The registrar is Dominet (HK) Limited at Alibaba Cloud. The contact is listed as some poor person in Pennsylvania who I suspect has had their identity stolen. (If you're technical and reading this, don't harass the contact — they are likely victims in all this too.)
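The checks above (the lookalike URL in the "Red Flags" list, the day-old registration date, the pressure language) can be scripted. The following is an added example, not code from the original post: it pulls the URL out of a message, flags a host that contains "gov" but whose TLD is not .gov, compares the registrar creation timestamp with the time the message arrived, and counts the pressure phrases the analysis called out. The sample message, the placeholder domain (`dmv-virginia.gov-xxxx.invalid`, a reserved TLD standing in for the altered one), the receipt time and the WHOIS dict are all constructed for the example; in practice the creation date would come from a WHOIS/RDAP lookup, which this offline version replaces with a dict, and the registrable-domain helper is deliberately naive (real code should use the Public Suffix List).

```python
"""Heuristic triage of a suspected SMS/iMessage phish (added example)."""
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Pressure phrases the post's analysis called out (lower-cased for matching).
URGENCY_PHRASES = (
    "final notice", "pay immediately", "enforcement", "suspension",
    "prosecution", "credit score",
)

# Constructed sample message; the domain is a placeholder, not the live one.
SAMPLE_MESSAGE = (
    "DMV Final Notice: your unpaid traffic ticket will be transferred to a "
    "toll booth. Enforcement Penalties begin onJune 4 including license "
    "suspension and credit score impact. Pay immediately at "
    "https://dmv-virginia.gov-xxxx.invalid/portal or Reply Y and re-open this message."
)

# Constructed stand-in for a WHOIS/RDAP record, keyed by registrable domain.
# The creation timestamp is the one quoted in the post.
SAMPLE_WHOIS = {"gov-xxxx.invalid": "2025-05-31T21:23:08.0Z"}

# Constructed receipt time: the day after registration, as in the post.
SAMPLE_RECEIVED_AT = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)

NEW_DOMAIN_DAYS = 30  # registrations younger than this are treated as suspicious


def extract_urls(text):
    """Return every http(s) URL found in the message body."""
    return re.findall(r"https?://[^\s<>\"']+", text)


def registrable_domain(host):
    """Naive registrable domain: the last two labels of the host name."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def url_reasons(url):
    """Explain why a URL looks like an impersonation of a .gov site."""
    host = (urlparse(url).hostname or "").lower()
    tld = host.rsplit(".", 1)[-1]
    reasons = []
    if "gov" in host and tld != "gov":
        reasons.append(
            f"'gov' appears inside host {host} but the registrable domain is "
            f"{registrable_domain(host)} (TLD .{tld}, not .gov)"
        )
    return reasons


def parse_whois_created(timestamp):
    """Parse a registrar creation timestamp in the form quoted in the post."""
    parsed = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)


def domain_age_days(host, whois, received_at):
    """Whole days between registration and receipt, or None if no record."""
    created = whois.get(registrable_domain(host))
    if created is None:
        return None
    return (received_at - parse_whois_created(created)).days


def urgency_reasons(text):
    """Pressure phrases present in the message, in list order."""
    lower = text.lower()
    return [phrase for phrase in URGENCY_PHRASES if phrase in lower]


def triage(message, whois, received_at):
    """Collect reasons; two or more independent reasons => likely phishing."""
    reasons = []
    for url in extract_urls(message):
        reasons.extend(url_reasons(url))
        host = urlparse(url).hostname or ""
        age = domain_age_days(host, whois, received_at)
        if age is not None and age < NEW_DOMAIN_DAYS:
            reasons.append(
                f"domain {registrable_domain(host)} registered {age} day(s) "
                f"before the message arrived"
            )
    hits = urgency_reasons(message)
    if hits:
        reasons.append("pressure language: " + ", ".join(hits))
    verdict = "likely phishing" if len(reasons) >= 2 else "inconclusive"
    return {"verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    result = triage(SAMPLE_MESSAGE, SAMPLE_WHOIS, SAMPLE_RECEIVED_AT)
    print(result["verdict"])
    for reason in result["reasons"]:
        print(" -", reason)
```

Running it on the constructed sample prints "likely phishing" with three reasons: the gov-lookalike host, a registration age of 0 days, and five of the six pressure phrases. The legitimate https://www.dmv.virginia.gov/ produces no URL reason, which is the sanity check worth keeping when tuning heuristics like these.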

I also decided to check in with my network, and several others are reporting receiving this exact message, which means either we're all guilty of the same recent traffic violation or the phishers are just spamming.

Final Thoughts

Normally, I just write a little note to the less technical folks in my family and friend group to remind them not to click on links. This time, I just wanted to reach out more broadly to remind any technical folks reading this that it would be nice if you did that too. We have to look out for the vulnerable among us since, in some ways, the internet is still just as much the wild west as it was in the 90s. Happy and safe computing!

[1]: I selected ChatGPT only because I've been working with it lately. It would be interesting to see what Claude, Gemini, Llama, or any of the others would do with the same prompt.

[2]: Domain altered so that no one accidentally visits the phishing site.