Cybersecurity

Over the last week, hundreds of domains were registered to impersonate 20 states and establish toll scam websites. The domains aimed at NJ residents include URLs similar to “nj.gov**[.]help/mvc.”

The webpages use stolen branding and mimic the official Motor Vehicle Commission (MVC) website’s look and feel. The webpage displays “Welcome to NJMVC.GOV,” but the actual URL ends with a .help top-level domain. We are aware that there are already incident reports of SMS phishing scams that include links to these websites. We anticipate a surge in scam texts targeting NJ residents.

These texts may claim there is an unpaid toll, threaten late fees, and direct recipients to fraudulent webpages.

• The NJ MVC only sends text messages to remind residents about scheduled MVC appointments.
• The NJ MVC does not send texts regarding outstanding toll payments.
• You can always check your toll service’s account by manually typing the official website URL into the browser, and not by clicking on a link provided in an email or text message.

Always remember the following.

• Avoid clicking links, responding to, or acting on unsolicited text messages.
• Confirm requests from senders via contact information obtained from verified and official sources.
• Report fraudulent activity to the Linden Police Department, to the NJCCIC, FTC, and FBI’s IC3, and forward the message to 7726 (SPAM).

Google recently ended critical security support for Android 12 and all prior versions of its mobile operating system. This poses a serious security risk to the over 40% of all Android devices that no longer have access to security patches. Immediate action is required for affected users, as these devices are now vulnerable to new malware and spyware attacks.

Any Android device incapable of updating to Android 13 or a newer version should promptly be replaced.

Hackers have been attempting to impersonate Linden Planning and Zoning Board officials to fraudulently solicit payments from applicants. Please remember that all City of Linden email addresses end in @linden-nj.gov. If you receive a suspicious request, do NOT respond, and do NOT send money. Instead, immediately contact our offices directly using a verified phone number or email address from our official website to confirm legitimacy.

Phishing remains one of the top attack vectors that hackers use to compromise accounts, steal credentials, gain remote access, and steal financial information. These email and SMS-based attacks are easy to distribute at scale and require little personalization, making them a commonly used tactic. Phishing attacks can now range from simple emails, to multi-stage campaigns that use artificial intelligence (AI) and imitate trusted brands.

For example, in a recent vishing campaign, hackers uses a phishing kit to create a custom phishing page, spoof the company’s IT help desk phone number, and contact a target! By spoofing a trusted phone number, hackers can impersonate the help desk to trick users into entering their credentials on a phishing page, while the phishing kit enables them to control what the target sees in real time.

In another campaign, hackers abused trusted services by sending phishing emails that include links to SharePoint, Google Drive, and OneDrive from compromised email addresses. These links enable hackers to deliver malicious payloads or steal credentials and can go undetected by email security systems.

What to do?

• ALWAYS exercise caution with communications from ANY senders, even those that appear to originate from legitimate platforms.
• Confirm requests from senders via contact information obtained from verified and official sources before taking action, such as clicking on links or opening attachments.
• Navigate directly to legitimate websites (instead of clicking on links embedded in emails) and verify them before submitting account credentials, providing personal or financial information, or downloading files.
• Users who submitted credit card information to suspicious webpages are advised to contact their banking institutions to report the fraudulent purchases immediately.
• Enable MFA and keep systems and browsers up to date.
• If you believe you’ve been victimized, disconnect the potentially infected device(s) from the Internet and run anti-virus/anti-malware scans.
• If sensitive information was entered, then change passwords for compromised accounts, monitor for unauthorized activity, and review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources, including credit freezes.
• If you are a Linden resident, then report malicious cyber activity to the Linden Police Department, as well as the NJCCIC and the FBI’s IC3.

The FIFA World Cup 2026 will span 16 venues across the United States, Mexico, and Canada, with matches running for 39 days from June 11 to July 19. MetLife Stadium in East Rutherford, New Jersey, will host eight matches, including the Tournament final.

Major international sporting events have become prime targets for cyber threat actors, as evidenced by attacks on the FIFA World Cup 2022 in Qatar, UEFA Euro 2024 in Germany, the 2024 Summer Olympics in Paris, and other past global events. Historical cyber threat activity targeting global events including (but not limited to) malware infection (including destructive wiper malware), distributed denial-of-service (DDOS) attacks, phishing campaigns, malicious mobile applications, fraudulent ticketing websites, account credential exposure, unauthorized access, ransomware attacks, Deepfake AI-generated content, disinformation campaigns, and more.

As early as August 2025, there have been a surge in domain registrations tied to the upcoming FIFA World Cup 2026. These domains, often masquerading as legitimate ticketing portals, merchandise outlets, or live-stream platforms, serve as precursors to cyber campaigns designed to harvest credentials, distribute malware, and siphon financial data.

It is likely that cyber threat activity related to the FIFA World Cup 2026 will be similar to observed activity during previous global events, with social engineering schemes, ransomware attacks, and nation-state targeting. Deepfake technology and other AI-generated content may be used to spread disinformation, cause confusion, incite panic, or attempt to exercise political influence. While the match venues are potential targets of cyber threats, threat actors may also target critical infrastructure supporting the World Cup, such as energy and water utilities, to impact the tournament or as part of a larger cyber operation.

Linden residents should be on high alert for FIFA World Cup 2026 scams, including fake ticket sales, counterfeit merchandise, and phishing attempts. Protect yourself by only using official, verified websites for any purchases or information, and never click on links from unsolicited emails or texts.

Threat actors (aka hackers) continue to impersonate recruiters and employers to target potential job seekers with fake or unrealistic remote job offers. They often send unsolicited emails or text messages that promise high pay for little work, require payment to get a job or training, lure targets with bad checks to buy fake work equipment or supplies, involve repackaging or shipping items often purchased with stolen credit cards, or request personal data, leading to financial loss and identity theft. Over the past month, there has been an observable increase in remote job scams targeting residents.

Threat actors will often claim a quick turnaround to convince their targets to act quickly and apply by stating that applications will be reviewed within two to 24 hours. Clicking on the “CLICK HERE TO APPLY” directs targets to a page designed to capture sensitive information. Copyright symbols at the bottom of the email are often hyperlinked to a phishing page also designed to steal account credentials. Below is a real example of such a phishing email. Don’t take the bait!

Always report scams and other malicious cyber activity to the FBI’s IC3 and also to the NJCCIC.

Latest Scam Methods

The Bank Impersonation Scam – In this scenario, scammers impersonate your bank using spoofed caller IDs. They falsely claim fraudulent activity on your account, then either trick you into sending payments (‘to reverse the fraud’) or ask for sensitive information to gain access and steal your money.

The Smishing Scam – Smishing, an SMS-based form of phishing, involves scammers impersonating legitimate organizations via text message. These communications often create a false sense of urgency, directing recipients to malicious links where payment information or personally identifiable data is solicited for fraudulent purposes.

The Social Media Deposit Refund Scam – Scammers who are impersonating artists on social media platforms entice victims with offers to purchase photographs. The scammers issue counterfeit checks and subsequently request a partial refund, often citing ‘supply’ costs. Despite the check appearing to clear initially, it is later identified as fraudulent by the bank. By this time, funds sent by the victim to the scammer cannot be recovered.

Here are steps you can take to protect yourself against these and other scams.

• Verify Phone Calls – Hang up on suspicious calls. Verify legitimacy by contacting the company using a number from their official website. For bank calls, always end the call and then dial the number on the back of your debit or credit card to be certain that you are actually communicating with your bank.
• Be Skeptical – Exercise skepticism toward unsolicited investment opportunities guaranteeing substantial returns. Prior to transferring funds, conduct due diligence using reputable sources to confirm the entity’s legitimacy. Exercise heightened caution if the arrangement requires cryptocurrency, as this is a common fraud tactic.
• Don’t Give Into Pressure and Urgency – Scammers employ urgency tactics, such as false account compromise alerts, service termination threats, or legal action claims, to bypass rational judgment. Always consult a trusted contact before acting on such demands. Legitimate entities provide written notices and due process. Legitimate companies and/or government agencies will never demand gift card payments. Never share gift card codes with strangers, as this is the equivalent of handing them cash.
• Never Send Money To People You Have Not Met In Person – Always exercise extreme caution toward online acquaintances soliciting funds or promoting investment opportunities, particularly those involving cryptocurrency. These scenarios represent very common social engineering fraud tactics.

Report vishing scams and other malicious cyber activity to the FBI’s IC3 and the NJCCIC. If you or someone you know is being physically threatened, then contact the police department or dial 9-1-1 immediately.

What’s Happening?

Law enforcement continues to receive reports of fraudulent phone calls in vishing scams. Typically, threat actors (hackers) acquire publicly available information found online and impersonate specific organizations or individuals. They contact the recipient to extort money or convince their targets to divulge sensitive information, grant access to their accounts or devices, or purchase fraudulent goods or services. In one report, an educational institution received repeated suspicious phone calls from different phone numbers, including spoofed official ones, to appear legitimate. The threat actors claimed to be “Online IT Training” and asked for the head of the information technology department. When questioned, the threat actors could not respond “off script.”

Threat actors are increasingly leveraging voice cloning and artificial intelligence (AI) technologies to carry out impersonation and extortion scams. They can find and capture snippets of a person’s voice online, through social media platforms, in outgoing voicemail messages, or when the recipient caller answers a call. They can weaponize AI technology with the captured audio to clone a person’s voice and create fraudulent schemes, such as family emergencies, kidnappings, robberies, or car accidents. In one reported vishing scam, the threat actors impersonated the target’s daughter, claiming to be involved in a car accident. A male voice was also on the line, claiming to be a local law enforcement officer and reporting that the daughter supposedly admitted to using her cell phone while driving. He indicated that she was being held for charges of injuring the other driver, who was pregnant. The purported officer stated that a bail bond agent would contact them to post bail. Minutes later, a male caller posing as a bail bond agent contacted the target to indicate bail was set at $15,000 cash only, and threatened not to tell anyone because it would go on the daughter’s permanent record. After hanging up with the threat actors, the target called their daughter to confirm the call’s legitimacy before going to the bank. The daughter revealed she was not on the call or involved in a car accident.

What Should We Do?

• Refrain from answering unexpected calls from unknown contacts.
• When receiving unsolicited phone calls, do not respond to any requests for sensitive information, access, or money.
• If suspicious inquiries are made by individuals claiming to represent a trustworthy organization, hang up and call the organization back using the official phone number found on their website.
• Block and delete unsolicited or suspicious phone numbers received on cell phones and other devices.
• Establish a unique password or passphrase with important contacts, such as loved ones, employers, and coworkers, and request it if suspicious inquiries are made by individuals claiming to represent them.
• Report vishing scams and other malicious cyber activity to the FBI’s IC3 and the NJCCIC.
• If you or someone you know is being physically threatened, then contact the police department or dial 9-1-1 immediately.

Over the last week, the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) received several incident reports from NJ residents regarding an SMS text phishing (SMiShing) scam impersonating the Department of Motor Vehicles (DMV).

These messages claim that the user has an outstanding traffic ticket and payment is due. If not paid by May 29, the user will have their vehicle registration and driving privileges suspended, receive a toll booth charge increase, and their credit score will be impacted. The URL displayed in the message includes “ezpassnj” and “.gov” in an attempt to appear legitimate. The message itself does not allow the user to click the included link directly but instead instructs them to reply to the message with “Y” and reopen the message to click the link or to copy the URL to their browser. These links lead to fraudulent websites that attempt to extract personally identifiable information, financial details, or account credentials.

This SMiShing scheme is similar to others that have circulated impersonating NJ toll services and EZ-Pass claiming the user has an outstanding toll that needs to be paid to avoid a late fee.

• NJ MVC – The NJ MVC only sends text messages to remind residents about scheduled MVC appointments. It does not send text messages regarding driver’s licenses or vehicle registration status.
• New Jersey E-ZPass – NJ E-ZPass does not send unsolicited text messages to collect payments. If your account is in collections and being handled by Credit Collection Services, you may receive text messages from Credit Collection Services regarding your account. Their text message will list a phone number, their website www.ccspayment.com, and reference a file number.