A phishing scammer is running a better marketing stack than half the brands I audit
A text came in earlier to my wife’s phone claiming she had an unpaid traffic ticket from the Oklahoma Department of Public Safety.
The link pointed to the URL in this image:
This is the kind of domain that should set off every alarm in your head if you slow down and really look at it. Real Oklahoma government sites end in oklahoma.gov or service.ok.gov. The hyphen in “gov-okanr” is the giveaway, the way scammers buy domains that look right at a glance but route to whatever box they rented in a server farm somewhere overseas.
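The "looks right at a glance" problem, as an added example (not code from the original post): a substring match on the URL beside a strict hostname-suffix check against the two official suffixes named above. The sample URLs are constructed; only the "gov-okanr" label comes from the text, and the function names are illustrative.

```python
from urllib.parse import urlsplit

# Suffixes the article names as genuine Oklahoma government hosts.
OFFICIAL_SUFFIXES = ("oklahoma.gov", "service.ok.gov")

def hostname_of(url):
    """Return the lower-cased hostname of a URL, without a trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()

def naive_looks_official(url):
    """Weak check: substring match anywhere in the URL (what a skim does)."""
    return any(s in url.lower() for s in ("ok.gov", "oklahoma.gov"))

def is_official(url):
    """Strict check: host equals an official suffix or is a subdomain of it."""
    host = hostname_of(url)
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)

# Constructed sample URLs; only the "gov-okanr" label comes from the article.
SAMPLES = [
    "https://service.ok.gov/tickets",
    "https://www.oklahoma.gov/dps.html",
    "https://ok.gov-okanr.example/pay?id=123",
    "https://service.ok.gov.billing.example/pay",
    "https://service.ok.gov@gov-okanr.example/pay",
]

def classify(urls):
    """Map each URL to (naive verdict, strict verdict)."""
    return {u: (naive_looks_official(u), is_official(u)) for u in urls}

if __name__ == "__main__":
    for url, (naive, strict) in classify(SAMPLES).items():
        print(f"{url:48} naive={naive!s:5} strict={strict}")
```

All five samples pass the substring check, but only the first two pass the suffix check.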
I told her to delete it, but to forward it to me first. I was curious.
I opened the URL inside a sandboxed browser, popped open Chrome DevTools, and watched the network panel light up while the fake Oklahoma DPS page loaded. What I found under the hood wasn’t a sloppy operation. In fact, it was actually a marketing operation, and a really well-instrumented one at that.
The scammer behind this site is running a better measurement stack than at least half the legitimate companies I audit. I want to walk through what I saw, because I think there’s an actual lesson in here for marketers.
What the network tab told me
Twenty-seven HTTP requests and 1.5 MB of resources. The page loaded cleanly enough that a non-technical user would not blink at it.
The first thing that caught my eye was a persistent WebSocket connection going to a path called logger (They didn’t try that hard. At least name it something else…). WebSockets stay open in the background. They stream data both ways in real time. A static government information page would have no earthly reason to keep a socket open like that. The reason this one does is that the kit is logging keystrokes back to the operator as the victim types. As soon as you start filling in your name, your driver’s license number, your card details, the attacker sees it live and can adapt the funnel based on what you do. If your card declines, you get a “please try another payment method” screen instantly. The branding looks consistent because it is consistent. They’re watching you.
The second thing I noticed was a session-replay beacon. The script was firing requests like “rs?id=...&t=marketing”. That’s a Hotjar- or FullStory-style replay tool, the kind of thing a SaaS company uses to watch real users move through a checkout flow so the product team can find friction points. This scammer is using one to watch his marks struggle through the fake DMV form so he can optimize for higher completion rates. They’re, I am not making this up, A/B testing their phishing funnel like a growth marketer.
The third thing was the moment I started laughing out loud. There was a Google Ads conversion pixel that looked like this:
pixel?google_nid=9675309&google_hm=...
That 9675309 is “867-5309” minus an 8. The scammer named their Google Ads conversion event after the Tommy Tutone song, which tells you a couple of things. They have a sense of humor, for one. More importantly, they’re buying paid Google Ads to drive traffic to the phishing page and firing a conversion event when victims land on it. They’re tracking ad ROI on a phishing campaign! I’m guessing they probably have a dashboard, too, and probably even a nicely designed Looker Studio report. Even scammers have to create marketing reports, it seems. I’m sure the Tutone ID was just auto-generated, but I like to think they did it on purpose.
The JavaScript bundles on the page had random eight-character filenames. TYBhKPvt.js. COJ1TQhw.js. B-hR3BU0.css. That is a phishing-kit fingerprint. Some of the kits being sold on Telegram right now ship with a built-in filename randomizer specifically to dodge URL-based blocklists. Every deployment looks slightly different to the automated scanners that browser security teams run.
There were a few sloppy bits, mostly broken font references throwing 404s. Sixteen console errors total, which is sixteen more than a real state government site would ship with (maybe, now that I think about it…). So the operator is not a perfectionist. They’re a marketer who cares about conversion, not code quality.
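For anyone who wants to repeat this kind of review from a saved capture, here is an added example (not code from the original post) that walks a HAR export of the network panel and groups requests by the indicators described above. The HAR excerpt, hosts and indicator names are constructed; each signal can also appear on a legitimate page, so the report is meant to be read as a set.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Mixed-case eight-character stem, as in the bundle names quoted above.
RANDOM_BUNDLE = re.compile(
    r"^(?=[^.]*[a-z])(?=[^.]*[A-Z])[A-Za-z0-9_-]{8}\.(?:js|css)$")

def indicators(url, status=200):
    """Return the indicator names from the write-up that one request matches."""
    parts = urlsplit(url)
    leaf = parts.path.rsplit("/", 1)[-1]
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    if parts.scheme in ("ws", "wss"):
        hits.append("websocket")
    if leaf == "rs" and {"id", "t"} <= query.keys():
        hits.append("replay-beacon")
    if leaf == "pixel" and "google_nid" in query:
        hits.append("ads-pixel")
    if RANDOM_BUNDLE.match(leaf):
        hits.append("random-bundle")
    if status == 404 and leaf.endswith((".woff", ".woff2", ".ttf")):
        hits.append("broken-font")
    return hits

def triage(har):
    """Group request URLs from a HAR dict by the indicators they match."""
    report = {}
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        for name in indicators(url, entry["response"]["status"]):
            report.setdefault(name, []).append(url)
    return report

# Constructed HAR excerpt: hosts and values are placeholders, only the path
# shapes (logger, rs?id=&t=, pixel?google_nid=, bundle names) follow the text.
def _e(url, status=200):
    return {"request": {"url": url}, "response": {"status": status}}
SAMPLE_HAR = {"log": {"entries": [
    _e("https://kit.example/assets/TYBhKPvt.js"),
    _e("https://kit.example/assets/B-hR3BU0.css"),
    _e("https://kit.example/assets/main.js"),
    _e("wss://kit.example/logger", 101),
    _e("https://replay.example/rs?id=abc&t=marketing"),
    _e("https://ads.example/pixel?google_nid=0000000&google_hm=x"),
    _e("https://kit.example/fonts/body.woff2", 404),
]}}

if __name__ == "__main__":
    print(triage(SAMPLE_HAR))
```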
Why this matters if you do legitimate marketing for a living
The companies I audit, the ones running ten-and-twenty-million-dollar marketing programs, often can’t tell me which of their campaigns produced their last ten customers. They have GA4 set up wrong or they have UTM parameters that get stripped on redirects. They’re still measuring open rates on emails three years after Apple Mail Privacy Protection made open rates almost meaningless. Their ad attribution is duct-taped together with a SharePoint spreadsheet that nobody updates.
Meanwhile, a team (or more realistically just some guy) running a phishing kit out of, my best guess, somewhere in eastern Europe or southeast Asia, has:
Real-time event streaming from his landing page
Session replay so he can watch users hit friction points
Google Ads conversion tracking with a custom event ID
Per-victim tracking parameters in the URL so he can correlate clicks back to the SMS list he bought
A funnel he is clearly iterating on, given how clean the layout was compared to similar kits I have looked at in the past
He is doing this on a stolen budget, on infrastructure he probably doesn’t even pay for, against an audience that didn’t opt in. And his measurement is tighter than most of yours.
I’m saying this because the gap between “we have analytics” and “we actually know what is working” is enormous. The brands that are going to win the AI search era are the brands that can close that gap. AEO and GEO measurement is going to be even harder than SEO measurement was. If you can’t tell me which content is feeding the answer engines that recommend you, you’re going to be flying blind.
What the Ahrefs data reinforces
The shift in how people find information is real. Ahrefs published research in March 2026 showing that only 38% of citations in Google’s AI Overviews come from pages ranking in the top 10 organic results for the same query. The other 62% are coming from somewhere else, which means the old model of “rank well, get traffic” is becoming the old model of “rank well, get some traffic.”
The brands that will figure out the new model are the brands that already measure carefully. The ones who can actually trace a citation in an AI Overview back to the piece of content that earned it. The ones who know which podcast appearances and guest posts are showing up in LLM training data versus which ones are not. The ones who treat their measurement layer like infrastructure, not like a checkbox.
The phishing scammer I looked at isn’t going to win in any significant way. His domain will probably get killed in a week and undoubtedly Google will catch the ad. His kit will rotate to a new lookalike domain and the cycle will continue.
But the discipline he’s showing, the willingness to tool every step of his funnel and watch the data in real time, is the discipline that legitimate marketers keep claiming they have and very often don’t.
Ok, great, but how do you learn from this scam?
Two things, depending on which side of the screen you’re on.
If you’re a regular person who got the same text I did, DO NOT CLICK IT. Real Oklahoma DPS doesn’t text you about traffic violations. If you’re unsure about a license or registration issue, type service.ok.gov into your browser yourself and check there. Report scam texts to the FTC at reportfraud.ftc.gov and to the FBI’s Internet Crime Complaint Center at ic3.gov. Forward the SMS to 7726 (which spells SPAM) so your carrier can start blocking the number.
If you’re a marketer, take an hour this week and audit your own measurement stack, not the polished dashboard you show at the QBR but the actual plumbing underneath it. Are your UTMs surviving every redirect? Is your conversion tracking firing where you think it is firing? Can you trace a closed deal back to the first piece of content that brand touched? If a phishing kit operator can run cleaner attribution than your $80 million marketing org, that is a problem you can fix this quarter.
I’ll leave you with this. The scammer behind this gave his Google Ads conversion event a name that is a pun on a song from 1981. He was thinking about it. He was paying attention. He was, in his way, having fun with the work. The marketers who’ll win the next decade are the ones who pay that kind of attention to their own funnels, with the giant advantage of doing it for something legal and useful. And most of them, in my experience, aren’t paying that kind of attention yet.
Jarred Smith is the author of Explainable: Why AI Recommends Some Brands & Ignores Others, an Amazon bestseller on AEO, GEO, and SEO. He’s a marketing leader with nearly 20 years of experience across healthcare, public media, retail, and environmental services. Find him at jarredsmith.com.