“Who is sending those scammy text messages about unpaid tolls?”
It’s not just you.
Seemingly everyone is getting text messages that serve as a notification of an unpaid toll road violation. The overdue amount is typically less than $25, but it is often paired with threats of severe penalties, suspended vehicle registrations and reports of the fare to state motor vehicle agencies.
None of it is legitimate. What is actually happening is a wide-ranging scam, circulating nationwide on mobile phones, that attempts to trick people into paying the phantom violations. Federal authorities, including the FBI, the Federal Trade Commission and the Federal Communications Commission, are tracking and investigating the scam, noting that the social engineering attacks are increasing in frequency and geographic reach.
The framework for the scam isn’t particularly novel: The FBI’s Internet Crime Complaint Center has fielded complaints about fake road toll collection text messages since March 2024. But the inclusion of toll road violations is a new thematic spin on a wave of attacks known as smishing — phishing over SMS or text messages — similar to scam campaigns related to missed package deliveries, threat researchers told CyberScoop.
Scammers know text messages are among the most personal and time-sensitive forms of communication. Combined with the small amounts of money requested in these messages, the scam hits a sweet spot where cybercriminals get the information they’re really after.
“They don’t care about the seven bucks. They want your credit card number,” said Aidan Holland, security researcher at Censys. “It’s just a low-dollar amount that most people will either pay without thinking or not give it a double take.”
Threat researchers attribute the unpaid toll scam to familiar cybercriminals, with the infrastructure and phishing kits originating from China.
“It’s the same folks who are doing all sorts of text-based scams,” said Renée Burton, VP of threat intelligence at Infoblox.

The scams keep spreading partly because the malicious actors are using tens of thousands of URLs and constantly registering new domains.
The malicious sites linked to these attacks often include some variant of a legitimate toll road collection subdomain, but end with unusual top-level domains that are more commonly associated with cybercrime.
Palo Alto Networks’ Unit 42 said the top subdomains embedded in these URLs include: “ezdrive,” “e-zpass,” “fastrak,” “thetollroad,” “txtag,” “paturnpike,” “ohioturnpike,” “sunpass,” “bayareafastrak,” among others.
Legitimate toll road collection domains are inconsistent, a key factor contributing to the success of this campaign, according to Holland.
“There’s just so many different variants,” he said. “It leaves room for confusion, and that room for confusion is being taken advantage of.”
Holland found as many as 57,000 malicious URLs earlier this month that were directly associated with the scam.
Unit 42 last week said it found more than 10,000 registered domains for various smishing services posing as toll services for U.S. states and package delivery services. More than two-thirds of these domains use the same two name servers and resolve to IP addresses from popular hosting providers, according to Unit 42.
While the phishing sites largely resolve to servers in the United States, Singapore and Japan, the majority of them were hosted on networks owned by China-based companies Tencent and Alibaba, Holland said.
Researchers’ efforts to take these domains offline are ongoing, but gaining the upper hand against this cybercrime group is unwieldy.
“If we get a thousand domains taken down, they can register 40,000 tomorrow,” Burton said. “That amount of domains they have tells you that they are making money off it.”
Many of the malicious texts Holland observed were delivered via iMessage from email accounts registered to burner phones running SIM cards with numbers based in the United Kingdom and the Philippines. He suspects cybercriminals are deploying this tactic because emails are cheaper than phone numbers, even those originating from countries with cheap disposable SIM cards.
The campaign is not exclusive to Apple devices, however. Holland also observed toll road text scams on Android-based phones.
Cybercriminals are also deploying tactics to try to circumvent wireless network-based spam controls. While wireless carriers can view regular text messages that pass through their network infrastructure filters, messages sent via platforms like iMessage and the industry-standard rich communication services (RCS) protocol are transmitted over the internet and outside their direct purview.
“As bad actors evolve their tactics from targeting traditional text platforms to focusing more on over-the-top internet-based platforms like iMessage and RCS, wireless providers, others in the messaging ecosystem and law enforcement need to partner to combat these tactics,” said a spokesperson for CTIA, the U.S.-based wireless industry association.
Federal authorities previously said this toll road text scam is moving from state to state. Earlier this month, researchers said they observed malicious activity in at least a dozen states and one Canadian province.
The FBI, FCC and FTC advise consumers who receive these text messages to exercise caution, not click links in unexpected texts, file complaints and delete the messages. Consumers are also encouraged to report unwanted texts as spam, block the number and forward the message to 7726 or “SPAM” to report them to their wireless provider.
Whether it’s toll roads, package notifications, or other rudimentary notes tied to everyday life, these scams continue to pop up because social engineering attacks work. Yet the best way to avoid them, regardless of the subject, is to practice vigilance and treat messages from unknown or unconfirmed senders with skepticism.
“These scams are somewhat easy to spot as fraud if you’re paying attention,” said Chester Wisniewski, director and global field chief technology officer at Sophos. “Remain vigilant for non-U.S. country codes and look for unusual top-level domains — which are often a tell for suspicious activity.”
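The indicators described above (a toll brand name inside a hostname that ends in an unexpected TLD, a non-U.S. country code or e-mail sender, and a small balance paired with a penalty threat) can be turned into a simple triage heuristic. The following is an added example written for this page, not code from the article or any vendor named in it; the brand tokens come from the Unit 42 list above, while the set of "expected" TLDs, the threat keywords and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Brand tokens Unit 42 reported embedded in smishing hostnames (from the article).
TOLL_BRAND_TOKENS = ("ezdrive", "e-zpass", "ezpass", "fastrak", "thetollroad", "txtag",
                     "paturnpike", "ohioturnpike", "sunpass", "bayareafastrak")
# TLDs a U.S. toll operator would plausibly use. Assumption for this example: a real
# deployment should allowlist each operator's exact official domain instead.
EXPECTED_TLDS = frozenset({"com", "gov", "org", "net", "us"})
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
THREAT_RE = re.compile(r"penalt|suspen|legal action|late fee|dmv", re.IGNORECASE)


def score_message(sender: str, body: str) -> dict:
    """Count the article's indicators in one message; a higher score is more suspicious."""
    reasons = []
    # 1. Sender: a notice about U.S. toll roads arriving from an e-mail address (iMessage)
    #    or from a non-+1 country code is out of place.
    if "@" in sender:
        reasons.append("sender is an e-mail address, not a carrier number")
    elif sender.startswith("+") and not sender.startswith("+1"):
        reasons.append("sender number does not use the +1 (U.S./Canada) country code")
    # 2. Links: a toll brand in the hostname combined with an unexpected TLD.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower().rstrip(".")
        tld = host.rsplit(".", 1)[-1]
        brand = next((t for t in TOLL_BRAND_TOKENS if t in host), None)
        if brand and tld not in EXPECTED_TLDS:
            reasons.append(f"toll brand '{brand}' in host {host} with unexpected TLD .{tld}")
    # 3. Lure: a small balance (the article cites amounts under $25) paired with a
    #    threat of penalties or registration suspension.
    amounts = [float(a) for a in re.findall(r"\$(\d+(?:\.\d{1,2})?)", body)]
    if amounts and min(amounts) < 25 and THREAT_RE.search(body):
        reasons.append("small balance paired with a penalty or suspension threat")
    score = len(reasons)
    verdict = "likely smishing" if score >= 2 else "review" if score == 1 else "no indicators"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages; numbers are reserved/fictional ranges and hosts are invented.
SAMPLES = [
    ("+447700900123", "Final notice: your E-ZPass toll balance of $6.99 is overdue. Pay now "
     "to avoid a $50 penalty and registration suspension: https://e-zpass-pay.toll-notice.top/pay"),
    ("noreply@example.com", "SunPass: unpaid toll $4.15. Settle at "
     "https://sunpass.example-settle.xyz/ or face DMV action."),
    ("+12025550123", "Your appointment is confirmed for Tuesday at 10:00. Reply STOP to opt out."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, score_message(sender, body))
```

A message with a brand token on an expected TLD is deliberately not flagged here, because only an allowlist of each operator's official domain can settle that case.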