Update: Republished on March 23 with a warning about a new text attack and a twist on this surging Chinese threat, with additional advice on how to stay safe.
Stop sending texts, the FBI told Americans in December, as Chinese hackers marauded through U.S. networks. But there’s another text threat that’s now rapidly sweeping across America “from state to state,” and this one is more likely to get you, stealing your money, maybe even your identity. And it’s also made in China.
“Have you received a text suggesting you may owe unpaid tolls on your vehicle?” the bureau warned again this week. “There is a good chance it’s a fraudster trying to get your personal information.” We’re talking the smishing texts now targeting iPhone and Android phones across America with fake toll bills. The FBI tells users to delete these texts immediately, and there are lots of them.
In a new report, the Anti-Phishing Working Group (APWG) paints a bleak picture. “Residents of the U.S. are being bombarded with text messages from Chinese phishers, purporting to come from U.S. toll road operators, including the multi-state EZPass.” Don’t dismiss this as just toll fraud. The same kits drive package delivery and other fake messages with the same concept of operations, just different text and links. This can be tuned to any lure. It’s an infrastructural attack on our phones, not a single campaign.
The scale of this is now so “astronomical,” one cyber expert suggests, that it would be “alarming to know what the true cost is.” It’s certainly more than a scam, it’s an attack, says Trend Micro. And it’s spiralling out of control. According to Robokiller, more than 19 billion spam texts were sent in the U.S. in February alone.
And don’t dismiss this as a trick to steal a few dollars — that’s not the point at all. “They don’t care about the seven bucks,” says Aidan Holland from Censys, “they want your credit card number.” The FTC says it’s even worse, that your identity could be stolen.
“The texts,” says the FBI, “claim the recipient owes money for unpaid tolls and contain almost identical language. The ‘outstanding toll amount’ is similar. However, the link provided within the text is created to impersonate the state’s toll service name, and phone numbers appear to change between states.”
The reason those links are different is that the attackers are registering tens of thousands of domains to mimic state and city toll agencies and lure clicks. And the reason the texts all seem similar is that they’re crafted by “an upgraded phishing kit sold in China, which makes it simple to send text messages and launch phishing sites that spoof toll road operators in multiple U.S. states.”
That’s the crux of APWG’s warning, which points out that “the phone numbers that the phishers send the messages to are usually random — they are sometimes sent to people who do not use toll roads at all, or target users in the wrong state. Some of the text messages are sent from phone numbers in countries other than China.”
But the top level domains are almost always Chinese, which is “one way to spot these scam messages.” Look for “lesser-known top-level domains such as .TOP, .CYOU, and .XIN.” The .TOP domain in particular “has a notable history of being used by phishers.”
This is where it gets interesting. APWG says “the .TOP Registry has long-running compliance problems. ICANN issued a breach letter to .TOP Registry in July 2024, citing .TOP’s failures to comply with abuse reporting and mitigation requirements, and as of March 2025 the case is still listed as unresolved on ICANN’s Web site.”
It should be fairly easy to stop, right? Surely the networks or phone OS makers can block texts with these links or provide new anti-scam measures to stop them hitting phones. Wrong. SMS and now RCS are open protocols, and while anti-spam measures are supposedly in place they’re not working. This should be easy—it clearly isn’t.
Norton has issued advice for Americans to stay safe against this deluge of Chinese texts:
- “Unexpected notices – If you don’t remember missing a toll, be skeptical of any sudden violation notice. Legitimate agencies usually send invoices via official mail, not random emails or texts.
- Urgent or threatening language – Messages that pressure you to pay immediately or threaten fines and legal action are often scams.
- Unusual sender email or website links – Look closely at email addresses and URLs. Scammers often use misspelled domain names or extra characters (e.g., “Toll-Authority123.com” instead of “TollAuthority.com”).
- Suspicious links or attachments – Never click on links in unsolicited emails or texts. Hover over them to check the URL first—if it doesn’t match the official toll agency’s website, it’s a scam.
- Requests for personal information – Legitimate toll agencies don’t ask for sensitive details like Social Security numbers or full credit card info via email or text.”
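The signs described above (the top-level domains APWG names, plus Norton's padded look-alike domains and urgent wording) can be combined into a small triage filter for message bodies. This is an added example, not code from APWG, Norton or the FBI; the allowlist, keyword lists and sample hostnames are assumptions constructed for illustration.

```python
import re

# TLDs the APWG quote above names as common in these texts.
FLAGGED_TLDS = {"top", "cyou", "xin"}
# Assumption: a locally kept allowlist of genuine toll-agency hosts. The entry
# here is the illustrative name from Norton's list, not a real agency.
OFFICIAL_HOSTS = {"tollauthority.com", "www.tollauthority.com"}
LURE = ("toll", "unpaid", "owed", "department of transportation")
URGENCY = ("final warning", "court summons", "immediately", "legal action")
# Matches links with or without a scheme; group 1 is the hostname.
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)

def squash(name):
    """Drop digits, dots and hyphens so padded look-alikes compare equal."""
    return re.sub(r"[^a-z]", "", name.lower())

OFFICIAL_NAMES = {squash(h.rsplit(".", 1)[0])
                  for h in OFFICIAL_HOSTS if not h.startswith("www.")}

def assess(text):
    """Return the indicators found in one SMS body, in a stable order."""
    reasons = []
    for match in URL_RE.finditer(text):
        host = match.group(1).lower()
        if host in OFFICIAL_HOSTS:
            continue
        label, tld = host.rsplit(".", 1)
        if tld in FLAGGED_TLDS:
            reasons.append(f"flagged-tld:{host}")
        if any(name in squash(label) for name in OFFICIAL_NAMES):
            reasons.append(f"lookalike:{host}")
    low = text.lower()
    if any(k in low for k in LURE):
        reasons.append("toll-lure")
    if any(k in low for k in URGENCY):
        reasons.append("urgency")
    return reasons

def is_suspicious(text):
    """Host evidence decides; lure and urgency wording only add context."""
    return any(r.startswith(("flagged-tld:", "lookalike:")) for r in assess(text))

# Constructed samples: wording from the article, hostnames invented for the demo.
SAMPLES = [
    "City Department of Transportation Final warning: $6.99 owed. Must pay by 03/17 to close case or face court summons. Settle now: https://citydot-pay.example.top/i Thank you for your cooperation.",
    "Your toll invoice is ready: Toll-Authority123.com/pay",
    "Lunch at noon? The menu is on bistro.example.com",
    "Your monthly statement is ready at www.tollauthority.com",
]
```

A flagged TLD or look-alike name is a triage signal for review or reporting, not proof on its own, since these TLDs also host legitimate sites.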
Trend Micro has a whole section on its website dedicated to toll scams. The company’s Jon Clay told CNBC this week that “Apple doesn’t do anything about it… Android will add it to their spam list so you won’t get texts from the same number, but then the scammers will just change numbers. Apple has done a wonderful job of telling everyone their phone is secure, and they are, but not from this kind of attack.”
Trend Micro has also just warned of a new twist to this scam. “Unlike many other toll scams that target drivers in specific states, this scam is very generic, appearing to come from the vague-sounding ‘City Department of Transportation.’ It threatens drivers with a court summons if they do not pay the fee by a certain date.”
That urgency is a typical tactic. The new text reads something like: “City Department of Transportation Final warning: $6.99 owed. Must pay by 03/17 to close case or face court summons. Settle now: <URL> Thank you for your cooperation.”
APWG says recipients of such scam texts — of which there are now likely hundreds of thousands — can “help update alerting/blocking mechanisms that protect billions of devices and software clients worldwide” by reporting these to the FBI’s IC3.gov or directly to them at apwg.org/sms.
This isn’t the only SMS attack warning hitting users this weekend. The Australian Federal Police, the country’s FBI equivalent, has warned users of a nasty new attack that spoofs the sender’s identity so that texts appear to come from a genuine crypto exchange, tricking users into sending their crypto to the attackers. These threats cross borders. If it’s happening overseas, you can be certain it will come to the U.S. sooner rather than later.
“Australian law enforcement, in partnership with Binance, has issued a warning about scammers impersonating Binance and targeting crypto investors,” the crypto giant told users on Saturday. The fake texts “appear to be sent by a Binance representative, inform victims of a ‘breach’ of their accounts. To make the scam look legitimate, the scammers include fake verification codes in the messages.” The victim is tricked into calling support, before “transferring their funds to a ‘trust wallet’ [the attackers] control.”
The fake SMS texts reportedly rely on “sender ID spoofing, a technique that makes fraudulent messages show up in the same thread as actual Binance texts… With millions lost to crypto scams, authorities are ramping up measures to prevent further fraud in the ever-evolving crypto market trends.”
Echoes here of the phantom hacker attacks in the U.S. that the FBI has also recently warned are ramping up once again. This involves pretending funds are at risk and need to be moved to a safe account, with an attacker impersonating a bank representative.
Just as with the crypto warning, this hack relies on spoofed identities, “and they may even be able to spoof that bank’s phone number, so the number on your caller ID or cell phone might show that it’s the bank,” the bureau says. “Scammers do not discriminate against anyone. They want money from anyone they can take it from.”
During an attack, “the scammer requests the victim open their financial accounts to determine whether there have been any unauthorized charges – a tactic to allow the scammer to determine which financial account is most lucrative for targeting. The scammer informs the victim they will receive a call from that financial institution’s fraud department with further instructions.”
Meanwhile, as regards the surging toll threat, the FBI says “check your account using the toll service’s legitimate website, contact the toll service’s customer service phone number, [and] delete any smishing texts received.” If you do click the link and provide information, check your accounts and change your key passwords even if you haven’t made a payment. You should certainly do that for comms and finance platforms.
Norton agrees, advising users who fear they may have fallen victim to one of these phishing attacks to do the following:
- “Report it to your toll agency – Contact the real toll road authority in your area and inform them of the scam. They can verify whether you owe anything and help you avoid further fraud.
- Dispute the charge with your bank – If you entered your payment details on a fraudulent site, call your bank or credit card company to dispute the charge and request a card replacement if needed.
- Monitor your accounts – Keep an eye on your bank statements and credit card transactions for any suspicious activity.
- File a complaint with authorities – Report toll scams to the Federal Trade Commission (FTC) at reportfraud.ftc.gov or your local consumer protection agency.
- Strengthen your online security – If you provided login credentials on a fake website, change your passwords immediately and enable two-factor authentication on your accounts.”
The security team also advises users to change accounts to stay protected from such threats in the future:
- “Register for an official toll account – Sign up for an official electronic toll account (e.g., E-ZPass, SunPass, FasTrak) so you can manage payments directly and avoid relying on random notices.
- Verify before paying – If you receive a toll violation notice, visit the official website by typing the URL into your browser—don’t click links from emails or texts.
- Use credit cards instead of debit cards – Credit cards offer better fraud protection if you accidentally pay a scammer.
- Enable scam alerts – Many banks and mobile carriers offer scam text and email alerts that can help you identify fraudulent messages.
- Stay updated on scams – Follow your state’s toll road agency and consumer protection agencies for alerts on new scam tactics.”
Again, don’t just look out for toll texts. The lure could be anything; it just so happens that these Chinese attacks are mining a successful multi-state seam right now. Eventually that will shift to something else.
For the time being this threat continues to surge — be careful out there.