Republished on February 8 with news of further attacks ahead of this weekend and more detailed analysis into the Chinese cybercriminals now targeting Americans.

Beware — there’s a nasty new threat working its way across America. The FBI warns “the scam may be moving from state-to-state,” and advises users that they need to delete any of these texts received — don’t leave them on your phone. If this scam isn’t already in the city where you live, chances are it will be soon and it’s all too easy to be duped. Here’s what you need to know.

If you have received a text warning you owe money for unpaid road tolls, “it’s probably a scam,” the FTC says. “Scammers are pretending to be tolling agencies from coast to coast and sending texts demanding money.” And the consequences are dire. “Not only is the scammer trying to steal your money, but if you click the link, they could get your personal info (like your driver’s license number) — and even steal your identity.”

The scam is stupidly simple, a text pretending to be from the local agency with a dollar amount and a link to pay. This is a phishing attack — or a smishing attack to be more exact, given this is almost always a text rather than an email.

Last month alone, there were media reports from Massachusetts, California, North and South Carolina, Illinois, Colorado, Florida and more. It’s always the same style of text and it’s always a scam. This has become a national level issue. A viral threat.

The FBI says it began receiving reports of the scam in March 2024, with thousands of citizens “reporting smishing texts representing road toll collection services” since then. The texts, the bureau says, “claim the recipient owes money for unpaid tolls and contain almost identical language. The ‘outstanding toll amount’ is similar… However, the link provided within the text is created to impersonate the state’s toll service name, and phone numbers appear to change between states.”

One of the latest cities to warn of the scam is Great Falls, which posted its alert on X on Thursday, telling citizens “This is a SCAM and is not coming from the City of Great Falls. Please do not click the link in the message.”

The FBI’s advice is simple and it will ensure you don’t join the thousands already duped. “Check your account using the toll service’s legitimate website [or] contact the toll service’s customer service phone number.” And then, critically, you should delete any of these texts received. You don’t want these malicious links on your phone.

If you have already fallen victim, “take efforts to secure your personal information and financial accounts [and] dispute any unfamiliar charges.” This might mean contacting your bank or credit card issuer if you’ve already paid, and if you’ve given address details, be wary of any new applications for credit or other services in your name.

According to KnowBe4, “similar scams have been reported in other states, including Florida (targeting SunPass users), Texas (North Texas Toll Authority), California, Colorado, Connecticut, Minnesota, and Washington. These phishing attacks often involve realistic-looking websites that mimic official toll authority sites but only function on mobile devices, making them even more convincing to unsuspecting users.”

The likely culprit is thought to be gangs using “updated commercial phishing kits developed by Chinese cybercriminal groups. These kits include templates designed specifically to impersonate toll operators in multiple states.” Beyond tolls, these gangs “have used similar tactics to impersonate shipping companies, tax agencies, and immigration services, often targeting individuals new to a country or in vulnerable positions. The ultimate goal is to steal payment card details, add them to mobile wallets, and make fraudulent purchases or launder money through shell companies.”

This joins the scourge of other viral scams targeting citizens. To these toll smishing attacks, you can add phantom hacker banking attacks, fraudulent support calls and even make-believe police officers demanding payments to avoid arrest. While some of these attacks are AI-fueled and difficult to detect, as you can see below, the toll scam is stupidly simple, similar to most of the spray smishing campaigns you see.

And such text scams are surging. The example this week of a woman in Florida falling victim to a scammer who “knew her name and convinced her that her phone had been hacked, [who then] instructed her to withdraw thousands of dollars from her bank and deposit it into a secure cryptocurrency account to protect her funds,” is common. And it’s not just the U.S., this is a global problem. Yesterday, an energy company in Europe warned 1 million customers to delete fake SMS messages from the company.

As for the toll scams, new reports are now becoming an almost daily occurrence. As reported by local media, on Friday the Oklahoma Turnpike Authority is the latest to warn of “another round of scam texts, telling people they owe money. The OTA has some simple advice on how to handle them. Just like all these scam texts people get, all they need to do is ignore them and delete them.” Which echoes the FBI advice.

Despite AI enhancements to new phishing and smishing attacks, OTA reports that these toll scams are not overly sophisticated and should be easy enough to spot if you are guarded against them. This is as basic as it comes. There is also another inference that the attacks are being executed from outside the U.S., with China in the crosshairs.

“Multiple News On 6 viewers say they’ve received fake text messages that say they owe a toll and need to click on a link or call a number to avoid having their PikePass turned off. In many cases, the phone number is from overseas. OTA says you can usually spot warning signs right in the text. ‘Usually, you get some signs just by reading the message. If it doesn’t have the correct names or the correct URL, that’s a dead giveaway and you should go ahead and report that as junk or as spam on your phone, and definitely do not click any links on it’.”
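The warning signs described above (a link whose host is not the agency's real domain, and a sender number from overseas), written as a triage check over constructed sample texts. This is an added example, not code from the article or from any agency; `tollagency.example`, the sample messages and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: placeholder for the agency's real domain, which must come from a
# trusted source (a statement, the transponder paperwork), never from the text itself.
OFFICIAL_DOMAINS = {"tollagency.example"}
TOLL_WORDS = re.compile(r"\b(tolls?|turnpike|pikepass|sunpass)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def link_hosts(body):
    """Return the lower-cased hostname of every http(s) link in the text."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlsplit(url.rstrip(".,;:!?)")).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts

def is_official(host):
    """True only for an official domain or a subdomain of one (match on a label boundary)."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def triage(sender, body):
    """Return the warning signs found in one toll-themed text; [] means none found."""
    if not TOLL_WORDS.search(body):
        return []
    signs = []
    for host in link_hosts(body):
        if is_official(host):
            continue
        # The official name buried inside a longer host is the impersonation pattern.
        kind = "lookalike" if any(d in host for d in OFFICIAL_DOMAINS) else "unofficial"
        signs.append(kind + "-host:" + host)
    number = re.sub(r"[^\d+]", "", sender)
    # +1 is the North American numbering plan; any other country code is overseas.
    if number.startswith("+") and not number.startswith("+1"):
        signs.append("non-+1-sender")
    return signs

# Constructed sample messages (sender, body); none of these are real texts.
SAMPLES = [
    ("+63 912 000 0000", "PikePass: you owe a toll of $4.15. Pay at https://tollagency.example.pay-now.test/bill to avoid late fees."),
    ("72345", "Your toll statement is ready: https://www.tollagency.example/account."),
    ("+1 555 010 0199", "Final notice: unpaid tolls. Settle today at http://tollagency-example.test/pay"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, triage(sender, body))
```

An empty result only means none of these specific signs were present; the advice to check the account on the toll service's legitimate website still applies.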

This Chinese angle adds spice to the plague of toll scams, and comes just weeks after the FBI and America’s cyber defense agency warned citizens to stop sending texts given that Chinese hackers were infiltrating U.S. networks. As explained by renowned security investigator Brian Krebs, “the emergence of these SMS phishing attacks coincided with the release of new phishing kit capabilities that closely mimic these toll operator websites as they appear on mobile devices. Notably, none of the phishing pages will even load unless the website detects that the visitor is coming from a mobile device.”

Krebs cites researchers at SecAlliance, who suggest that “the volume of SMS phishing attacks spoofing toll road operators skyrocketed after the New Year, when at least one Chinese cybercriminal group known for selling sophisticated SMS phishing kits began offering new phishing pages designed to spoof toll operators in various U.S. states.”

The SMS phishing kits are distinctive and clearly enable multiple bad actors to operate at once. “The ultimate goal of these kits is to phish enough information from victims that their payment cards can be added to mobile wallets and used to buy goods at physical stores, online, or to launder money through shell companies.”

Consumer Affairs suggests “the selection criteria for targets remain unclear, with MassDOT noting that targeted phone numbers appear random and not linked to toll road usage. Some recipients, like a reader on Mastodon, reported receiving these messages despite not owning a vehicle. Authorities advise ignoring or deleting such messages and reporting them to the FBI’s Internet Crime Complaint Center (IC3) with details of the originating phone number and website.”

The advice is always simple. Don’t take unsolicited calls from banks or tech support. Never agree to install software or move money. Don’t pay cold calling cops asking for cash. And never click on toll links that turn up unexpectedly in text messages. Stick to these basics and you’ll kill any attempts to scam you right at the start.
