Stop sending texts, the FBI told Americans in December, as Chinese hackers marauded through U.S. networks. But the bureau warns there’s another text threat now sweeping across America “from state to state,” and this one is more likely to get you, stealing your money, maybe even your identity. And it’s also made in China.

We’re talking about the “smishing” texts now targeting iPhone and Android phones across America with links to fake road toll bills. The FBI tells users to delete all these texts immediately. And there are lots of them. The scale of this is now “astronomical,” with one cyber expert suggesting “it would be so alarming to know what the true, the true cost is.” It’s certainly beyond just a scam; it’s an attack, says Trend Micro.

In a new report, the Anti-Phishing Working Group (APWG) paints a bleak picture. “Residents of the U.S. are being bombarded with text messages from Chinese phishers, purporting to come from U.S. toll road operators, including the multi-state EZPass.” Don’t dismiss this as just toll fraud. The same kits drive package delivery and other fake messages with the same concept of operations, just different text and links. This can be tuned to any lure. It’s an infrastructural attack on our phones, not a single campaign.

And don’t dismiss this as a trick to steal a few dollars — that’s not the point at all. “They don’t care about the seven bucks,” says Aidan Holland from Censys, “they want your credit card number.” The FTC says it’s even worse, that your identity could be stolen.

“The texts,” says the FBI, “claim the recipient owes money for unpaid tolls and contain almost identical language. The ‘outstanding toll amount’ is similar. However, the link provided within the text is created to impersonate the state’s toll service name, and phone numbers appear to change between states.”

The reason those links are different is that the attackers are registering tens of thousands of domains to mimic state and city toll agencies and lure clicks. And the reason the texts all seem similar is that they’re crafted by “an upgraded phishing kit sold in China, which makes it simple to send text messages and launch phishing sites that spoof toll road operators in multiple U.S. states.”

That’s the crux of APWG’s warning, which points out that “the phone numbers that the phishers send the messages to are usually random — they are sometimes sent to people who do not use toll roads at all, or target users in the wrong state. Some of the text messages are sent from phone numbers in countries other than China.”

But the top level domains are almost always Chinese, which is “one way to spot these scam messages.” Look for “lesser-known top-level domains such as .TOP, .CYOU, and .XIN.” The .TOP domain in particular “has a notable history of being used by phishers.”
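The TLD check above is the kind of heuristic a mail or messaging gateway (or a curious user) can automate. The following is an added example, not code from APWG, the FBI or Trend Micro: it pulls links out of a text message, reads the last label of each hostname, and scores the message on the TLDs the report names, on toll-brand words embedded in the hostname, and on the “outstanding toll” wording the FBI describes. It also generalizes to the package-delivery variant mentioned earlier, since that lure uses the same kit and the same TLDs. The sample messages, the hostnames in them, and the keyword list are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# TLDs the APWG report singles out as heavily used in toll smishing.
SUSPICIOUS_TLDS = {"top", "cyou", "xin"}

# Brand/lure words an impersonating hostname typically embeds (assumed list).
TOLL_KEYWORDS = ("ezpass", "e-zpass", "toll", "tollway")

# Matches bare or schemed URLs: optional scheme, dotted hostname, optional path.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.IGNORECASE)

# Constructed sample messages (hostnames are made up for this example).
SAMPLE_TEXTS = [
    "EZPass: you have an outstanding toll amount of $6.99. Pay now to avoid late fees: https://ezpass-tollpay.top/pay",
    "Reminder: your package is waiting, confirm address at parcel-update.cyou/a1",
    "Dinner at 7? Menu is at https://example.com/menu",
]


def extract_urls(text):
    """Return every URL-looking token in the message."""
    return [m.group(0) for m in URL_RE.finditer(text)]


def hostname_of(url):
    """Lower-cased hostname of a URL; a missing scheme is tolerated."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.IGNORECASE):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def score_message(text):
    """Score a text message; higher means more smishing indicators.

    Returns (score, reasons). The TLD is taken as the last hostname label,
    which is enough for .top/.cyou/.xin; a public-suffix list would be
    needed to handle multi-label suffixes such as co.uk correctly.
    """
    score, reasons = 0, []
    for url in extract_urls(text):
        host = hostname_of(url)
        tld = host.rsplit(".", 1)[-1]
        if tld in SUSPICIOUS_TLDS:
            score += 2
            reasons.append(f"abused TLD .{tld} in {host}")
        if any(word in host for word in TOLL_KEYWORDS):
            score += 1
            reasons.append(f"toll brand embedded in hostname {host}")
    if re.search(r"\b(?:unpaid|outstanding)\s+toll", text, re.IGNORECASE):
        score += 1
        reasons.append("unpaid-toll lure wording")
    return score, reasons


def is_smishing(text, threshold=2):
    """True when the message reaches the indicator threshold."""
    return score_message(text)[0] >= threshold


def triage(texts, threshold=2):
    """Return [(text, score, reasons)] for the messages that trip the threshold."""
    flagged = []
    for text in texts:
        score, reasons = score_message(text)
        if score >= threshold:
            flagged.append((text, score, reasons))
    return flagged


if __name__ == "__main__":
    for text, score, reasons in triage(SAMPLE_TEXTS):
        print(f"[{score}] {text}")
        for reason in reasons:
            print(f"      - {reason}")
```

The TLD signal is exactly that, a signal: legitimate sites exist on .TOP and the other TLDs, so a gateway would combine this score with sender reputation and reporting data rather than blocking on the TLD alone. The threshold of 2 means a lone abused TLD is enough to flag a message, which matches the report’s point that the same kit drives non-toll lures with different text.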

This is where it gets interesting. APWG says “the .TOP Registry has long-running compliance problems. ICANN issued a breach letter to .TOP Registry in July 2024, citing .TOP’s failures to comply with abuse reporting and mitigation requirements, and as of March 2025 the case is still listed as unresolved on ICANN’s Web site.”

It should be fairly easy to stop, right? Surely the networks or phone OS makers can block texts with these links or provide new anti-scam measures to stop them hitting phones. Wrong. SMS and now RCS are open protocols, and while anti-spam measures are supposedly in place, they’re not working. This should be easy—it clearly isn’t.

Trend Micro has a whole section on its website dedicated to toll scams. The company’s Jon Clay told CNBC this week that “Apple doesn’t do anything about it… Android will add it to their spam list so you won’t get texts from the same number, but then the scammers will just change numbers. Apple has done a wonderful job of telling everyone their phone is secure, and they are, but not from this kind of attack.”

APWG says recipients of such scam texts — of which there are now likely hundreds of thousands — can “help update alerting/blocking mechanisms that protect billions of devices and software clients worldwide” by reporting these to the FBI’s IC3.gov or directly to them at apwg.org/sms.

Meanwhile, the FBI says “check your account using the toll service’s legitimate website, contact the toll service’s customer service phone number, [and] delete any smishing texts received.” If you do click the link and provide information, check your accounts and change your key passwords even if you haven’t made a payment.
