A widespread SMS toll fee scam is currently targeting thousands of smartphone users across the United States. Cybercriminals are sending fraudulent text messages demanding payment for unpaid road tolls, aiming to steal both money and sensitive personal information.
FBI Warns of Growing Smishing Scam
The FBI’s Internet Crime Complaint Center (IC3) first issued a warning in April 2024 after receiving over 2,000 complaints regarding fake toll service text messages. Since then, the scam has escalated, prompting alerts from city officials in Boston, Denver, and San Francisco. According to cybersecurity firm McAfee, the cities most affected are Dallas, Atlanta, and Los Angeles.
How the Toll Scam Works
The fraudulent text messages follow a similar pattern: they claim to be from an official toll service provider and notify recipients of an outstanding toll balance. To avoid late fees or DMV referrals, users are urged to make an immediate payment via a link provided in the SMS.
However, the link directs victims to a phishing website disguised as an authentic toll payment portal. These fake sites often include:
- Official-looking logos and branding
- A business name and street address
- Supposed time and date of the unpaid toll
Once users enter their payment details or personal information (such as driver’s license number), scammers can exploit them for identity theft and financial fraud.
Tactics Used in the Scam
The scam operates on classic phishing tactics, including:
- Creating urgency: Scammers pressure recipients into paying quickly by threatening penalties.
- Appearing credible: Some messages reference specific cities (e.g., New York City) to enhance believability.
- Using deceptive domains: According to Palo Alto Networks’ Unit 42, cybercriminals have registered over 10,000 fake domains to make their scam appear more legitimate. These domains mimic official websites, using misleading variations such as:
- dhl.com-new[.]xin
- ezdrivema.com-securetta[.]xin
- fedex.com-fedexl[.]xin
- sunpass.com-ticketap[.]xin
- usps.com-tracking-helpsomg[.]xin
Additionally, experts warn that scammers may be expanding their smishing operations to include fake delivery service alerts from companies like FedEx, USPS, and DHL.
How to Protect Yourself from SMS Toll Scams
To avoid falling victim to smishing scams, follow these cybersecurity best practices:
- Verify the Source: If you receive a suspicious text regarding unpaid tolls, contact the toll service directly via their official website or customer service number.
- Never Click on Links in Unsolicited Texts: Manually enter the web address of toll payment services to ensure authenticity.
- Check for Red Flags: Scam messages often include spelling mistakes, formatting errors, or suspicious URLs.
- Report and Delete: If you receive a scam message, report it to the FBI’s IC3, the FTC, or your mobile carrier, then delete it immediately.
Government Agencies Issue Warnings
Given the scale of this SMS toll scam, both the Federal Trade Commission (FTC) and the FBI have issued official warnings advising the public to stay vigilant. These agencies emphasize the importance of reporting fraudulent texts to help combat online scams and protect personal data.
By staying informed and practicing cybersecurity awareness, you can protect yourself from this and other emerging phishing scams targeting U.S. consumers.
