It’s not just you.
Seemingly everyone is getting text messages notifying them of an unpaid toll road violation. The past-due amount is usually less than $25, but the message is often paired with threats of excessive penalties, suspended vehicle registrations and reports of the unpaid fare to state motor vehicle agencies.
None of it is legitimate. What is actually occurring is a wide-ranging scam, circulating nationwide on mobile phones, that attempts to trick people into paying the phantom violations. Federal authorities, including the FBI, the Federal Trade Commission and the Federal Communications Commission, are tracking and investigating the scam, noting the social engineering attacks are increasing in frequency and geographic reach.
The framework for the scam isn’t particularly novel: The FBI’s Internet Crime Complaint Center has fielded complaints about fake road toll collection text messages since March 2024. But the inclusion of toll road violations is a new thematic spin to a wave of attacks known as smishing — phishing over SMS or text messages — similar to scam campaigns related to missed package deliveries, threat researchers told CyberScoop.
Scammers know text messages are among the most personal and time-sensitive forms of communication. Combined with the small amounts of money requested, the scam hits a sweet spot: the sum is too small to prompt scrutiny, yet the payment form on the phishing page captures the information cybercriminals are truly after.
“They don’t care about the seven bucks. They want your credit card number,” said Aidan Holland, security researcher at Censys. “It’s just a low-dollar amount that most people will either pay without thinking or not give it a double take.”
Threat researchers attribute the unpaid toll scam to familiar cybercriminals, with the infrastructure and phishing kits originating from China.
“It’s the same folks who are doing all sorts of text-based scams,” said Renée Burton, VP of threat intelligence at Infoblox.
The scams keep spreading in part because the malicious actors are using tens of thousands of URLs and consistently registering new domains.
The malicious sites linked to these attacks typically place a variant of a legitimate toll operator's name in a subdomain label, while the registrable domain itself ends in an uncommon top-level domain of the sort more often associated with cybercrime.
Palo Alto Networks’ Unit 42 said the top subdomains embedded in these URLs include: “ezdrive,” “e-zpass,” “fastrak,” “thetollroad,” “txtag,” “paturnpike,” “ohioturnpike,” “sunpass,” “bayareafastrak,” among others.
Legitimate toll collection domains follow no consistent naming pattern across operators, a key factor contributing to the success of this campaign, according to Holland.
“There’s just so many different variants,” he said. “It leaves room for confusion, and that room for confusion is being taken advantage of.”
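One way to turn the domain-naming tells described above into a triage check, as an added example that is not code from the article, from Censys or from Unit 42: the brand keywords are the subdomain labels Unit 42 listed; the uncommon-TLD list, the allowlist entry tollauthority.example and the sample messages are constructed here for illustration and are not from the article. It assumes single-label public suffixes (a real deployment would use the Public Suffix List, so that co.uk-style suffixes are split correctly).

```python
"""Heuristic triage for toll-themed smishing URLs.

Added example, not CyberScoop's, Censys's or Unit 42's code. Flags a URL
when a toll brand appears in the subdomain labels but not in the
registrable domain (brand used as bait on a throwaway domain), or when a
brand-like registrable domain sits under an uncommon TLD.
"""
import re
from urllib.parse import urlsplit

# Brand strings Unit 42 reported seeing as subdomains in smishing URLs.
TOLL_BRANDS = {
    "ezdrive", "e-zpass", "ezpass", "fastrak", "thetollroad", "txtag",
    "paturnpike", "ohioturnpike", "sunpass", "bayareafastrak",
}

# Assumed list of TLDs to treat as uncommon for a U.S. toll operator;
# not from the article. Tune from your own telemetry.
UNCOMMON_TLDS = {"top", "xin", "vip", "icu", "cyou", "shop", "click"}

# Constructed allowlist placeholder; replace with the operator's real domains.
KNOWN_GOOD_DOMAINS = {"tollauthority.example"}

# Loose URL matcher for message bodies; bare hosts without a scheme count too.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.I)


def split_host(host: str):
    """Return (subdomain_labels, registrable_domain, tld).

    Assumes a single-label public suffix (foo.com, foo.top). Multi-label
    suffixes such as co.uk need a public-suffix list; out of scope here.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return [], host.lower(), ""
    return labels[:-2], ".".join(labels[-2:]), labels[-1]


def triage_url(url: str) -> dict:
    """Classify one URL as allow, suspicious or unknown with the reasons."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    subs, reg, tld = split_host(host)
    sub_text = ".".join(subs)
    brand_in_sub = {b for b in TOLL_BRANDS if b in sub_text}
    brand_in_reg = {b for b in TOLL_BRANDS if b in reg}
    findings = {
        "host": host,
        "registrable_domain": reg,
        "allowlisted": reg in KNOWN_GOOD_DOMAINS,
        "brand_in_subdomain": sorted(brand_in_sub),
        "uncommon_tld": tld in UNCOMMON_TLDS,
        # Brand used as bait: it lives in the subdomain, not the real domain.
        "brand_bait": bool(brand_in_sub) and not brand_in_reg,
    }
    if findings["allowlisted"]:
        verdict = "allow"
    elif findings["brand_bait"] or (findings["uncommon_tld"] and brand_in_reg):
        verdict = "suspicious"
    else:
        verdict = "unknown"
    findings["verdict"] = verdict
    return findings


def triage_message(text: str) -> list:
    """Extract every URL from a message body and triage each one."""
    return [triage_url(m.group(0)) for m in URL_RE.finditer(text)]


if __name__ == "__main__":
    # Constructed sample smishing text; not a real message from the article.
    sample = "Final notice: pay $6.99 at https://txtag.org-pay.vip/x to avoid penalties"
    for finding in triage_message(sample):
        print(finding["verdict"], finding["host"], finding)
```

The structural check matters more than the keyword list: a legitimate operator's name belongs in the registrable domain, so a brand string that only appears to the left of a throwaway registrable domain is the tell, regardless of which TLD follows it.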
Holland discovered as many as 57,000 malicious URLs earlier this month that were directly associated with the scam.
Unit 42 last week said it found more than 10,000 registered domains for various smishing services posing as toll services for U.S. states and package delivery services. More than two-thirds of these domains use the same two name servers and resolve to IP addresses belonging to popular hosting providers, according to Unit 42.
While the phishing sites mostly resolve to servers in the United States, Singapore and Japan, almost all of them were hosted on networks owned by China-based firms Tencent and Alibaba, Holland said.
Researchers’ efforts to take these domains offline are ongoing, yet gaining the upper hand against this cybercrime group remains difficult.
“If we get a thousand domains taken down, they can register 40,000 tomorrow,” Burton said. “That amount of domains they have tells you that they are making money off it.”
Most of the malicious texts Holland observed were delivered via iMessage from email addresses tied to accounts set up on burner phones running SIM cards with numbers based in the United Kingdom and the Philippines. He suspects cybercriminals are deploying this tactic because email addresses are cheaper than phone numbers, even numbers from countries with inexpensive disposable SIM cards.
The campaign is not exclusive to Apple devices, however. Holland also observed toll road text scams on Android-based phones.
Cybercriminals are also deploying tactics to circumvent carrier-level spam controls. While wireless carriers can inspect and filter regular SMS messages that pass through their network infrastructure, messages sent via internet-based platforms like iMessage and the industry-standard rich communication services (RCS) protocol bypass those filters and sit outside the carriers’ direct purview.
“As bad actors evolve their tactics from targeting traditional text platforms to focusing more on over-the-top internet-based platforms like iMessage and RCS, wireless providers, others in the messaging ecosystem and law enforcement need to partner to combat these tactics,” said a spokesperson for CTIA, the U.S.-based wireless industry association.
Federal authorities previously said this toll road text scam is moving from state to state. Earlier this month, researchers said they observed malicious activity in at least a dozen states and one Canadian province.
The FBI, FCC and FTC advise users who receive these text messages to exercise caution, not click links in unexpected texts, file complaints and delete the messages. Users are also encouraged to report unwanted texts as spam, block the number and forward the message to 7726 (which spells “SPAM” on a phone keypad) to report it to their wireless provider.
Whether it’s toll roads, package notifications or other routine notices tied to everyday life, these scams continue to pop up because social engineering attacks work. The way to avoid them, whatever the subject, is to stay vigilant and treat messages from unknown or unconfirmed senders with skepticism.
“These scams are somewhat easy to spot as fraud if you’re paying attention,” said Chester Wisniewski, director and global field chief technology officer at Sophos. “Remain vigilant for non-U.S. country codes and look for unusual top-level domains — which are often a tell for suspicious activity.”