Who is sending those scammy text messages about unpaid tolls?

A new wave of “smishing” impersonates toll agencies to steal payment data as cybercriminals scale operations across the U.S. and beyond

A fast-growing text message scam impersonating unpaid toll notices is spreading across mobile phones in multiple countries, prompting warnings from cybersecurity experts and federal authorities. The fraudulent messages claim recipients owe small toll balances—often under $25—while threatening fines, license suspension, or vehicle registration issues if payment is not made immediately.

Authorities confirm the messages are part of a coordinated “smishing” campaign, a form of phishing delivered through SMS or messaging apps.

How the Toll Scam Works

Victims typically receive urgent-looking texts stating they have an unpaid toll violation. The message includes a link directing users to a counterfeit payment page designed to capture sensitive financial details such as credit card numbers.

Despite the relatively small amounts demanded, experts say the goal is not the toll payment itself but the theft of financial credentials that can be reused or sold.

Cybersecurity researcher Aidan Holland of Censys explained that scammers rely on urgency and familiarity to trick users. He noted that many victims either pay quickly without verifying the message or overlook warning signs because the requested amount appears insignificant.

Long-Running Scam Tactic with a New Twist

The campaign is not entirely new in structure. The Federal Bureau of Investigation has tracked similar fraudulent text operations for more than a year through its Internet Crime Complaint Center.

However, cybersecurity analysts say the use of toll agencies as a disguise marks an evolution in smishing tactics, building on earlier scams involving missed deliveries or account verification alerts.

The Federal Trade Commission and the Federal Communications Commission are also monitoring the surge, warning that the scale and frequency of these attacks continue to increase.

Massive Domain Networks Fuel the Operation

Researchers report that attackers are operating at an industrial scale, registering tens of thousands of malicious domains designed to resemble legitimate toll services.

Security teams at Palo Alto Networks identified more than 10,000 domains linked to toll and delivery scams. Many of these use recognizable toll-related keywords such as “e-zpass,” “fastrak,” and “sunpass,” combined with deceptive web extensions to appear credible.
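For defenders triaging reported texts, the keyword pattern described above can be checked mechanically. The sketch below is an added example, not code from the article or from any of the researchers quoted: the keyword list comes from the article, while the official host `sunpass.example`, the digit-swap table and the sample messages are constructed assumptions.

```python
import re

# Brand keywords named in the article, stored without punctuation.
BRAND_KEYWORDS = ("ezpass", "fastrak", "sunpass")

# Assumption: hosts your team has verified as official (placeholder value).
OFFICIAL_HOSTS = {"sunpass.example"}

# Assumption: common digit-for-letter swaps used in lookalike names.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Matches hostnames with or without a scheme; the last label must be letters,
# so amounts such as "6.99" are not mistaken for hosts.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)


def extract_hosts(message):
    """Return every hostname-like token in a message, lowercased."""
    return [h.lower() for h in HOST_RE.findall(message)]


def is_official(host):
    """True only for a verified host or a subdomain of one (suffix match)."""
    return any(host == o or host.endswith("." + o) for o in OFFICIAL_HOSTS)


def normalise(host):
    """Undo digit swaps and drop dots/hyphens so 'e-zpass' and 'fa5trak' match."""
    return re.sub(r"[^a-z]", "", host.translate(LOOKALIKES))


def triage(message):
    """Return (host, keyword) for hosts that borrow a toll brand but are not official."""
    findings = []
    for host in extract_hosts(message):
        if is_official(host):
            continue
        flat = normalise(host)
        hit = next((k for k in BRAND_KEYWORDS if k in flat), None)
        if hit:
            findings.append((host, hit))
    return findings


# Constructed sample messages, not real campaign data.
SAMPLES = [
    "E-ZPass: you owe $6.99. Pay at https://e-zpass.com-tolls.example/pay today",
    "SunPass statement ready: https://www.sunpass.example/account",
    "Final notice, pay at sunpass.example.pay-toll.test/now",
    "Unpaid toll: fa5trak-toll.example/pay",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(triage(text), "<-", text)
```

The suffix match in `is_official` is what separates a real subdomain from a lookalike that merely places the official name at the front of a longer host.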

Meanwhile, Holland discovered as many as 57,000 malicious URLs associated with the campaign, highlighting how rapidly the infrastructure is expanding.

Despite takedown efforts, experts say the speed of domain replacement makes disruption extremely difficult.

Renée Burton of Infoblox noted that even when thousands of domains are removed, attackers can quickly replace them with tens of thousands more, sustaining the operation’s momentum.

Global Infrastructure and Hosting Patterns

Investigations suggest the scam infrastructure is highly distributed. While many phishing sites appear hosted in the United States, Singapore, and Japan, much of the underlying hosting is linked to providers based in China, according to researchers.

Attackers also reuse naming conventions tied to real toll services, increasing the likelihood of user confusion and successful deception.

Messaging Platforms Used to Evade Detection

Security analysts have observed that many of the scam messages are not sent through traditional SMS channels. Instead, they frequently originate from email-to-text systems or internet-based messaging platforms such as iMessage and Rich Communication Services (RCS).

This shift helps attackers bypass some carrier-level spam filters, since these platforms operate over the internet rather than standard cellular messaging systems.

A spokesperson from CTIA stated that the industry is working with carriers and law enforcement to address abuse across modern messaging platforms, emphasizing the need for coordinated defenses.

Why the Scam Is So Effective

Experts say the success of the toll scam comes down to familiarity and psychological pressure. Messages mimic real-world obligations that many drivers regularly encounter, such as toll payments or vehicle fines.

Chester Wisniewski of Sophos noted that scammers rely on urgency and subtle inconsistencies that many users miss, including unusual web domains or international phone indicators.

Because the amounts requested are small, victims are more likely to comply without verifying legitimacy.

Authorities Urge Caution and Reporting

Federal agencies advise users not to click links in unsolicited messages claiming unpaid tolls. Instead, recipients should verify account status directly through official toll agency websites or customer service channels.

Users are also encouraged to report suspicious messages by forwarding them to “7726” (SPAM) through their mobile carrier and blocking the sender.

Officials emphasize that awareness remains the most effective defense, as these scams depend heavily on user trust and quick reactions.

Conclusion

The toll payment scam highlights how cybercriminals continue to refine simple but highly effective social engineering tactics. By exploiting everyday services and increasing the scale of malicious infrastructure, attackers are making it harder for users to distinguish real notifications from fraud.

As cybersecurity experts warn, vigilance and verification remain the strongest defenses against these increasingly sophisticated smishing campaigns.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO