Widespread Toll Road Text Message Scam: Experts Warn of Smishing Attacks
A sophisticated text message scam targeting consumers with false claims of unpaid road tolls is currently circulating extensively throughout the United States, prompting experts to issue urgent warnings and encourage heightened vigilance. These deceptive messages, often designed to mimic official communications from state toll services, are a form of "smishing," a type of cyberattack that uses SMS messages to trick individuals into divulging personal information, downloading malware, or sending money to scammers.
The scam typically involves a text message purporting to be from a toll service provider, such as FastTrak in California or E-ZPass in the numerous states that utilize the system. The messages claim that the recipient owes money for unpaid tolls and threaten dire consequences, such as the suspension of their driver’s license, the imposition of additional penalties, reports to the Department of Motor Vehicles (DMV), or even legal action, if the alleged debt is not promptly settled.
While the scam texts often target residents of states with toll roads, a common tactic employed by scammers is to send these messages indiscriminately in the hope that some will find their mark. This means individuals may receive messages claiming to be from toll companies in states they have never even visited.
The content of these fraudulent messages can vary in specificity, but they consistently attempt to create a sense of urgency and fear in the recipient. To illustrate, one example of a deceptive message received by a journalist at USA TODAY reads: "This is a final reminder regarding the unpaid toll from your recent trip on the Maryland toll road. To avoid an additional fee of $35.00, please settle your outstanding balance now by visiting the link below. ez-md.net (Enter the link in your browser to securely access your file)." Another message states: "Please pay your FastTrak Lane tolls by February 20, 2025. To avoid a fine and keep your license, you can pay at https://paytollitua.vip/ezdrivema (Please reply Y, then exit the text message and open it again to activate the link, or copy the link into your Safari browser and open)."
Notably, many of these scam texts are designed to circumvent security measures. Instead of providing a directly clickable link, they instruct recipients to copy and paste the URL into their web browser. This tactic is likely employed to evade detection by automated security systems that scan for malicious links within text messages. The fraudulent links themselves are often crafted to closely resemble legitimate toll service websites, such as the fake address "e-zpass.com-pay," which can easily be mistaken for the real website with URL addresses like "https://www.e-zpassny.com."
Reports indicate that these scam text messages have been circulating persistently since at least January, with journalists in numerous states and cities, including New York, New Jersey, Virginia, Washington D.C., Cincinnati, Miami, and Indianapolis, confirming receipt of various iterations of the scam.
Another common tactic involves creating a false sense of urgency by mentioning dates that have already passed or imposing an artificial deadline for payment. For example, one message reads: "E-ZPass – Toll Violation Notice Dear User, We noticed an unpaid toll balance on your E-ZPass account. To avoid late fees, please make the payment within 12 hours. If payment is not received within this time, additional penalties will apply, and the matter may be reported to the DMV. [Payment Link] HTTP://ezpasshet.top/pay. Reply with ‘Y’, exit the SMS, then reopen it to activate the link. Or copy and paste the link into your browser. Thank you for your prompt attention. E-ZPass Support Team."
While the specific wording and style of these scam texts may vary, they often share common characteristics in their link styles. Scammers frequently employ shortened Bitly links to conceal the full URL text, preventing recipients from readily identifying the potential threat. They also create links that closely resemble legitimate toll service websites, often incorporating "E-ZPass" or similar terms in the URL text to lend an air of authenticity.
McAfee, a prominent cybersecurity company, has compiled a list of prevalent link styles observed in these fraudulent text messages. However, they emphasize that this list is not exhaustive and merely represents a snapshot of common URL types and formats encountered in these scams. McAfee’s research also indicates a high concentration of these scam texts in major cities and metropolitan areas across the United States.
The FBI reported receiving over 2,000 complaints in April, related to "smishing" scams that were pretending to be toll road collection services in only three states. The Federal Trade Commission (FTC) issued a renewed warning in January, emphasizing that scammers are once again impersonating toll agencies from "coast to coast." The FTC advisory states, "Whether you’ve driven through a toll recently or not, you might’ve gotten a text saying you owe money for unpaid tolls. It’s probably a scam. Not only is the scammer trying to steal your money, but if you click the link, they could get your personal info."
"Smishing" is a type of social engineering attack that leverages fraudulent text messages to deceive individuals into downloading malware, sharing sensitive information, or transferring funds to cybercriminals, according to IBM. The term "smishing" is a combination of "SMS" (short message service) and "phishing," an umbrella term for social engineering attacks.
Both the FBI and FTC urge recipients of suspicious toll agency text messages demanding money to exercise extreme caution. They recommend refraining from clicking on any links contained in the messages and instead contacting the toll agency directly through official channels, such as the agency’s website or customer service phone number. It is also crucial to report the scam to the FTC and the FBI’s Internet Crime Complaint Center (IC3). Staying informed about these types of scams is key to protect your personal information and avoid falling victim to these increasingly sophisticated cyberattacks.
