Embed from Getty Images
Over the past few months, I’ve gotten at least four texts alerting me that I have unpaid E-ZPass tolls and I need to click on a provided link in order to go pay them or risk “penalties or legal action.” Now, the senders, phone numbers they’re sent from, and links themselves are very clearly spam, so I’ve ignored them every time. It’s still super annoying because blocking the contact doesn’t stop it from happening.
This particular scam is now so widespread that the FBI just issued a public service announcement about it. They’re called “smishing” scams. Essentially, it’s your classic email phishing scam, but done via text or SMS messages (hence the ‘smishing’ portmanteau). Their PSA includes common language used, tricks to look out for to determine it’s a scheme, and what to do if you get such a text.
The FBI has issued a public service announcement after widespread reports of “smishing” texts that scam cell phone users into believing they have unpaid road tolls.
The FBI defines “smishing” as “a social engineering attack using fake text messages to trick people into downloading malware, sharing sensitive information, or sending money to cybercriminals.” The term is a combination of SMS (short message service) and phishing.
This month marks one year since the FBI Internet Crime Complaint Center (IC3) began seeing an increase in “smishing” complaints about texts claiming to represent road toll collection services from at least three states, the FBI wrote in the PSA. In the last year, the IC3 reports they’ve received over 2,000 complaints. The road toll collection scam texts claim the recipient carries an “outstanding toll amount” that must be paid immediately to avoid increased charges, the IC3 writes. The link provided in the text message mimics a state’s toll service name and tricks recipients into clicking on it.
An example of the text recipients receive reads: “(State Toll Service Name): We’ve noticed an outstanding toll amount of $12.51 on your record. To avoid a late fee of $50.00, visit https://myturnpiketollservices.com to settle your balance.”
Palo Alto Networks’ Unit 42 explains the scammer’s new campaign “entices users to reveal personal and/or financial information, including credit or debit card and account information.”
The Federal Trade Commission (FTC) warns users who receive a text regarding an unpaid toll that “it’s probably a scam” and these scammers are working “coast to coast.”
“Not only is the scammer trying to steal your money, but if you click the link, they could get your personal info and even steal your identity,” the FTC warns.
The text messages follow a similar format relying on urgency within the message, claiming recipients will accrue even higher costs if they don’t pay right away. Scammers craft a new domain that provides a link to the payment site, Forbes reported.
While Apple iMessage provides a layer of protection from scammers by disabling links from unknown senders, scammers found a way to bypass this by asking users to reply with “Y” and reopen the message. This action by users enables links to be received from “smishing” texts, according to Unit 42.
A trick for users to check whether or not the link is legit is by looking at the domain name that usually includes the Chinese .XIN TLD, Unit 42 advises. This is a toolkit built by Chinese cybercrime groups, Forbes reports. Examples of domains to keep an eye out for include:
dhl.com-new[.]xin
driveks.com-jds[.]xin
ezdrive.com-2h98[.]xin
ezdrivema.com-citations-etc[.]xin
ezdrivema.com-securetta[.]xin
e-zpassiag.com-courtfees[.]xin
e-zpassny.com-ticketd[.]xin
fedex.com-fedexl[.]xin
getipass.com-tickeuz[.]xin
sunpass.com-ticketap[.]xin
thetollroads.com-fastrakeu[.]xin
usps.com-tracking-helpsomg[.]xinThe IC3 advises recipients of these “smishing” scam messages to take action by first filing a complaint with them which includes reporting the phone number from the road toll collection service impersonator as well as the website linked in the message.
The FBI recommends “smishing” scam recipients to delete all questionable messages they receive. And if recipients happen to click on any links sent or provide their personal information, they should take immediate action to secure personal information, especially financial accounts.
Like I said before, I’ve gotten a variation of this text scam at least four times between February 12 and March 13. I had them on my phone still because I just ignored them, but I did delete them all after I read that recommendation to do so. I use E-ZPass somewhat regularly and do get text notifications from them. So, although I was 98% sure it was a scam the first time, I still had to stop and re-examine it closer before being certain. I can see how someone who is not as technologically savvy would fall for something like this. If you ever get a text from a stranger asking you to click on a link to pay for something, don’t do it!
There are other, even scarier scams out there, where people will spoof a certain phone number and pretend that your loved one is in trouble or that you have an outstanding warrant for missing jury duty or something. I know a few people who have gotten both of these types of calls. Even though none of them have fallen for it, they were still really, really shaken by the blatant emotional manipulation and scare tactics. The common thread with all three of their scam calls was the ask to deliver $10,000 in cash to a drop-off point, despite the calls being from the “police.” Taking advantage of people in these ways is so gross. I hope they catch whoever is behind these operations and put them in jail.
Ah, smishing, the latest ‘ishing’. There’s also qrishing (the qr-codes are a favorite these days for malicious sites too).
In short: Being paranoid about clicking links from sms’s on your phone is a good thing.
About the QR codes, a friend of mine’s kid is studying IT. The amount of times legit QR codes are replaced (think historical info/ museums) is really concerning. This is a super easy way for lazy criminals to make money–they warned me to stay away from QR codes unless absolutely certain they hadn’t been messed with.
Some good advice: NEVER click on a link, even from a “trusted” site. GO DIRECTLY to the site, or CALL the institution (bank, store, whatever) YOURSELF and ascertain if they, in fact, DID send something. 99.9% of the time, it is a scam.
Also, put a malware/spyware program on your devices (ClamX, Malware Bytes come to mind, as I use them lol) to catch bugs. A good VPN also helps.
I have received two of these text scams and I report and delete. I expect more to come.
Same!!
Same. And I sold my (only) car three years ago.
I have recieved it too, I just delete and junk.
I’ve gotten a few of these in the last month or so. I always block and then report/delete. I don’t know where it’s “reported “ to or if that really means anything. I also have been getting a lot of texts from fake postal service of some kind about undelivered something or other with postage due.. these texts always seem to come in waves..nothing for several weeks then a whole lot in a few days.. annoying.
I too have gotten both the toll and package texts. I was slightly amused to see the package ones have upped their game by including border control in their latest attempts. Has anyone gotten the ones that just say Hello?
Yes, I have.
I’ve also gotten “USPS is holding your package’ texts.
Oh, fake Amazon emails, that my account is overdue and I need to pay up. I knew that was a scam immediately because my personal email has never been used for our Amazon account.
I’ve gotten the amusing border patrol messages.
I’ve gotten a LOT of “personal” messages like that from numbers I don’t recognize. I block and delete. If it IS someone who knows me, they know of alternate ways to reach me if I don’t answer a text.
I knew immediately that the toll SMS texts were scammers because I live hundreds of miles from tolls.
Never used one in my life.
Same.
I was like WTF is a toll?
I fell for it!!! I had just driven back from Boston to Connecticut and got a text saying it was from the Massachusetts Toll Authority or whatever. I was confused because I have an EZPass so I looked up the name of the organization and it was legit. Because it was a text I didn’t see the web address to verify it was real but I did click on it and try to pay. I figured it out super quick and then called to cancel my credit card. It was just a luck of the draw that they sent one from Massachusetts and I had just driven through…and I have a Los Angeles cell number. I felt so dumb.
You’re not alone! I got one, and I actually had gotten a toll bill from a Golden Gate Bridge toll (I had expected it from when I visited family there over the holidays). It puzzled me, as I *knew* I’d already paid it, so W/OUT clicking on it, I went to my emails and found that yes, I had already gone to the SF website and paid it. Obviously I just hit delete/report junk and blocked the number.
It’s not just in the US. We’ve been getting these unpaid toll texts here in Canada too.
Yes, my brother-in-law said he has been getting those for the last 6 months.
Okay…so I’m NOT losing my mind! Because for the last 3 months I’ve been STALKED by these texts!🤬