A recent scam has come to light targeting residents across the US with text messages that fake to be from toll road operators. For a lot of who receive these messages, it’s a simple and expensive trap to fall into.
The scam begins when people receive a message claiming they’ve unpaid tolls and should be charged fines. Scammers then ask for card details and a one-time password sent via SMS to steal their money. Security researchers consider that Chinese smishing groups are behind this scam, selling SMS-based phishing kits to 1000’s of scammers.
What it’s good to know concerning the fake toll scam
As reported by KrebsOnSecurity, the scam begins with a text message claiming to be from a toll road operator, reminiscent of E-ZPass or SunPass. The message warns about unpaid tolls and the potential for fines, forcing recipients to act quickly. Victims are directed to a fake website mimicking the toll operator’s site, where they’re asked to supply sensitive information, including payment card details and one-time passwords.
Security researchers have traced the scam to Chinese smishing groups known for creating and selling sophisticated SMS phishing kits. One such kit, “Lighthouse,” makes it easy for scammers to spoof toll road operators in multiple states. These kits are designed to trick users into sharing financial information, which is then used to commit fraud.
Reports of those phishing attacks have surfaced across the U.S., targeting users of toll systems like EZDriveMA in Massachusetts, SunPass in Florida and the North Texas Toll Authority in Texas. Similar scams have been reported in states including California, Colorado, Connecticut, Minnesota and Washington. The phishing pages are mobile-optimized and won’t load on non-mobile devices, making them much more deceptive.
Phishing scams are evolving
Recent advancements in phishing kits include higher deliverability through integration with Apple iMessage and Android’s RCS technology, bypassing traditional SMS spam filters. These methods increase the likelihood of victims receiving and interesting with fraudulent messages. The phishing sites are operated dynamically in real time by criminals, making them harder to detect and shut down. Even individuals who don’t own a vehicle have reported receiving these messages, indicating random targeting.
7 ways to remain secure from toll scam messages
By staying vigilant and following the steps below, you may protect yourself from falling victim to toll scams.
- Confirm directly with toll operators: In case you receive a message about unpaid tolls or fines, don’t click on any links. As a substitute, visit the official website of your toll operator or contact their customer support on to confirm the claim.
- Install strong antivirus software: One of the best solution to safeguard yourself from malicious links is to have strong antivirus software installed on all of your devices. This protection also can provide you with a warning to phishing emails and ransomware scams, keeping your personal information and digital assets secure. Get my picks for the most effective 2025 antivirus protection winners on your Windows, Mac, Android and iOS devices.
- Don’t share personal information: Never provide sensitive details like payment card information, Social Security numbers or one-time passwords via text or unverified web sites. Legitimate toll operators is not going to request such information through SMS.
- Enable two-factor authentication (2FA): Use 2FA on your accounts each time possible. This adds an additional layer of protection by requiring two types of verification, reducing the danger of unauthorized access even when some details are compromised.
- Be wary of urgency in messages: Scammers often create a way of urgency, claiming immediate motion is required to avoid penalties. Take a moment to evaluate the situation and confirm the legitimacy of the message through official channels.
- Report suspicious messages: In case you suspect a phishing attempt, report it to the Federal Trade Commission or the FBI’s Web Crime Grievance Center. Include details just like the sender’s phone number and any links within the message. Moreover, inform your mobile carrier to assist block similar scams.
- Use a private data removal service: Employ a good data removal service to scale back your online footprint and minimize the danger of scammers obtaining your personal information. These services might help remove your data from various data broker sites, making it harder for scammers to focus on you with personalized scams. While no service guarantees to remove all of your data from the web, having a removal service is great if you must continually monitor and automate the means of removing your information from a whole lot of websites repeatedly over an extended time period. Take a look at my top picks for data removal services here.
