Road Tolls Scams Rise on FBI's Radar; Public Warned Against Smishing
By Cam Sivesind
Tue | Mar 18, 2025 | 9:48 AM PDT

In recent months, a sophisticated scam has emerged, targeting drivers across the United States with fraudulent text messages about unpaid road tolls. These "smishing" scams—phishing attempts conducted via SMS—aim to deceive recipients into divulging personal and financial information. The FBI, along with state authorities and cybersecurity experts, has issued warnings to the public to remain vigilant against these deceptive tactics.

At the March 12-13 SecureWorld Boston cybersecurity conference, several speakers brought up the road toll scams as examples where clients or family members were targeted—and some taken—by the scams.

Victims receive text messages purportedly from legitimate toll agencies, claiming they have outstanding toll balances that require immediate payment to avoid penalties such as late fees or suspension of driving privileges. These messages often contain links to fake websites designed to collect sensitive information, including credit card numbers and personal identification details. Cybersecurity firm Palo Alto Networks reported that a threat actor has registered more than 10,000 domains to impersonate toll services and package delivery services in at least 10 U.S. states and the Canadian province of Ontario. 

"Smishing scams like these follow a predictable yet highly effective, nefarious behavioral blueprint—leveraging urgency, impersonation, and fear to manipulate victims into compliance. By analyzing an attacker's modus operandi through the lens of behavioral profiling and behavioral economics, we see how they exploit cognitive biases like loss aversion—the tendency to fear losing something more than valuing potential gains," said Cameron H. Malin, Cyber Behavioral Profiler at Modus Cyberandi (and retired FBI Behavioral Profiler). "These scams are designed to trigger impulsive decision-making, making victims more likely to comply under the pressure of perceived financial, administrative, or legal consequences—a tactic known as 'loss framing.'"

Malin, who keynoted at SecureWorld Boston last week on "Behavioral Threat Intelligence: Profiling Cyber Attackers," added: "Further, impersonating an official agency is meant to invoke the authority heuristic—complying with the instructions of what appears to be a trusted and credible source. Identifying and understanding these persuasion and deception tactics is key to thwarting these schemes."

While specific perpetrators have not been publicly identified, the scale and coordination of these scams suggest involvement of organized cybercriminal groups. Some reports indicate that Chinese smishing groups are selling SMS phishing kits, enabling scammers to efficiently spoof toll operators and target users in multiple states, including Massachusetts, Florida, and Texas. 

"The rise of these sophisticated road toll scams is catching many people off guard, highlighting the evolving nature of cybercrime. What we're seeing is a well-organized and potentially lucrative operation, with thousands of impersonating domains registered across multiple states," said Gene Kingsley, Special VP, Board of Directors, InfraGard National Members Alliance; Chairman, American Security and Resilience Foundation. "This level of sophistication underscores why public education is our first line of defense. By raising awareness about these tactics, we can empower individuals to recognize and report suspicious messages, making it harder for cybercriminals to succeed. It's crucial for everyone to remain skeptical of unsolicited messages, especially those creating a sense of urgency around financial matters, and to verify any unexpected payment requests through official channels."

The FBI has issued several guidelines to help individuals protect themselves from these scams:

  • Do not engage: Avoid responding to unsolicited text messages, especially those requesting personal or financial information.

  • Avoid clicking links: Refrain from clicking on links in unexpected texts, as they may lead to malicious websites designed to steal your information.

  • Verify claims: If you receive a suspicious message about unpaid tolls, contact the toll agency directly using official contact information to verify the claim.

  • Report the scam: File a complaint with the FBI's Internet Crime Complaint Center (IC3) at www.ic3.gov and include details such as the originating phone number and the website link provided in the text.

  • Delete suspicious messages: After reporting, delete any smishing texts received to prevent accidental interaction.

Cybersecurity professionals further emphasize the importance of public awareness and proactive measures:

  • Education: Informing the public about the nature of smishing scams is crucial. Understanding that legitimate toll agencies typically do not request payments via text can help individuals recognize and avoid scams.

  • Technological defenses: Utilizing mobile security solutions that can detect and block potential phishing attempts adds an additional layer of protection.

  • Reporting mechanisms: Encouraging victims to report smishing attempts aids in tracking and mitigating the spread of such scams.

State and federal authorities have been proactive in addressing the issue:

  • Public warnings: Officials, including Louisiana Attorney General Liz Murrill and Vermont Attorney General Charity Clark, have publicly highlighted the issue, cautioning residents about the surge in scam road toll collection texts. 

  • Law enforcement collaboration: Agencies are working together to investigate the sources of these scams and develop strategies to protect consumers.

  • Resource provision: Authorities are providing resources and guidelines to help individuals identify and avoid falling victim to these scams.

We asked some vendor experts for their take on the scam, its tactics, and smishing in general.

J Stephen Kowski, Field CTO at SlashNext Email Security+, said:

"These toll scam texts have been circulating widely since late 2023/early 2024, rapidly evolving from isolated tests to a full-scale campaign that's now likely part of phishing kits used by multiple threat actors. The sheer volume—with over 10,000 registered fake domains impersonating toll services across at least 10 states—shows how sophisticated and widespread this threat has become. Real-time threat detection that can identify and block these malicious links before users interact with them is essential, especially since these messages are designed to create urgency and bypass traditional security measures. The best defense combines advanced AI-powered protection that works across messaging platforms with basic security practices like verifying claims directly with toll authorities through official channels rather than responding to unexpected texts."

Darren Guccione, CEO and Co-Founder at Keeper Security, said:

"The rapid evolution of AI-powered threats highlights the urgent need for companies to update their cybersecurity practices. 84% of IT leaders globally recognize that phishing and smishing have become harder to detect due to AI-powered tools. This underscores the importance of comprehensive, ongoing employee training tailored to identifying deepfakes and other AI-driven attacks. Regular simulations and updates on emerging threats are essential to help employees recognize and mitigate these risks effectively."

Mika Aalto, Co-Founder and CEO at Hoxhunt, said:

"We continue to see a significant surge in mobile phishing, or smishing, attacks reported by end-users. This isn't entirely surprising as it's getting easier to bypass filters on mobile; and mobile devices are harder to secure. More and more organizations are recognizing this growing threat and requesting smishing training alongside traditional phishing training.

"Our internal data shows that users are four times more likely to click on malicious emails when using mobile devices compared to desktops. What's even more concerning is that mobile users tend to click on these malicious emails at an even greater rate late at night or very early in the morning, which suggests that people are more vulnerable to attacks on mobile when their defenses are down. Attackers are clearly aware of this and are continually evolving their tactics to exploit these vulnerabilities. Organizations need to strengthen their defenses and train users to recognize these threats, no matter which device they're on.

"Enterprises should adopt a Human Risk Management (HRM) platform to tackle the growing sophistication of mobile phishing attacks. Traditional Security Awareness Training (SAT) models are no longer sufficient to address the complexities of today’s threat landscape. HRM, recognized as its own category by analysts, provides a more outcomes-based approach that goes beyond mere awareness. HRM platforms offer greater visibility into threats bypassing technical filters by leveraging human threat intelligence to enhance incident response. When a new attack is reported by an employee, the HRM platform learns to automatically find future similar attacks. By integrating HRM, organizations can create a more resilient security culture where users become active defenders against mobile phishing attacks/smishing."