It hasn’t died off yet. Like the Terminator, the toll payment text phishing scam has risen again in a massive wave, with some potential victims receiving as many as seven texts in a day.
The ongoing phishing campaign has been impersonating E-ZPass, The Toll Roads, FasTrak, TX Tags and Florida Turnpike among other toll agencies with the goal of stealing personal information and credit card details from unsuspecting drivers.
If you somehow haven’t heard about it yet or have somehow escaped receiving one of these messages, here’s the gist: A toll agency sends you an iMessage or SMS, with urgent language, indicating that you have an unpaid tolls or fees due. The language often includes a threat or consequence that will occur if the amount goes unpaid – for example, saying your driving privileges may be affected or suspended, you may incur additional fees or charges or that there may be legal repercussions.
While Apple’s iMessages will automatically turn off links from unknown sources specifically in order to keep users safe from SMS phishing attacks, many of the texts sent to Apple users will attempt a workaround by first asking users to reply to the text in order to “make a payment link clickable.” Whether the message initially includes a link, or requires interaction to send one, any link sent by these toll road scammers will lead to an E-ZPass (or toll agency) phishing site.
Aside from the URL, these phishing sites doe admittedly look very much like a legitimate toll agency payment site. However, Bleeping Computer found that this site only opens on mobile devices, and not on desktop browsers. And as a phishing site, it exists simply to scrap and steal your name, email address, physical address and credit card information.
This is by no means a new scam with the FBI reports about such malicious behavior going back to April 2024, however, the recent surge may indicate that it's sticking around because it's working.
It also may be linked to the rise in popularity of platforms like Lucid, which Bleeping Computer points out is a phishing-as-a-service style platform that has been linked to these types of large, automated levels of attacks. Another platform, Darcula, also uses encrypted iMessage and RCS messaging in large bulk volumes and is able to bypass anti-spam filters. The combination of random email addresses being used as the sender and the large scale of texts make this latest round appear to be an automated attack.
How to stay safe
We cannot be more clear here: do not respond to these texts. Never, ever click on links from unknown sources. If you use a toll service and receive a text of this nature, ignore it entirely. Go to the company’s website directly and log in to your account independently and verify your balance without ever interacting with this text.
Additionally, if you receive these types of iMessages, block and report the number so it can be reported to Apple. You can also report the number or file a complaints at the IC3 portal.
As always, follow the usual rules to protect against phishing: be wary of anything that claims it needs to be paid urgently, uses threats or consequences, or comes from an unknown source. Know which toll agencies are local to you, what their websites are and how they usually ask for payment.
For an additional layer of protection, some of the best antivirus programs include features that can also cover your mobile devices, so make sure you’ve checked out your antivirus suite for additional security features and licenses. Likewise, the best identity theft protection can help you recover your identity as well as any funds lost to fraud after an incident like this one.
More from Tom's Guide
- I put Trend Micro and McAfee antivirus in a head to head showdown – here’s how it went
- Stop everything and update your iPhones, iPads and Macs — Apple issues critical fix for zero-day exploits
- Fake Zoom installer tries to trick users into installing dangerous ransomware – here’s how to stay safe
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
