Tolling agencies throughout the United States are battling an escalating cybersecurity threat that is causing deceptive text message scams, which are often called smishing, to escalate. As a result of these fraudulent campaigns, unsuspecting motorists are lured into clicking harmful links and sending unauthorized payments by impersonating legitimate toll payment notification emails.
The main issue is that the tolling infrastructure does not contain system intrusions or data breaches, contrary to common misconceptions. As a result, bad actors are exploiting widely recognized tolling practices as a means of deceiving individuals into engaging with malicious content, which is in direct contravention of public trust.
A critical line of defense against these fraudulent activities, which toll operators are strengthening their collaboration with cybersecurity experts and law enforcement agencies, remains public awareness. Communication professionals within these organizations play a crucial role in proactively informing and educating their consumers regarding these fraudulent activities.
It is imperative that outreach and messaging are clear and consistent so that individuals can recognize legitimate correspondence and avoid falling victim to sophisticated digital deception.
To combat this growing threat, we need not only technological measures but also a comprehensive communication strategy centred on transparency, vigilance and trust. As part of the increasing prevalence of digital fraud, deceptive text messages alleging that toll charges have not been paid are becoming increasingly prevalent.
There is a tactic in practice known as "smishing," a combination of short message service (SMS) and email fraud, which involves the use of text messaging platforms to deceive users into disclosing sensitive personal or financial information, or unintentionally install malicious software, which is referred to as smishing. While this fraudulent premise may seem straightforward, the impact it has is tremendous.
As well as suffering direct financial losses, victims may also compromise the security of their devices, allowing them to be vulnerable to identity theft and data breaches.
A Chinese cybercrime syndicate known as Smishing is responsible for an increase in toll-related scams, a trend which is associated with a marked increase in smishing attacks.
A group called Triath has begun launching highly coordinated fraud campaigns that target consumers in the United States and the United Kingdom, with indications that the fraud might expand globally in the coming months. The deceptive messages are often misconstrued as legitimate toll service notifications, citing recognizable platforms such as FasTrak, E-ZPass, and I-Pass as a means of convincing the reader that the message is legitimate.
There is a strong correlation between these operations and the group's previous international fraud patterns, which suggests that the group is seeking to exploit tolling systems across various regions as a larger strategic initiative. By exploiting an E-ZPass account credential harvesting scheme, cybercriminals are targeting an increasing number of E-ZPass users across multiple states. Scammers are sending fraudulent text messages posing as official tolling authorities to alert victims to the fact that there is an outstanding toll balance on their accounts.
It is common for these messages to contain false claims that the account has expired or is delinquent, prompting the user to make an urgent payment to avoid penalties. As for the requests, typically they range between $3.95 and $12.55 — sums that are low enough to avoid raising suspicions, but high enough to be exploited at scale.
By utilizing a minimal financial impact, it is more likely that the recipient will comply since such minor charges may not be scrutinized by the recipient.
When an attacker entices their users to click embedded links, they redirect them to counterfeit portals that steal sensitive information like logins or payment information, which in turn compromises the users' data under the guise of a routine toll notification, which can then compromise their personal information.
The most insidious part of these campaigns is the sophisticated spoofing of Sender IDs, which makes it seem as if the messages are from official sources, making them seem particularly dangerous.
There are various instant messaging platforms available today that offer relatively limited spam protection, compared to email-based phishing, which is increasingly mitigated by advanced filtering technologies. These platforms, such as SMS, iMessage, and similar services, offer comparatively limited spam protection, compared to email-based phishing.
The perception of urgency embedded in the communication often provokes immediate action as well, since they are highly trusted by their users.
Those scams that combine technical evasion with psychological manipulation are highly effective, outperforming the effectiveness of traditional phishing vectors such as email and search engine manipulation in terms of success rates.
With the widespread adoption of cashless tolling systems and the increasing use of mobile devices for routine transactions, there is a ripe environment for the exploitation of these devices.
These evolving digital habits are exploited by fraudsters by impersonating legitimate agencies and utilizing the appearance of urgency to induce immediate action, often uncritical, from the target group.
According to the Federal Bureau of Investigation's Internet Crime Complaint Center, over 60,000 reports involving such scams were received during 2024, indicating the alarming nature of the problem.
There is a trend among text-based fraud that includes toll-related schemes, but it is also a common occurrence.
Text-based fraud can be based on overdue phone bills, shipping notifications, or even fake cybersecurity alerts. Attacks like these are often carried out by increasingly organized international criminal networks by using automated systems able to target thousands of individuals at the same time.
The federal and state governments, along with the transportation agencies, have responded to the situation by issuing public advisories to raise awareness and encourage vigilance. Although specific actors have not yet been officially identified, it has become increasingly apparent that cybercrime syndicates are engaged in these toll-related smishing campaigns due to their scope and precision.
Recent developments in emerging intelligence have revealed several important developments, including:
In a recent report, it has been reported that criminal groups based in China are selling ready-made pre-compiled phishing kits, making it easier for fraudsters to impersonate toll agencies with the highest degree of accuracy and with the least amount of technical knowledge.
The attackers registered thousands of fake domain names that appear to be legitimate toll websites and made them appear as if they were legitimate toll websites from multiple states, including Massachusetts, Florida, and Texas.
Fraudsters are actively exploiting the names of well-known toll systems to mislead the public into believing that they are dealing with a genuine problem and coerce them into clicking malicious links or disclosing personal information.
“The rise of these sophisticated road toll scams is catching many people off guard, highlighting the evolving nature of cybercrime. What we're seeing is a well-organized and potentially lucrative operation,”
— Gene Kingsley, Special VP, Board of Directors, InfraGard National Members Alliance; Chairman, American Security and Resilience Foundation
A more effective way of deterring crime is to raise public awareness about it through the following methods:
This level of sophistication emphasizes the pivotal role public education plays as the first line of defence against such threats. The aim is to raise individuals' awareness about these types of tactics, to enable them to recognize and report suspicious messages.
As a precautionary measure against the potential risks, the Federal Bureau of Investigation (FBI) recommends the following protective measures:
Do not respond to unsolicited text messages seeking personal and financial information.
Do not click on links that appear in unexpected messages, as these may lead to fake websites that are designed to steal users' personal information. The toll agency can be contacted directly through official channels to verify the message.
The FBI Internet Crime Complaint Center can be contacted at www.ic3.gov, where users can report fraud along with the sender's name and suspicious links. Once they report the scam, delete any fraudulent messages to prevent unintentional interaction with the sender.
To disrupt these fraudulent operations and protect their digital identity, consumers must follow these steps and remain sceptical when it comes to unsolicited communications.
