White man in gray sweatshirt
Mart Production/Pexels

A sophisticated scam has taken hold across the United States, prompting the FBI to issue an urgent warning over a widespread phishing campaign disguised as toll payment requests. The so-called 'E-ZPass scam' involves fraudulent text messages sent to mobile phone users, claiming they owe money for unpaid tolls. Victims who click the embedded links risk having their personal and financial data stolen.

According to Forbes, the scam is being driven by Chinese cybercrime groups using SMS phishing tactics, or 'smishing'. Messages claim the recipient owes as little as USD 6.99 (GBP 5.50) in outstanding tolls, then direct them to fake websites mimicking legitimate toll services such as E-ZPass. The FBI is now urging recipients to delete these messages immediately and not to interact with the links under any circumstance.

The Anti-Phishing Working Group (APWG) has described the campaign as an 'infrastructural attack' that has blanketed the country. With more than 19 billion spam texts sent in the US during February alone, according to Robokiller, this is no ordinary scam—it is a full-scale digital assault.

The Mechanics Behind the Attack

The fraudsters use sophisticated phishing kits originating from China, which automate both the sending of scam texts and the creation of fake websites. According to CNBC, these kits allow criminals to impersonate toll agencies across multiple states, often using deceptive top-level domains like .TOP, .CYOU and .XIN. The .TOP domain has drawn specific scrutiny, with ICANN issuing a breach notice in July 2024 due to non-compliance with anti-abuse measures.

'They don't care about the seven dollars,' said cybersecurity researcher Aidan Holland. 'They want your credit card number.' The US Federal Trade Commission (FTC) has also warned that even minimal interaction with these scam sites could lead to identity theft.

Why These Texts Are Hard to Block

Despite the scale of the attack, experts warn that preventing it is far more complicated than it seems. SMS and RCS are open protocols, which means scammers can rotate through thousands of phone numbers to bypass spam filters. Even tech giants like Apple and Google are struggling to implement reliable safeguards.

To make matters worse, the texts are increasingly convincing. Some appear to come from familiar senders, due to a tactic called 'sender ID spoofing', where fake texts are inserted into the same conversation thread as legitimate messages. In one recent example, scammers impersonated a 'City Department of Transportation', demanding payment of USD 6.99 (GBP 5.50) and threatening a court summons if the recipient didn't act quickly.

How To Identify the Scam

Norton and other cybersecurity firms have issued guidance to help consumers spot these fraudulent texts. Key red flags include:

  • Urgent or threatening language.
  • Messages from unknown or suspicious numbers.
  • Misspelt domains or unusual URLs.
  • Requests for personal or financial details.
  • Links directing users to unofficial websites.

Victims are advised not to click any links, and instead manually type the legitimate toll agency's website into their browser. Reports can be filed with the FBI at ic3.gov or the APWG at apwg.org/sms.

If you've already clicked a suspicious link or entered personal information, Norton recommends:

  • Contacting your bank or credit card provider immediately.
  • Disputing any unauthorised charges.
  • Replacing affected cards.
  • Changing passwords and enabling two-factor authentication.
  • Reporting the incident to your local toll agency and the FTC.

This Scam Is Part of a Wider Trend

Experts stress that the E-ZPass scam is just one of many smishing campaigns targeting Americans. Fake messages now extend to missed deliveries, unpaid utility bills and even crypto wallet breaches. According to CNBC, international crime rings are often behind these operations, making them incredibly difficult to prosecute.

John Goodwin, assistant director of communications at the Metropolitan Transportation Commission in California, said the toll scam has been evolving since early 2024. 'The scamsters mutate every few weeks with different messages,' he explained. 'The messaging has become more sophisticated and more aggressive.'

J. Michael Skiba, a cybercrime investigator who has worked with Interpol and the FBI, believes the true scale of losses is vastly underreported. 'Many victims are too embarrassed to report it, or they don't think it's worth the trouble,' he said. 'But the financial damage is astronomical.'

Staying One Step Ahead

The FBI's advice is clear: if you receive a suspicious text about unpaid tolls, don't trust it. Visit the toll agency's official website directly, and never share personal information via text. Even if the requested amount is trivial, the consequences could be devastating.

Cybersecurity experts also urge consumers to:

  • Register for an official electronic toll account.
  • Use credit cards instead of debit cards for stronger fraud protection.
  • Turn on scam alerts with mobile carriers and banks.
  • Stay informed by following local consumer protection agencies.

As this wave of text-based scams continues to evolve, vigilance remains the best defence. For now, what appears to be a harmless toll reminder could in fact be the beginning of a serious financial compromise.

Writer's pick