The FBI is warning people about a spreading “state-to-state” SMS phishing (smishing) campaign that lures victims with messages informing them they have unpaid tolls to resolve. The scam aims to steal their credentials and defraud them.
There is also evidence that the campaign, which has so far been reported by people in three states according to a public service announcement by the FBI’s Internet Crime Complaint Center (IC3), hit other parts of the world before reaching US shores.
The campaign, active in the United States since at least early March and reported by more than 2,000 people, sends users a text message that appears to come from their state’s toll collection service, claiming that they owe money for unpaid highway tolls.
“We noticed an outstanding toll amount of $12.51 on your record,” reads the text of one such message. “To avoid a $50.00 late fee, please visit https://myturnpiketollservices.com to pay your balance.”
The old social engineering trick remains effective
While scams of this kind are not new at all, attackers keep using them because they still trick users into giving up valuable credentials that cybercriminals can turn into profit. The FBI warning alone is a sign that the unpaid toll campaign is likely to grow, and it is concerning enough to warrant vigilance on the part of potential victims.
The texts “contain nearly identical language” and use similar amounts for the supposed back tolls. What changes from state to state is that the malicious link in the text is crafted to impersonate the name of that state’s toll service, “and phone numbers appear to change from state to state,” according to IC3.
The link takes users to a page that looks a lot like a legitimate toll service website and asks them to enter information under the guise of paying the toll. Instead, attackers collect victims’ payment credentials and other sensitive data, which could be shared with other cybercriminals and/or used in future social engineering attacks.
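The two traits IC3 describes, near-identical lure text and a per-state lookalike domain, are what a mail or SMS gateway can key on. The script below is an added triage example, not code from the FBI notice or this article. It assumes a hypothetical allowlist of legitimate toll-operator domains (the `example-state-tolls.gov` entry is constructed, as are all sample messages except the one quoted from the campaign above) and flags toll-themed messages whose link points anywhere else.

```python
"""Heuristic triage of SMS text for toll-themed smishing lures (added example)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed allowlist of legitimate toll-operator domains. Constructed for this
# example; in practice populate it from the operator's published domains.
TRUSTED_TOLL_DOMAINS = {"example-state-tolls.gov"}

# Lure vocabulary in the message body, and the same words inside a host name
# (where no word boundaries exist, e.g. "myturnpiketollservices").
TOLL_WORDS = re.compile(r"\b(?:tolls?|turnpike|e-?zpass|fastrak)\b", re.I)
LOOKALIKE = re.compile(r"toll|turnpike|e-?zpass|fastrak", re.I)
AMOUNT = re.compile(r"\$\d{1,4}(?:\.\d{2})?")
URGENCY = re.compile(
    r"\b(?:late fee|avoid|penalt(?:y|ies)|suspend\w*|within \d+ (?:hours?|days?))\b", re.I)
# Full URLs, plus bare "host.tld/path" links, which smishing texts often use.
URL = re.compile(r"https?://[^\s<>\"']+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<>\"']*)?", re.I)


@dataclass
class Verdict:
    suspicious: bool
    domains: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def extract_domains(text):
    """Return the distinct host names linked from the message, in order of appearance."""
    hosts = []
    for raw in URL.findall(text):
        raw = raw.rstrip(".,;:!?)")        # drop sentence punctuation glued to the link
        if "://" not in raw:
            raw = "http://" + raw           # let urlsplit parse a bare domain
        host = (urlsplit(raw).hostname or "").lower().rstrip(".")
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def is_trusted(host):
    """Exact match or subdomain of an allowlisted operator domain."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_TOLL_DOMAINS)


def assess_sms(text):
    domains = extract_domains(text)
    untrusted = [d for d in domains if not is_trusted(d)]
    toll_themed = bool(TOLL_WORDS.search(text))
    lookalikes = [d for d in untrusted if LOOKALIKE.search(d)]
    reasons = []
    if toll_themed and untrusted:
        reasons.append("toll-themed text links to untrusted domain(s): " + ", ".join(untrusted))
    if lookalikes:
        reasons.append("domain name imitates a toll service: " + ", ".join(lookalikes))
    if untrusted and AMOUNT.search(text) and URGENCY.search(text):
        reasons.append("small balance plus late-fee/urgency pressure")
    # A link outside the allowlist is required; vocabulary alone is not enough,
    # because a genuine statement notice also says "toll".
    return Verdict(bool(untrusted) and (toll_themed or bool(lookalikes)), domains, reasons)


# Sample inputs. "pa_lure" is the text quoted in the IC3 notice; the rest are constructed.
SAMPLE_MESSAGES = {
    "pa_lure": ("We noticed an outstanding toll amount of $12.51 on your record. To avoid a "
                "$50.00 late fee, please visit https://myturnpiketollservices.com to pay your balance."),
    "legit": "Your monthly toll statement is ready. Sign in at https://account.example-state-tolls.gov to view it.",
    "parcel": "Your package could not be delivered. Reschedule at http://parcel-update.example/track",
    "bare_link": "Unpaid toll notice: $11.69 is due. Settle now at state-tollpay.example/pay to avoid suspension.",
}

if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        v = assess_sms(msg)
        print(f"{name:10} suspicious={v.suspicious} domains={v.domains}")
        for r in v.reasons:
            print("           -", r)
```

The detector deliberately ignores the parcel message: it is a different lure family, and a toll-specific allowlist says nothing about it. In a real gateway the allowlist would be the operator's published domains and the verdict would feed a quarantine or user warning rather than a print statement.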
Toll scam spreads across the United States
The FBI has not specified which states are currently affected by the wave of toll-related attacks, but a quick look at the social media platform X, formerly Twitter, found evidence that the scam has affected users in at least Pennsylvania.
The Pennsylvania Turnpike (@PA_Turnpike), the toll road and related services that run through the state, posted a notice on the social media platform X to inform users of the campaign and encourage them to report any scam messages to IC3.
“Some customers have received text messages containing phishing attempts claiming to be from PA Turnpike Toll Services,” according to the post. “If you receive such a message providing you with a link to pay an owed toll, do not click on the link and delete the text.”
The scam may be related to a similar one that previously hit Australia: people in both the eastern and western parts of the country reported on X, in 2022 and 2023 respectively, that they had received toll-related smishing messages.
In August 2022, X user Antonio Campisini posted about a toll scam associated with City Link, a tolled highway service in the southeastern Australian city of Melbourne, which also tried to lure users in the region with a message about unpaid tolls. Less than a year later, in March 2023, another user
“How do I know they are scams?” posted the user, @EMacskasy, whose X display name is “Evan Stop the Killing”. “Here in WA = we have no tolls on our roads.”
Stay alert
EMacskasy’s observation is a good example of how people targeted by the scam can avoid being compromised by it: by taking a moment to consider whether they could actually owe money on tolls before reacting reflexively and engaging with the message.
The IC3 advises people who receive one of these messages to file a complaint on the agency’s website, including the phone number from which the text originated and the website listed in the text.
Individuals should also check any toll service accounts they hold by going separately and directly to the legitimate service’s website to ensure their accounts are in order, and/or contact the legitimate service’s customer service phone number to check the account and report the scam. As mentioned above, people should also delete the texts.
Anyone who has already clicked the link or provided information should take steps to secure their personal information and financial accounts, and dispute any unfamiliar charges that may be evidence of cybercriminal activity.