FBI: Smishing Campaign Lures Victims With Unpaid-Toll Notices

The FBI is warning people about widespread SMS phishing (smishing) campaign spreading "state to state" that's luring people with messages informing them that they have unpaid tolls to resolve. The scam is aimed at stealing their credentials and defrauding them.

There also is evidence that that the campaign — which has been reported by people in three states so far, according to a public service announcement by the FBI Internet Crime Complaint Center (IC3)—affected other parts of the world before it reached US shores.

The campaign, active in the US since at least early March and reported by more than 2,000 people, sends users a text message that appears to come from the road-toll collection service of their specific states, claiming they owe money for unpaid highway tolls.

"We've noticed an outstanding toll amount of $12.51 on your record," the text of one such message reads. "To avoid a late fee of $50.00, visit https://myturnpiketollservices.com to settle your balance."

Old Social Engineering Trick Remains Effective

While smishing scams are by no means new, they continue to be used by attackers because they still have the potential to fool users into giving up the valuable credentials that allow for cybercriminals to profit. The FBI's warning alone is a sign that the unpaid-toll campaign is likely to escalate, and is worrying enough to warrant vigilance from potential victims.

The texts "contain almost identical language" and use similar amounts for so-called outstanding tolls. What changes from state to state is that the malicious link provided within the text is created to impersonate the state's toll service name, "and phone numbers appear to change between states," according to the IC3.

The link takes users to what looks very much like the toll services' legitimate websites, asking them to enter information on the pretense of paying the toll. Instead the attackers collect the victim's payment credentials and other sensitive data that potentially could be shared with other cybercriminals and/or used in future social engineering attacks.

Toll Scam Spreads Across US

The FBI didn't specify which states are currently being affected by the wave of toll-related attacks, but a quick perusal of social-media platform X, formerly Twitter, found evidence that the scam has at least affected users in Pennsylvania.

The Pennsylvania Turnpike (@PA_Turnpike), the toll road, and related services that spans the state, posted a warning on social platform X to let users know about the campaign, and encouraged them to report any scam messages to the IC3.

"Some customers have received phishing-attempt text messages claiming to be from the PA Turnpike’s toll services," according to the post. "If you receive such a text, providing you with a link to pay an outstanding toll, do not click on the link, and delete the text."

The scam may be related to a similar one that previously swept across Australia, as people in states in both the eastern and western parts of the country in 2022 and 2023, respectively, also reported on X that they received driving toll-related smishing messages.

Back in August 2022, X user Anthony Campisini posted about a toll scam associated with City Link, a toll freeway service in the southeastern Aussie city of Melbourne, that also tried to lure users in the region with a message about unpaid tolls. Less than a year later, another X user in the state of Western Australia (WA) observed in March 2023 that he had been receiving "a lot of scam" SMS messages informing him that he owes money on road tolls.

"How do I know they are scams?" the user, @EMacskasy, who goes by the X name of "Evan Stop the Killing," posted. "Over here in WA = we do not have tolls on our roads."

Stay Vigilant

EMacskasy's observation is a good example of how people being targeted by the scam can avoid being compromised by it — by taking a moment to rationalize if it's even possible that they owe money on tolls before having a knee-jerk reaction and immediately engaging with the message.

The IC3 is advising people to file a complaint with the IC3 on the agency's website if they receive one of the messages and include the following information: the phone number from where the text originated and the website listed within the text.

People also should check any toll-service account that they have by going separately and directly to the service's legitimate website, to ensure that their accounts are in order, and/or contact the legitimate service's customer service phone number to check the account and let them know of the scam. As previously mentioned, people also should delete the texts.

In case someone has already engaged with the link or given information, they should make an effort to secure their personal information and financial accounts, and dispute any unfamiliar charges that may show evidence of cybercriminal activity.