This viral scam is spreading fast across America.
Anadolu Agency via Getty Images
Republished on February 7 with news of further attacks this week and reports into the involvement by Chinese cybercriminals targeting Americans.
Beware — there’s a nasty new threat working its way across America. The FBI warns that “the scam may be moving from state-to-state,” and users need to delete any such texts they have received. To be clear, if it isn’t already in the city where you live, chances are it will be soon and it’s all too easy to be duped. Here’s what you need to know.
If you have received a text warning you owe money for unpaid road tolls, “it’s probably a scam,” the FTC says. “Scammers are pretending to be tolling agencies from coast to coast and sending texts demanding money.” And the consequences are dire. “Not only is the scammer trying to steal your money, but if you click the link, they could get your personal info (like your driver’s license number) — and even steal your identity.”
The scam is stupidly simple, a text pretending to be from the local agency with a dollar amount and a link to pay. This is a phishing attack — or a smishing attack to be more exact, given this is almost always a text rather than an email.
Last month alone, there were media reports from Massachusetts, California, North and South Carolina, Illinois, Colorado, Florida and more. It’s always the same style of text and it’s always a scam. This has become a national level issue. A viral threat.
Toll scam warning
FTC
The FBI says it began receiving reports of the scam in March 2024, with thousands of citizens “reporting smishing texts representing road toll collection services” since then. The texts, the bureau says, “claim the recipient owes money for unpaid tolls and contain almost identical language. The ‘outstanding toll amount’ is similar… However, the link provided within the text is created to impersonate the state’s toll service name, and phone numbers appear to change between states.”
The latest city to warn of the scam is Great Falls, which posted its alert on X on Thursday, telling citizens “This is a SCAM and is not coming from the City of Great Falls. Please do not click the link in the message.”
The FBI’s advice is simple and it will ensure you don’t join the thousands already duped. “Check your account using the toll service’s legitimate website [or] contact the toll service’s customer service phone number.” And then, critically, you should delete any of these texts received. You don’t want these malicious links on your phone.
If you have already fallen victim, “take efforts to secure your personal information and financial accounts [and] dispute any unfamiliar charges.“ This might mean contacting your bank or credit card if you’ve already paid, and if you’ve given address details be wary of any new applications for credit or other services in your name.
According to KnowBe4, “similar scams have been reported in other states, including Florida (targeting SunPass users), Texas (North Texas Toll Authority), California, Colorado, Connecticut, Minnesota, and Washington. These phishing attacks often involve realistic-looking websites that mimic official toll authority sites but only function on mobile devices, making them even more convincing to unsuspecting users.”
The likely culprit is thought to be gangs using “updated commercial phishing kits developed by Chinese cybercriminal groups. These kits now include templates designed specifically to impersonate toll operators in multiple states.” Beyond tolls, these criminal gangs “have used similar tactics to impersonate shipping companies, tax agencies, and immigration services, often targeting individuals new to a country or in vulnerable positions. The ultimate goal is to steal payment card details, add them to mobile wallets, and make fraudulent purchases or launder money through shell companies.”
This joins the scourge of other viral scams targeting citizens. To these toll smishing attacks, you can add phantom hacker banking attacks, fraudulent support calls and even make-believe police officers demanding payments to avoid arrest.
Text scams in particular are surging. The example this week of a woman in Florida falling victim to a scammer who “knew her name and convinced her that her phone had been hacked, [who then] instructed her to withdraw thousands of dollars from her bank and deposit it into a secure cryptocurrency account to protect her funds,” is common. And it’s not just the U.S., this is a global problem. Yesterday, an energy company in Europe warned 1 million customers to delete fake SMS messages from the company.
The advice is always simple. Don’t take unsolicited calls from banks or tech support. Never agree to install software or move money. Don’t pay cold calling cops asking for cash. And never click on toll links that turn up unexpectedly in text messages. Stick to these basics and you’ll kill any attempts to scam you right at the start.
