E-ZPass toll

On Friday, the Federal Bureau of Investigation warned of a massive ongoing wave of SMS phishing attacks targeting Americans with lures regarding unpaid road toll fees.

These attacks started last month, and the federal law enforcement agency says thousands of people have already reported that the scammers have targeted them.

"Since early-March 2024, the FBI Internet Crime Complaint Center (IC3) has received over 2,000 complaints reporting smishing texts representing road toll collection service from at least three states," the FBI explained in a public service announcement published today.

While the mobile phishing campaign has yet to reach some U.S. regions, this can be explained by the fact that complaint information collected so far by IC3 indicates the scam may be moving from state to state.

The FBI says the malicious text messages claim the recipient owes money for unpaid tolls and contain almost identical language.

For instance, all reports mention the attackers using "outstanding toll amount" to trick the targets into clicking an embedded hyperlink.

"However, the link provided within the text is created to impersonate the state's toll service name, and phone numbers appear to change between states," the FBI explains.

Road toll debt SMS phishing message
Road toll debt SMS phishing message (Pennsylvania State Police)

​Pennsylvania Turnpike, one of the road toll services whose customers were targeted in these attacks, cautioned those receiving the phishing messages not to tap the links.

"Some customers have received phishing-attempt text messages claiming to be from the PA Turnpike's toll services. If you receive such a text, providing you with a link to pay an outstanding toll, do not click on the link, and delete the text," the service said on Monday.

"BE AWARE: We have received multiple concerns regarding the attached scam text message in our area. This link will send you to a fake Turnpike website and collect your information!" the Pennsylvania State Police also warned.

While the FBI did not mention E-ZPass in today's PSA (a toll collection system used across Eastern, Midwestern, and Southern United States), BleepingComputer is aware that the threat actors have also been targeting E-ZPass customers since March.

The FBI asked those who receive one of these SMS phishing messages to:

  1. File a complaint with the IC3 at www.ic3.gov and include the scammer's phone number and the website listed within the text.
  2. Check their account using the toll service's legitimate website.
  3. Contact the toll service's customer service phone number.
  4. Delete any smishing texts received.
  5. If they click any link or provide your information, make efforts to secure your personal information and financial accounts. They should also ensure that all unfamiliar charges are disputed immediately.

Related Articles:

CISA urges software devs to weed out SQL injection vulnerabilities

US govt shares cyberattack defense tips for water utilities

CISA cautions against using hacked Ivanti VPN gateways even after factory resets

FBI, CISA warn US hospitals of targeted BlackCat ransomware attacks

Russian hackers shift to cloud attacks, US and allies warn