Embed from Getty Images
Over the past few months, I’ve gotten at least four texts alerting me that I have unpaid E-ZPass tolls and I need to click on a provided link in order to go pay them or risk “penalties or legal action.” Now, the senders, phone numbers they’re sent from, and links themselves are very clearly spam, so I’ve ignored them every time. It’s still super annoying because blocking the contact doesn’t stop it from happening.
This particular scam is now so widespread that the FBI just issued a public service announcement about it. They’re called “smishing” scams. Essentially, it’s your classic email phishing scam, but done via text or SMS messages (hence the ‘smishing’ portmanteau). Their PSA includes common language used, tricks to look out for to determine it’s a scheme, and what to do if you get such a text.
The FBI has issued a public service announcement after widespread reports of “smishing” texts that scam cell phone users into believing they have unpaid road tolls.
The FBI defines “smishing” as “a social engineering attack using fake text messages to trick people into downloading malware, sharing sensitive information, or sending money to cybercriminals.” The term is a combination of SMS (short message service) and phishing.
This month marks one year since the FBI Internet Crime Complaint Center (IC3) began seeing an increase in “smishing” complaints about texts claiming to represent road toll collection services from at least three states, the FBI wrote in the PSA. In the last year, the IC3 reports they’ve received over 2,000 complaints. The road toll collection scam texts claim the recipient carries an “outstanding toll amount” that must be paid immediately to avoid increased charges, the IC3 writes. The link provided in the text message mimics a state’s toll service name and tricks recipients into clicking on it.
An example of the text recipients receive reads: “(State Toll Service Name): We’ve noticed an outstanding toll amount of $12.51 on your record. To avoid a late fee of $50.00, visit https://myturnpiketollservices.com to settle your balance.”
Palo Alto Networks’ Unit 42 explains the scammer’s new campaign “entices users to reveal personal and/or financial information, including credit or debit card and account information.”
The Federal Trade Commission (FTC) warns users who receive a text regarding an unpaid toll that “it’s probably a scam” and these scammers are working “coast to coast.”
“Not only is the scammer trying to steal your money, but if you click the link, they could get your personal info and even steal your identity,” the FTC warns.
The text messages follow a similar format relying on urgency within the message, claiming recipients will accrue even higher costs if they don’t pay right away. Scammers craft a new domain that provides a link to the payment site, Forbes reported.
While Apple iMessage provides a layer of protection from scammers by disabling links from unknown senders, scammers found a way to bypass this by asking users to reply with “Y” and reopen the message. This action by users enables links to be received from “smishing” texts, according to Unit 42.
A trick for users to check whether or not the link is legit is by looking at the domain name that usually includes the Chinese .XIN TLD, Unit 42 advises. This is a toolkit built by Chinese cybercrime groups, Forbes reports. Examples of domains to keep an eye out for include:
dhl.com-new[.]xin
driveks.com-jds[.]xin
ezdrive.com-2h98[.]xin
ezdrivema.com-citations-etc[.]xin
ezdrivema.com-securetta[.]xin
e-zpassiag.com-courtfees[.]xin
e-zpassny.com-ticketd[.]xin
fedex.com-fedexl[.]xin
getipass.com-tickeuz[.]xin
sunpass.com-ticketap[.]xin
thetollroads.com-fastrakeu[.]xin
usps.com-tracking-helpsomg[.]xin
The IC3 advises recipients of these “smishing” scam messages to take action by first filing a complaint with them which includes reporting the phone number from the road toll collection service impersonator as well as the website linked in the message.
The FBI recommends “smishing” scam recipients to delete all questionable messages they receive. And if recipients happen to click on any links sent or provide their personal information, they should take immediate action to secure personal information, especially financial accounts.
Like I said before, I’ve gotten a variation of this text scam at least four times between February 12 and March 13. I had them on my phone still because I just ignored them, but I did delete them all after I read that recommendation to do so. I use E-ZPass somewhat regularly and do get text notifications from them. So, although I was 98% sure it was a scam the first time, I still had to stop and re-examine it closer before being certain. I can see how someone who is not as technologically savvy would fall for something like this. If you ever get a text from a stranger asking you to click on a link to pay for something, don’t do it!
There are other, even scarier scams out there, where people will spoof a certain phone number and pretend that your loved one is in trouble or that you have an outstanding warrant for missing jury duty or something. I know a few people who have gotten both of these types of calls. Even though none of them have fallen for it, they were still really, really shaken by the blatant emotional manipulation and scare tactics. The common thread with all three of their scam calls was the ask to deliver $10,000 in cash to a drop-off point, despite the calls being from the “police.” Taking advantage of people in these ways is so gross. I hope they catch whoever is behind these operations and put them in jail.