A widespread SMS scam is targeting thousands of smartphone users in the US. Fraudsters are sending bogus texts demanding payment for unpaid road tolls. Their goal isn’t just to swindle innocent recipients out of their money, but also their personal and financial information.

Reports of the smishing scam first surfaced last year. In April 2024, the FBI’s Internet Crime Complaint Center (IC3) issued a notice about fake toll service text messages, after receiving more than 2,000 complaints from US citizens.

Since then, the scale of the scheme appears to have grown. Cities in several US states have now issued warnings, including Boston, Denver and San Francisco. McAfee has also highlighted cities most affected by the scheme: the top three are Dallas, Atlanta and Los Angeles.

How the smishing scam works

Based on screenshots we’ve seen, text messages in the toll scam all appear to follow a similar structure. Each SMS claims to be from a legitimate toll service and states that there is an unpaid fee. It then instructs the recipient to pay the outstanding toll within a set time period to avoid late fees and a referral to the DMV. A URL is then provided, which directs uses to a bogus payment page.

This page is designed to look convincingly like a legitimate toll service payment website. It will often feature a logo, business name and street address. It will also state the supposed time and date of the unpaid fee.

A threat actor leveraging the same naming pattern has registered 10K+ domains for various #smishing scams. They pose as toll services for US states and package delivery services. Root domain names start with "com-" as a way to trick victims. More info at https://t.co/drBEuvGoJj pic.twitter.com/7CBkvwYWxoMarch 7, 2025

If you click the payment link, the website will then ask for payment information. Sometimes it will also request sensitive personal information, such as your driving license number. If you submit this information, you’re actually giving it to the fraudsters, exposing yourself to identity theft.

The scam uses the same tactics as most phishing scams, creating a sense of urgency by demanding payment within a short time period. The threat of legal action increases the likelihood of an emotional reaction, which could cause users to overlook inconsistencies in the original SMS or linked payment page.

Reports also suggest that there are variations of the scam. In some instances, it appears that cybercriminals have varied the contents of the SMS and payment page to target users in specific states. One screenshot we’ve seen claims to be from the City of New York. For some recipients, this could make the message more believable than a generic alert.

Recent intelligence from Palo Alto Networks’ Unit 42 reports that scammers have registered more than 10,000 domain names. Each of these is designed to be ambiguous enough that a casual glance might not reveal the deceit. Not only do the new domains suggest that the scam is still ongoing, but certain URLs indicate that it could be expanding to include fake messages from delivery companies – an increasingly common tactic.

Here are a few of the domains listed in the notice:

dhl.com-new[.]xin

driveks.com-jds[.]xin

ezdrive.com-2h98[.]xin

ezdrivema.com-citations-etc[.]xin

ezdrivema.com-securetta[.]xin

e-zpassiag.com-courtfees[.]xin

e-zpassny.com-ticketd[.]xin

fedex.com-fedexl[.]xin

getipass.com-tickeuz[.]xin

sunpass.com-ticketap[.]xin

thetollroads.com-fastrakeu[.]xin

usps.com-tracking-helpsomg[.]xin

How to stay safe

As with any smishing or phishing scam, the best way to stay safe is to practice caution. If you receive an unexpected SMS about unpaid toll fees, there’s a good chance it’s a scam. Pause before you act on any information in the message and don’t click on any links.

Pay attention to details in the message. Scam texts will often feature grammatical errors or formatting inconsistencies, such as the placement of punctation. A closer look at the URL will often reveal that it’s illegitimate, too.

If in doubt, contact the genuine toll service in question. Never click the link in the SMS. Instead, find the service’s real website or contact number using a trusted search engine and reach out for clarification.

The scam is now so extensive that the US Federal Trade Commission has issued advice to the same effect, as has the FBI. If you do discover a bogus or suspicious SMS, the instructions of both agencies are the same: report and delete the messages. You can do this on the IC3 website.