There’s been an astonishing 604% surge in scam texts purporting to be “toll fees” this year, and millions of consumers who use electronic payment services are at risk, a new cybersecurity report says.
Most of the companies included in Guardio’s Q1 Phishing Report's top ten most impersonated brands are well known. The cyber crooks have targeted the likes of Steam, Microsoft, Facebook, WeTransfer, and Netflix.
But scammers have been shifting gears to reach more victims, Guardio, a company providing cybersecurity solutions, says. That’s reflected in the fact that three electronic toll collection websites – SunPass, E-ZPass, and EZDrive Massachusetts – have also joined the top 10.
Scammers are sending fraudulent texts about unpaid toll fees, luring victims to fake websites designed to steal sensitive information, such as usernames, passwords, and credit card numbers.
Guardio’s report saw a 98% spike in such scam texts in March 2025 alone. These highly convincing texts are called smishing messages and have already reached millions of consumers who use electronic toll collection systems.
The text typically claims that a driver has an unpaid toll and that they should settle their bill using the provided link before late fees are applied. In other words, the cybercriminals are playing to a victim’s psyche.
“These scams are particularly dangerous as they exploit the urgency of unpaid tolls, tricking victims into entering payment details on fraudulent sites without thinking twice,” says Guardio.
The company’s advice for consumers is to always verify toll notices through official channels and avoid clicking on unknown links. Officials in Massachusetts recently emphasized that they would never send a bill or any information through a text message.
The scheme has proven to be successful because it collects cash in small amounts and plays on the presumption that some people might not have been aware that they had passed through a toll.
Experts say that the scam usually targets people with phone numbers near tolling authorities. According to Resecurity, another cybersecurity firm, the operation is also active across the United Kingdom.
"One way for individuals to protect themselves from these types of scams is to independently verify any links before clicking on them, especially those claiming to be from financial institutions or government entities. A quick online search can often reveal that the URL doesn’t actually belong to the organization it's impersonating," said Max Gannon, Intelligence Manager at Cofense.
"Another easy indicator or red flag to watch for is whether the message was part of a group text or sent to other people. The last two versions of this scam I received on my personal phone were also sent to other people, making it crystal clear that this message was malicious."
Resecurity researchers also identified the operation as the work of “Smishing Triad,” a China-based threat actor group that has previously conducted similar campaigns against banking institutions and e-commerce platforms.
The technical underpinnings of this campaign leverage underground bulk SMS services that allow for mass-scale message delivery with customized sender identification. Many of the identified domain names are registered in the “.xin” top-level domain, managed out of Hong Kong.
Your email address will not be published. Required fields are markedmarked