Update: Republished on April 17 with a new government report showing a 500% increase in text-based attacks and further analysis on this soaring threat.
iPhone and Android users across the U.S. and elsewhere are now under attack from organized networks of Chinese criminals. These attacks come at you by text, and while they may seem trivial — a few dollars for an undelivered package or unpaid toll, they will steal your credit card details, your passwords and even your identity.
New research into one such gang — Smishing Triad — warns that there has been a “massive fraud campaign expansion” since the beginning of 2025, using more than 60,000 different web domains, “making it difficult for platforms like Apple and Android to block fraudulent activity effectively.” This is why you will have seen so many news articles on the spate of toll fraud sweeping across America.
Zimperium’s Kern Smith told me that “the latest wave of mobile SMS scams is a stark reminder that mobile devices and apps are uniquely vulnerable — and often under protected — against attackers,” while the new reports “show the continued investment by cybercriminals in targeting mobile users.”
Each dangerous text includes a lure — the unpaid toll for example — and a link. The text will pretend to come from a brand or goverment agency and the link will be crafted to match the lure, likely a long URL with the right keywords contained within.
Even if the text itself seems plausible, the link is a telltale red flag. It will usually use a top level domain (TLD) from outside the U.S., and it will not match the core domain you would associate with the brand or agency.
To get around that problem, attackers are using dashes to trick users into thinking this is a legitimate link using that core domain. And the most dangerous dash follows a “.com”. That makes you think it links the normal .com domain to a subdomain, but that’s not the case. It’s a ruse to hide a full legitimate domain within a malicious link.
This trick is flying. The latest quarterly report from SpamHaus lists the top-2o phishing terms included in malicious links, warning that “com-track” is a new entry that has gone straight to number one on its list. This would allow an attacker to copy delivery or ecom brand followed by its usual .com, but with an added “-track” after the legitimate URL.
If you ever see “com-track” in a link, delete the text immediately per the FBI’s advice. It’s a scam. Similarly, “com-toll” is another new entry on the list and you can expect more of the same to be added quickly as these others take hold.
The other telltale warning sign is a Chinese TLD — albeit you won’t realize it’s Chinese from the TLD itself. Look out for “.TOP” in particular as that’s the TLD favored by cybercriminals and again is cause on its own for you to delete a text.
According to the Anti-Phishing Working Group (APWG), a Chinese top level domain is “one way to spot these scam messages.” Look for “lesser-known TLDs such as .TOP, .CYOU, and .XIN.” The .TOP domain in particular “has a notable history of being used by phishers.” APWG says “ICANN issued a breach letter to .TOP Registry in July 2024, citing .TOP’s failures to comply with abuse reporting and mitigation requirements, and as of March 2025 the case is still listed as unresolved on ICANN’s Web site.”
Unsurprisingly, the problem is quickly getting worse. America’s Federal Trade Commission (FTC) has just reported that new data “shows that in 2024, consumers reported losing $470 million to scams that started with text messages.” And while “the most commonly reported type of text scam was fake package delivery,” others included “fake ‘fraud alert’ messages sent to consumers warning about a suspicious purchase or an issue with their bank; warnings about fake unpaid tolls with a link to pay them; and ‘wrong number’ scams that start as a seemingly misdirected message.”
According to Silent Push, one Chinese phishing gang alone, Smishing Triad, “generated over one million page visits within a period of only 20 days, averaging 50,000 per day. Based on this data, we believe the actual number of messages sent may be significantly higher than the current public estimates of 100,000 SMS messages sent per day.”
Don’t take any risks. Don’t click links in texts. These scams have been industrialized and are fast becoming the most likely way you’ll be defrauded.
