A widespread and aggressive phishing campaign is hitting mobile users across the U.S., posing as trusted toll agencies like E-ZPass, The Toll Roads, FasTrak, and various state DMVs.
The Scam: Familiar, Aggressive, And Hard To Stop
Victims are receiving text messages that look like official toll notices. The messages typically warn of unpaid tolls, fines, or license suspensions if payment is not made immediately. The scam relies on urgency: deadlines are tight, consequences sound severe, and the message includes a link to a toll payment page that looks legitimate.
Click the link, and you land on a mobile-only phishing website designed to steal personal and financial information. These sites closely mimic real toll agency portals—the same layout, the same colors, and even the same language. The only giveaway is the web address, which often uses suspicious or misspelled domains.
What is different about this campaign is the intensity. Some users report getting up to seven of these texts in a single day. The messages often come from random email addresses, which helps them sneak past spam filters.
Example scam text:
‘Your toll payment for E-ZPass Lane must be settled by April 4, 2025. To avoid fines and the suspension of your driving privileges, kindly pay by the due date.’
Scammers are also exploiting features in Apple’s iMessage and Android’s RCS messaging systems. For example, iMessage disables links in messages from unknown senders. To bypass this, scammers prompt users to reply—once they do, the link becomes clickable.
The phishing pages themselves are mobile-only. That means if someone opens the link on a desktop browser, the fake site does not load. It is a tactic designed to avoid detection by security tools that monitor traffic from corporate or desktop environments. This makes it harder for cybersecurity professionals to analyze and shut these sites down quickly.
Technical Sophistication Behind The Attack
This is not a DIY job by a lone scammer. There is growing evidence that this wave is powered by phishing-as-a-service (PhaaS) operations like Lucid and Darcula. These platforms sell complete phishing kits—web hosting, SMS delivery systems, fake landing pages, encryption tools—to other cybercriminals who want to run scams at scale.
Lucid and Darcula make it easy for even low-skilled criminals to launch large campaigns. They offer support, updates, and even dashboards for tracking how many victims clicked or submitted data. Their infrastructure is robust, capable of sending thousands of encrypted messages in minutes, often through iMessage or RCS, avoiding the costs and restrictions tied to traditional SMS delivery.
Cybersecurity Implications
This is part of a broader trend in cybercrime: professionalization. Scams today are more organized and better resourced than ever. Platforms like Lucid essentially allow phishing to run like a business—one with marketing, automation, customer service, and global reach.
This scam is also part of a growing trend: multi-platform phishing attacks. While email phishing remains common, attackers are increasingly targeting smartphones where users are more likely to act quickly and overlook red flags. With smartphones being central to everything from banking to ID verification, a single phishing link can compromise much more than a credit card.
How Consumers Can Protect Themselves
Let’s go beyond the basics. Here is how to truly minimize your risk:
1. Assume all unsolicited payment texts are scams
Toll authorities do not send payment demands via text with links. Period. Go to their official website or app directly.
2. Do not respond or click
Replying—even with “Stop” or “Who is this?”—tells scammers your number is active. That means more scams later.
3. Use a call/text firewall app
Apps like Hiya, Truecaller, or Robokiller can flag and block suspected scam texts based on crowd-sourced reports and behavior patterns.
4. Use Apple’s and Android’s built-in tools
- On iPhone, go to Settings > Messages and enable Filter Unknown Senders. Tap “Report Junk” for spam iMessages.
- On Android, enable Spam Protection in Google Messages and Caller ID & Spam in the Phone app settings.
5. Check for real toll balances via official apps or websites
Use verified sources like:
Bookmark them. Never trust a link in a text.
6. Freeze your credit
If you suspect your personal info was exposed, freeze your credit with Equifax, Experian, and TransUnion. It is free and prevents new accounts from being opened in your name.
7. Monitor your bank and credit statements weekly
Look for tiny “test” charges. Fraudsters may test stolen cards with $1 purchases before more significant fraud.
8. Report the scam
The more reports, the faster platforms can block the campaign.
