Update: Republished on March 22 with a new twist on this surging Chinese threat and additional advice on what to watch for and how to stay safe.
Stop sending texts, the FBI told Americans in December, as Chinese hackers marauded through U.S. networks. But there’s another text threat that’s now rapidly sweeping across America “from state to state,” and this one is more likely to get you, stealing your money, maybe even your identity. And it’s also made in China.
“Have you received a text suggesting you may owe unpaid tolls on your vehicle?” the bureau warned again this week. “There is a good chance it’s a fraudster trying to get your personal information.” We’re talking the smishing texts now targeting iPhone and Android phones across America with fake toll bills. The FBI tells users to delete these texts immediately, and there are lots of them.
In a new report, the Anti-Phishing Working Group (APWG) paints a bleak picture. “Residents of the U.S. are being bombarded with text messages from Chinese phishers, purporting to come from U.S. toll road operators, including the multi-state EZPass.” Don’t dismiss this as just toll fraud. The same kits drive package delivery and other fake messages with the same concept of operations, just different text and links. This can be tuned to any lure. It’s an infrastructural attack on our phones, not a single campaign.
The scale of this is now so “astronomical,” one cyber expert suggests, that it would be “alarming to know what the true cost is.” It’s certainly more than a scam; it’s an attack, says Trend Micro. And it’s spiralling out of control. According to Robokiller, more than 19 billion spam texts were sent in the U.S. in February alone.
And don’t dismiss this as a trick to steal a few dollars — that’s not the point at all. “They don’t care about the seven bucks,” says Aidan Holland from Censys, “they want your credit card number.” The FTC says it’s even worse: your identity could be stolen.
“The texts,” says the FBI, “claim the recipient owes money for unpaid tolls and contain almost identical language. The ‘outstanding toll amount’ is similar. However, the link provided within the text is created to impersonate the state’s toll service name, and phone numbers appear to change between states.”
The reason those links are different is that the attackers are registering tens of thousands of domains to mimic state and city toll agencies and lure clicks. And the reason the texts all seem similar is that they’re crafted by “an upgraded phishing kit sold in China, which makes it simple to send text messages and launch phishing sites that spoof toll road operators in multiple U.S. states.”
That’s the crux of APWG’s warning, which points out that “the phone numbers that the phishers send the messages to are usually random — they are sometimes sent to people who do not use toll roads at all, or target users in the wrong state. Some of the text messages are sent from phone numbers in countries other than China.”
But the top level domains are almost always Chinese, which is “one way to spot these scam messages.” Look for “lesser-known top-level domains such as .TOP, .CYOU, and .XIN.” The .TOP domain in particular “has a notable history of being used by phishers.”
This is where it gets interesting. APWG says “the .TOP Registry has long-running compliance problems. ICANN issued a breach letter to .TOP Registry in July 2024, citing .TOP’s failures to comply with abuse reporting and mitigation requirements, and as of March 2025 the case is still listed as unresolved on ICANN’s Web site.”
It should be fairly easy to stop, right? Surely the networks or phone OS makers can block texts with these links or provide new anti-scam measures to stop them hitting phones. Wrong. SMS and now RCS are open protocols, and while anti-spam measures are supposedly in place, they’re not working. This should be easy—it clearly isn’t.
Norton has issued advice for Americans to stay safe against this deluge of Chinese texts:
- “Unexpected notices – If you don’t remember missing a toll, be skeptical of any sudden violation notice. Legitimate agencies usually send invoices via official mail, not random emails or texts.
- Urgent or threatening language – Messages that pressure you to pay immediately or threaten fines and legal action are often scams.
- Unusual sender email or website links – Look closely at email addresses and URLs. Scammers often use misspelled domain names or extra characters (e.g., “Toll-Authority123.com” instead of “TollAuthority.com”).
- Suspicious links or attachments – Never click on links in unsolicited emails or texts. Hover over them to check the URL first—if it doesn’t match the official toll agency’s website, it’s a scam.
- Requests for personal information – Legitimate toll agencies don’t ask for sensitive details like Social Security numbers or full credit card info via email or text.”
Trend Micro has a whole section on its website dedicated to toll scams. The company’s Jon Clay told CNBC this week that “Apple doesn’t do anything about it… Android will add it to their spam list so you won’t get texts from the same number, but then the scammers will just change numbers. Apple has done a wonderful job of telling everyone their phone is secure, and they are, but not from this kind of attack.”
Trend Micro has also just warned of a new twist to this scam. “Unlike many other toll scams that target drivers in specific states, this scam is very generic, appearing to come from the vague-sounding ‘City Department of Transportation.’ It threatens drivers with a court summons if they do not pay the fee by a certain date.”
That urgency is a typical tactic. The new text reads something like: “City Department of Transportation Final warning: $6.99 owed. Must pay by 03/17 to close case or face court summons. Settle now: <URL> Thank you for your cooperation.”
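The indicators the article collects (links to lesser-known TLDs such as .TOP, .CYOU and .XIN; a toll or “Department of Transportation” lure with a small dollar amount; deadline and court-summons pressure) can be combined into a simple triage score for incoming texts. This is an added example, not code from the article, the FBI, APWG or Norton; the sample messages and the domain in them are constructed for illustration, and the thresholds are assumptions.

```python
import re
from urllib.parse import urlparse

# Lesser-known TLDs the APWG report names as recurring in these toll smishing kits.
# A link to one of them is a signal, not proof: legitimate sites exist on these TLDs too.
SUSPECT_TLDS = {"top", "cyou", "xin"}
# Lure vocabulary and pressure phrases quoted in the article
TOLL_WORDS = re.compile(r"\b(toll|ezpass|e-zpass|department of transportation)\b", re.I)
HOST_BRAND = re.compile(r"toll|ezpass|e-zpass", re.I)   # brand word inside a hostname
URGENCY = re.compile(r"final warning|must pay|court summons|immediately|legal action|\bfines?\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
AMOUNT_RE = re.compile(r"\$\d{1,3}(?:\.\d{2})?\b")        # small "outstanding toll amount"

def hostnames(text):
    """Extract hostnames from every URL in an SMS body (trailing punctuation stripped)."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url.rstrip(".,;)")).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def score_sms(text):
    """Return (score, reasons). Each heuristic is one signal; none alone is decisive."""
    reasons = []
    hosts = hostnames(text)
    for host in hosts:
        tld = host.rsplit(".", 1)[-1]
        if tld in SUSPECT_TLDS:
            reasons.append(f"link to .{tld} domain ({host})")
        if HOST_BRAND.search(host) and tld not in ("gov", "com"):
            reasons.append(f"toll brand word in lookalike host ({host})")
    if hosts and TOLL_WORDS.search(text) and AMOUNT_RE.search(text):
        reasons.append("toll lure: small dollar amount plus a payment link")
    if URGENCY.search(text):
        reasons.append("pressure language (deadline / court summons / fines)")
    return len(reasons), reasons

def is_smishing(text, threshold=2):
    """Assumed threshold: two independent signals flag a message for the user to verify."""
    return score_sms(text)[0] >= threshold

# Constructed sample messages; the domain below is invented for this example.
SAMPLES = {
    "scam": "City Department of Transportation Final warning: $6.99 owed. Must pay by 03/17 "
            "to close case or face court summons. Settle now: https://citydot-tollpay.top/pay .",
    "benign": "Your pharmacy order is ready for pickup. Reply STOP to opt out.",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        score, why = score_sms(body)
        print(f"{label}: score={score} flagged={is_smishing(body)}")
        for r in why:
            print("  -", r)
```

A flagged message is a prompt to check the account on the toll operator’s real website and report the text, as the FBI advises, not a verdict on its own.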
APWG says recipients of such scam texts — of which there are now likely hundreds of thousands — can “help update alerting/blocking mechanisms that protect billions of devices and software clients worldwide” by reporting these to the FBI’s IC3.gov or directly to them at apwg.org/sms.
Meanwhile, the FBI says “check your account using the toll service’s legitimate website, contact the toll service’s customer service phone number, [and] delete any smishing texts received.” If you do click the link and provide information, check your accounts and change your key passwords even if you haven’t made a payment.
Again, don’t just look out for toll texts. The lure could be anything; it just so happens that these Chinese attacks are mining a successful multi-state seam right now, but eventually that will shift to something else.
For the time being this threat continues to surge — be careful out there.