Update: Republished later on April 11 with reports into new tariff related attacks.
The latest FBI unpaid toll scam warnings in Las Vegas and Phoenix will leave millions of Americans asking why there appears to be no solution to these malicious texts. The bureau first warned about this smishing attack almost exactly a year ago, and yet the plague of malicious messages is now spiralling out of control with no signs of stopping.
Resecurity has just warned that the toll payment scam is undergoing a “massive fraud campaign expansion,” and that “the campaign has utilized over 60,000 domain names, making it difficult for platforms like Apple and Android to block fraudulent activity effectively.” A “significant spike” in Q1 has seen “millions of consumers targeted.”
“These attacks,” says Black Duck’s Thomas Richards, “are very complex and show deep technical capabilities at such scale. While attackers abuse encrypted communications to evade eavesdropping by the carriers, it should still set off alerts within the networks when a single phone number sends thousands of text messages to users outside their geographic area when they aren’t a registered short code or business.”
As I’ve reported before, this is not a nuisance scam chasing you for a few dollars. It is organized crime, a concerted attack that leverages a complex and extensive ecosystem built and operated out of China. The attackers don’t want your $4 or $5. They want to steal your credentials, your credit card details and maybe even your identity.
And according to SlashNext’s J Stephen Kowski, the Chinese gangs “have evolved from targeting toll road and shipping customers to directly attacking international financial institutions, using sophisticated smishing techniques that bypass traditional security measures. These attackers are enjoying remarkable success converting phished payment card data into mobile wallets from Apple and Google.”
The Smishing Triad group behind these attacks made its name pushing undelivered package messages through compromised iMessage accounts. But it’s now much wider. And it’s ongoing. In a new report, Talos warns that “as of March 2025, [we are]
still seeing new domains registered by the threat actors for the toll road scams.” And it shares details on the channels — mainly Telegram — used to sell these phishing kits.
In another new report this week, the threat hunters at Silent Push say they have “determined that portions of [Smishing Triad’s]
infrastructure generated over one million page visits within a period of only 20 days, averaging 50,000 per day. Based on this data, we believe the actual number of messages sent may be significantly higher than the current public estimates of 100,000 SMS messages sent per day.”
Three weeks ago, the threat actors behind Smishing Triad started sharing a new “Lighthouse” phishing kit aimed at banks and financial institutions. This is an industrialized attack. “Smishing Triad boasts it has ‘300+ front desk staff worldwide’ supporting the Lighthouse kit,” as it “sells its phishing kits to other threat actors.”
Threat Stop warns that “we’ve long known that the group referred to as Smishing Triad has been operating on a massive scale, rotating thousands of malicious domains and spoofing major brands worldwide.” This is true, but Silent Push’s findings, that this now targets users in more than 120 countries and operates “tens of thousands of domains” has frightening implications for the scale of what comes next. A kit that targets your bank rather than a toll operator can do much more immediate damage to your finances.
As this threat is mapped, with details on the thousands of domains and hundreds of IP addresses, it will raise questions as to how best to cut this down. What it has done it highlighted the weakness in the openness of SMS/RCS/iMessage in a way that other messaging platforms are not — albeit they’re hit with smishing to a lesser extent.
Zimperium’s Kern Smith told me that “the latest wave of mobile SMS scams is a stark reminder that mobile devices and apps are uniquely vulnerable — and often under protected — against attackers,” while the new reports “show the continued investment by cybercriminals in targeting mobile users.”
While Smishing Triad attacks are the work of cybercriminals rather than state affiliated hackers, this is all unfolding against the backdrop of intensifying U.S. China tensions as the respective governments continue to play their game of tariff chicken. And those tariffs will fuel another wave of scams and attacks, as businesses and shoppers in America and elsewhere react to the newly uncertain climate.
That’s the new warning from BforeAI, which says “cybercriminals have launched a wave of scam and hate campaigns leveraging the ripple effects of tariff interest and coverage. A significant surge totaling 301 domain registrations was seen in the first three months of 2025. Surprisingly, only one typosquat, ‘tarrif’, was identified, indicating the cybercriminals’ preference in taking a more direct approach to support the scams.”
Any time there’s a viral, headline event — be that an election, a trade war, a wild fire or a sporting occasion, you can be certain cybercriminals will ride the wave. Just as with tolls, packages and financial institutions, the telltale sign as to what’s to come can be found in the newly registered domaines, which betray the nature of forthcoming attacks.
BforeAI says its research team “identified several domains covering a mix of pro-trade, anti-tariff, and other politically-charged narratives. Several domains aligning themselves with the current U.S. administration’s political discourse, include references to ‘Trump’ and ‘USA tariffs’. Common registrars include Namecheap, GoDaddy, Dynadot, and Squarespace Domains LLC. A subset of domains suggests possible misinformation or influence operations, particularly those with emotionally charged language engineered to elicit a response resulting in a click.” And there were many domains registered in China, unsurprisingly.
Not all these attacks will be deployed by text, of course; it’s likely most will be sent via emails and social media. But there will be texts — and plenty of them — given the better than average hit rate such campaigns now enjoy.
The FBI’s warning is clear, whether a malicious text relates to road tolls, packages, banking transactions or tariffs. Report the text and the number that sent it to www.ic3.gov, and then delete it from your phone.