A new wave of text message scams is sweeping the nation, targeting drivers with fraudulent toll road charges. These deceptive messages, often appearing to originate from legitimate toll operators like E-ZPass or SunPass, warn recipients of unpaid tolls and potential fines. Clicking on the provided links leads victims to counterfeit websites designed to steal sensitive financial information, including credit card details and one-time passwords.

Security experts have linked these smishing (SMS phishing) attacks to Chinese groups known for developing and distributing advanced phishing kits. One such kit, "Lighthouse," enables scammers to easily impersonate toll operators across numerous states. These attacks have been reported nationwide, impacting users of various toll systems, including EZDriveMA in Massachusetts, SunPass in Florida, and the North Texas Toll Authority. The deceptive nature of these mobile-optimized phishing pages makes them particularly difficult to detect.

These phishing scams are constantly evolving, utilizing advanced techniques like integration with Apple iMessage and Android's RCS technology to bypass traditional spam filters. This increased deliverability makes it more likely for victims to receive and interact with these fraudulent messages. The dynamic, real-time operation of these phishing sites further complicates detection and shutdown efforts. Worryingly, even individuals without vehicles have reported receiving these messages, suggesting indiscriminate targeting.

Protecting Yourself from Toll Road Text Scams

Here are some crucial steps to safeguard yourself against these scams:

1. Directly Verify with Toll Operators: Never click on links in unsolicited text messages. Instead, contact your toll operator directly through their official website or customer service number to verify any claims of unpaid tolls.
2. Install Robust Antivirus Software: Comprehensive antivirus software provides a crucial layer of defense against malicious links and other online threats.
3. Never Share Personal Information via Text: Legitimate organizations will not request sensitive information like credit card details or one-time passwords via text message.
4. Enable Two-Factor Authentication (2FA): 2FA adds an extra layer of security to your accounts, requiring two forms of verification for access.
5. Be Wary of Urgent Messages: Scammers often use urgency to pressure victims into acting quickly without thinking. Always take a moment to verify the legitimacy of any urgent requests.
6. Report Suspicious Messages: Report suspected phishing attempts to the appropriate authorities, such as the Federal Trade Commission (FTC) or the FBI's Internet Crime Complaint Center (IC3).
7. Consider a Personal Data Removal Service: These services can help minimize your online footprint, making it harder for scammers to target you with personalized scams.