In a novel attempt to steal individuals’ credit card information, cyber criminals are posing as local toll services in multiple states across the USA.

About the smishing campaign

According to the FBI, this spring over 2,000 people have filed reports with the Internet Crime Complaint Center (IC3) stating they were targeted in an SMS phishing campaign (also known as a “smishing” attack). So far, the campaign has been active in three different states, with attackers sending text messages to random phone numbers claiming that recipients owe money for using certain turnpikes or toll roads. At the end of the messages, they include a malicious link to a website where the debt can supposedly be paid. As the PSA released by the FBI on April 12, 2024, related:

“The texts claim the recipient owes money for unpaid tolls and contain almost identical language [across states]. The ‘outstanding toll amount’ is similar among the complaints reported to the IC3. However, the link provided within the text is created to impersonate the state’s toll service name, and phone numbers appear to change between states.”  

What to do if you’re a target

Some of the toll service locations impacted have released statements warning the public about the attacks, but it remains unclear who is behind them. Additionally, the FBI also requested that those who receive a malicious text message take the following measures to ensure their private information is secure:

1. File a complaint with the IC3 at www.ic3.gov and include the scammer’s phone number and the website listed within the text.

2. Check their account using the toll service’s legitimate website.

3. Contact the toll service’s customer service phone number.

4. Delete any smishing texts received.

5. If they click any link or provide your information, make efforts to secure your personal information and financial accounts. They should also ensure that all unfamiliar charges are disputed immediately.