A widespread SMS phishing campaign has been targeting toll road users across the United States since mid-October 2024. Cybercriminals are impersonating legitimate toll payment services, such as E-ZPass, to steal credit card information from unsuspecting motorists. The attackers have focused on at least eight states, including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas.
The fraudulent messages inform recipients of an outstanding toll balance, typically under $5, and warn of potential late fees of approximately $35 if payment is not made promptly. These messages include a hyperlink to a spoofed domain that mimics official toll collection services. To create a sense of urgency, the texts threaten penalties or legal action if the recipient fails to pay by a specified date, prompting immediate action from concerned motorists.
Upon clicking the link in the SMS message, victims are directed through a sophisticated phishing flow designed to harvest personal and financial information. First, users encounter a fake CAPTCHA challenge, after which they are redirected to a counterfeit webpage displaying the legitimate toll service’s logo. This page requests the victim’s name and ZIP code, ostensibly to view their bill.
The technical sophistication of the attack lies in its multi-stage approach. After entering initial information, victims are presented with a fraudulent bill displaying their name and an outstanding balance of approximately $4, along with warnings about a $35 late payment fee. When victims click the Proceed Now button, they are redirected to another fake webpage that solicits comprehensive personal information, including name, address, phone number, and credit card details.
The phishing infrastructure utilizes domains created between October 2024 and March 2025, resolving to several IP addresses. Domain names are carefully crafted to impersonate legitimate toll services, enhancing the credibility of the scam. The ongoing registration of new domains as recently as March 2025 indicates that this campaign remains active, highlighting the need for continued vigilance among toll road users nationwide.
