- US smishing scam claims that unpaid toll fees are due
- SMS messages include a fake link to make an online payment
- Cyber criminals use more than 10,000 domains to fool recipients
A widespread SMS scam is targeting thousands of smartphone users in the United States. Scammers send fake texts that demand payment for unpaid tolls. Their goal is not only to scam innocent recipients out of their money, but also to steal their personal and financial information.
Reports about the smishing scam first appeared last year. In April 2024, the FBI’s Internet Crime Complaint Center (IC3) issued an alert on fake toll service text messages after receiving more than 2,000 complaints from US citizens.
Since then, it seems that the extent of the scheme has grown. Cities in several US states have now issued warnings, including Boston, Denver and San Francisco. McAfee has also highlighted the cities most affected by the scheme: the top three are Dallas, Atlanta and Los Angeles.
How the smishing scam works
Based on screenshots we have seen, the toll text messages all appear to follow a similar structure. Each SMS claims to be from a legitimate toll service and says there is an unpaid fee. The recipient is then instructed to pay the outstanding toll within a specified period of time to avoid late fees and a referral to the DMV. A URL is then provided that directs users to a fake payment page.
This page is designed to look convincingly like a legitimate payment site. It will often include a logo, business name and street address. It will also indicate the supposed time and date of the unpaid fee.
A threat actor utilizing the same naming pattern has registered 10K+ domains for various #smishing scams. They pose as toll services for US states and package delivery services. Root domain names start with “com-” as a way of fooling victims. More info at pic.twitter.com/7cbkvwywxo (March 7, 2025)
If you click on the payment link, the site will ask for payment information. Sometimes it will also request sensitive personal information, such as your driver’s license number. If you submit this information, you are handing it directly to the scammers and exposing yourself to identity theft.
The scam uses the same tactics as most phishing scams, creating a sense of urgency by requiring payment within a short period of time. The threat of litigation increases the likelihood of an emotional reaction, which can cause users to overlook inconsistencies in the original SMS or the associated payment page.
Reports also suggest that there are variations of the scam. In some cases, it seems that cyber criminals have varied the content of the SMS and the payment page to target users in specific locations. A screenshot we’ve seen claims to be from the city of New York. For some recipients, this can make the message more credible than a generic alert.
Recent intelligence from Palo Alto Networks’ Unit 42 reports that scammers have registered more than 10,000 domain names. Each of these is designed to be ambiguous enough that a casual glance may not reveal the deception. Not only do the new domains suggest that the scam is still ongoing, but certain URLs indicate that it could be expanded to include fake messages from delivery companies, an increasingly common tactic.
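One way to flag the “com-” naming pattern described above in a received SMS, as an added example that is not from the original article or from Unit 42. It also checks a few other TLD-like prefixes (an assumed generalization); the sample message, the `.example` domain and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# "com-" is the prefix the page reports; the other prefixes are an assumed generalization.
LOOKALIKE_PREFIXES = ("com-", "org-", "net-", "gov-")
URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+(?:\[\.\]|\.))+[a-z0-9-]+(?:/\S*)?", re.I)

# Constructed sample message; the .example TLD is reserved and never resolves.
SAMPLE_SMS = ("Toll Services: our records show an unpaid toll. Pay within 12 hours "
              "to avoid late fees: https://tollroad-pay.com-x7k2.example/bill")


def hostname_of(url):
    """Return the lower-cased host of a URL, accepting defanged '[.]' dots."""
    url = url.replace("[.]", ".").strip()
    if "://" not in url:
        url = "//" + url  # make urlsplit treat bare text as a network location
    return (urlsplit(url).hostname or "").rstrip(".")


def lookalike(url):
    """Return (apparent_site, registered_domain) when the host fits the pattern, else None.

    Assumes a single-label public suffix; a production check would consult the
    Public Suffix List to find the registered domain.
    """
    labels = hostname_of(url).split(".")
    if len(labels) < 3:
        return None  # the pattern needs <brand>.<com-xxx>.<tld>
    brand, registered, tld = labels[-3:]
    for prefix in LOOKALIKE_PREFIXES:
        if registered.startswith(prefix) and len(registered) > len(prefix):
            return f"{brand}.{prefix[:-1]}", f"{registered}.{tld}"
    return None


def scan_sms(text):
    """Return one finding per URL in the message whose host fits the pattern."""
    findings = []
    for match in URL_RE.finditer(text):
        hit = lookalike(match.group(0))
        if hit:
            findings.append({"url": match.group(0), "looks_like": hit[0],
                             "registered": hit[1]})
    return findings


if __name__ == "__main__":
    for finding in scan_sms(SAMPLE_SMS):
        print(finding)
```

The `looks_like` value is what a hurried reader sees, while `registered` is the domain the link actually belongs to.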
Here are a few of the domains listed in the report:
How to stay safe
As with any smishing or phishing scam, the best way to stay safe is to exercise caution. If you receive an unexpected SMS about unpaid toll fees, there is a good chance that it is a scam. Pause before acting on information in the message and do not click links.
Pay attention to the details of the message. Scam texts will often have grammatical errors or formatting discrepancies, such as misplaced punctuation. A closer look at the URL will often reveal that it is also suspect.
If in doubt, contact the real toll service in question. Never click on the link in the SMS. Instead, find the service’s official site or contact number using a trusted search engine and reach out to clarify.
The scam is now so widespread that the US Federal Trade Commission has issued advice to the same effect, as has the FBI. If you discover a fake or suspicious SMS, the instructions from both agencies are the same: report and delete the messages. You can do this on the IC3 site.