Beware of Smishing Scams: Fake Toll and Delivery Texts Are on the Rise
Cybercriminals are ramping up their efforts to scam unsuspecting individuals through a type of phishing attack known as smishing—a combination of "SMS" and "phishing." The FBI has issued warnings as this scam spreads from state to state, urging iPhone and Android users to delete any suspicious texts immediately.
What Is Smishing?
Smishing occurs when scammers send fraudulent text messages that appear to come from legitimate organizations. These messages often contain malicious links designed to steal personal and financial information. Unlike traditional phishing, which targets victims through email, smishing takes advantage of the trust people place in text messages, making it particularly effective.
How the Scam Works
According to a new report from Palo Alto Networks’ Unit 42, cybercriminals have registered over 10,000 fake domains to impersonate toll payment services and delivery companies. The scam starts with a text message claiming that you have an unpaid toll bill or an undelivered package, urging you to click a link to make a payment.
These links often direct victims to fake websites that look almost identical to the real ones, tricking them into entering sensitive details like credit card numbers or login credentials. Some even prompt users to keep retrying payments with different cards—an effort to collect as many card numbers as possible.
Red Flags to Watch For
Smishing texts follow a predictable pattern. Here’s what to look out for:
- Urgent payment requests for unpaid tolls, delivery fees, or fines.
- Suspicious links with extra characters, hyphens, or domains that don’t match official websites (e.g., "usps.com-tracking-helpsomg[.]xin").
- Instructions to manually copy and paste a link into your browser—this is often used to bypass security features like iMessage link blocking.
- Spelling errors or incorrect formatting, such as a dollar sign appearing after the amount (e.g., "50$" instead of "$50").
How to Protect Yourself
Authorities, including the FTC and local law enforcement agencies, have issued the following recommendations:
- Do not click on any links in unsolicited text messages.
- Verify directly with the service provider by visiting their official website or calling their customer support line.
- Report the scam by forwarding the message to 7726 (SPAM) or filing a complaint with the Internet Crime Complaint Center (IC3) at www.ic3.gov.
- Delete the message immediately to avoid accidental clicks.
- Monitor your financial statements for unauthorized transactions if you suspect you’ve entered your details on a fraudulent site.
Smishing Attacks Are Spreading Rapidly
Authorities across multiple states, including Louisiana, Michigan, Virginia, and Maryland, have issued alerts as more victims report falling for these scams. A news station in Detroit received over 4,300 comments from concerned residents who had received these fake toll payment texts.
McAfee has identified the top most targeted cities for toll payment scams, including:
- Dallas, TX
- Atlanta, GA
- Los Angeles, CA
- Chicago, IL
- Orlando, FL
- Miami, FL
- San Antonio, TX
- Las Vegas, NV
- Houston, TX
- Denver, CO
Stay Vigilant and Spread the Word
With scammers continuously adapting their tactics, it's crucial to remain cautious. If you receive a suspicious text, don’t rush to respond—take a moment to verify its legitimacy. By staying informed and sharing this information with family and friends, you can help prevent more people from falling victim to these dangerous scams.
