Urgent FBI Warning: Phishing Texts Targeting Toll Payments Surge in U.S.

WASHINGTON, March 23, 2025 — Smartphone users across the United States are facing a rising threat from fraudulent text messages that impersonate toll road operators. The FBI has issued an urgent warning regarding these scams, which target both iPhone and Android users. The messages claim recipients owe unpaid tolls and direct them to malicious websites designed to steal personal and financial information.

In a statement released this week, the FBI noted, “Have you received a text suggesting you may owe unpaid tolls on your vehicle? There is a good chance it’s a fraudster trying to get your personal information.” With cybercriminals increasingly sophisticated in their tactics, the FBI and the Anti-Phishing Working Group (APWG) have raised alarms over the prevalence of these scams.

The APWG reported that scammers are utilizing various deceptive domains to mirror established state toll operators such as EZPass. According to reports, hackers are registering thousands of fraudulent domains, often using lesser-known Chinese top-level domains, including .TOP, .CYOU, and .XIN, to ensnare unsuspecting victims. These phishing efforts reflect a broader strategy seen in other scams, such as fake package deliveries.

“Public safety is my top priority, which is why I’m urging New Yorkers to take caution against senseless scammers sending fake E-ZPass text messages in an attempt to collect money for fake unpaid tolls,” said New York State Governor Kathy Hochul.

Authorities are urging the public to report any suspicious messages, delete them immediately, and verify toll charges through official channels. A typical scam message often includes threatening language that prompts immediate action, such as: “City Department of Transportation Final warning: $6.99 owed. Must pay by 03/17 to close case or face court summons.”

Aidan Holland from Censys emphasized that the attackers are primarily after sensitive information rather than small toll fees. “They don’t care about the seven bucks; they want your credit card number,” he stated, underscoring the serious risks of identity theft associated with such scams.

The Federal Trade Commission (FTC) supports this warning, cautioning consumers that succumbing to these demands could result in significant financial losses. The magnitude of the issue is significant; Robokiller reported over 19 billion spam texts sent in the U.S. in February alone. The similarity in the scam texts indicates a coordinated effort by cybercriminals, suggesting a systemic threat rather than isolated cases of fraud.

Despite existing warnings, many individuals continue to fall victim to these scams. Issues with compliance by domain registries, such as the .TOP Registry, remain a major concern. ICANN issued a breach letter in July 2024, citing failures to meet abuse reporting standards, and as of March 2025, the case is still unresolved.

Norton has recommended several precautionary measures for users. They advise being suspicious of unexpected notices regarding toll payments, as legitimate toll agencies typically send official invoices rather than sudden alerts via text. Signs of potential scams include urgent language, misspellings in domain names, and requests for personal information.

Jon Clay of Trend Micro noted that tech companies must do more to combat these threats. While Android devices can add known scams to their spam list, Apple’s current lack of action against such threats leaves users vulnerable. The ongoing evolution of scams, paired with the scalability of phishing kits, complicates prevention efforts.

As fraudulent messages continue to rise, cybersecurity experts warn of a potential shift in tactics once toll fraud diminishes in effectiveness. Therefore, law enforcement agencies and cybersecurity professionals advise users to remain vigilant and report fraudulent messages to the FBI’s Internet Crime Complaint Center at IC3.gov and through APWG at apwg.org/sms.

The FBI further emphasizes the importance of thorough account reviews if users believe they have clicked on malicious links or provided sensitive information. Changing passwords and promptly disputing unauthorized charges are vital steps in enhancing personal security.