Unpaid toll-themed smishing campaign gives victims no free ‘E-ZPass’

Written by Field Effect Security Intelligence Team | Apr 9, 2025 1:34:50 PM

A recent smishing campaign is impersonating E-ZPass and other U.S.-based toll agencies and sending fraudulent text messages to individuals. These messages claim that recipients have unpaid tolls and urge immediate payment to avoid penalties or suspension of driving privileges.

The texts include links that direct users to counterfeit websites designed to steal personal and financial information, such as names, addresses, and credit card details.

The campaign is notable for its scale and persistence, with some individuals reporting receiving multiple messages daily. The messages often originate from random email addresses and are crafted to bypass anti-spam filters. To circumvent protections like Apple's iMessage link-blocking feature, scammers may instruct recipients to reply to the message, making the malicious links clickable.

Authorities have been aware of similar scams since at least April 2024, with the FBI issuing warnings about such tactics. The current surge suggests that cybercriminals are employing phishing-as-a-service platforms (PhaaS), like Lucid and Darcula, to automate and expand their fraudulent operations.

Source: Bleeping Computer

Analysis

This smishing campaign leans heavily on a classic social engineering tactic: create urgency and fear of consequences to prompt immediate action. In this case, that’s the threat of unpaid tolls, late fees, or suspended driving privileges. This is an often-used psychological lever, but what makes this instance notable is its specific and plausible theme.

Using an unpaid payment angle is smart from the threat actor’s perspective because it’s:

  • Widespread: a huge portion of the U.S. population uses toll roads or E-ZPass-type systems.
  • Routine and plausible: many people aren’t sure if they missed a charge or didn't notice a payment slip through.
  • Authoritative: government or transport authority impersonation lends a false sense of legitimacy.

This campaign doesn’t require elaborate social engineering profiles. It leverages the ‘spray-and-pray’ method but is believable enough that some percentage of those targeted will likely take the bait. Additionally, with PhaaS platforms like Lucid and Darcula likely being involved, the threat actor can easily scale this campaign with fake domains, spoofed numbers, and convincing templates.

Ultimately, this campaign is much like previous scams that impersonated tax agencies, package delivery services, or parking authorities, and relied on urgency and perceived legitimacy to prompt victim response. As long as these tactics remain effective, similar campaigns—each with slightly different themes tailored to current trends or public behavior—are very likely to continue.

Mitigation

Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats related to phishing. Field Effect MDR users are automatically notified if phishing-related activity is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

To help avoid being compromised by this scam, Field Effect recommends that users:

  • Avoid responding and/or clicking on links in unsolicited messages.
  • Verify outstanding tolls through official channels.
  • Report suspicious messages and block phone numbers the smishing messages are sent from.
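
For teams that triage reported messages, the campaign traits described in this article (email-address senders, toll-themed urgency, links to counterfeit sites, and prompts to reply) can be combined into a simple score. The Python below is an added example, not Field Effect's code; the allowlisted host, the keyword lists and the sample messages are constructed assumptions.

```python
import re

# Assumption: allowlist of official toll-agency hosts (placeholder value).
OFFICIAL_HOSTS = {"tolls.example.gov"}

EMAIL_SENDER = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
THEME = re.compile(r"\b(tolls?|e-?zpass)\b", re.I)
URGENCY = re.compile(
    r"\b(unpaid|overdue|late fees?|penalt\w+|suspen\w+|immediately)\b", re.I)
REPLY = re.compile(r"\breply\b", re.I)
# Host part of a link, with or without an explicit scheme.
LINK = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)


def score_message(sender, body):
    """Return (score, reasons); one point per campaign trait observed."""
    reasons = []
    if EMAIL_SENDER.match(sender):
        reasons.append("sender is an email address, not a phone number")
    if THEME.search(body) and URGENCY.search(body):
        reasons.append("toll theme combined with urgency or penalty wording")
    hosts = {m.group(1).lower() for m in LINK.finditer(body)}
    # Exact-match allowlisting also rejects look-alike hosts that merely
    # embed an official name as a subdomain prefix.
    unknown = sorted(hosts - OFFICIAL_HOSTS)
    if unknown:
        reasons.append("link to non-allowlisted host: " + ", ".join(unknown))
    if hosts and REPLY.search(body):
        reasons.append("asks for a reply before the link can be opened")
    return len(reasons), reasons


# Constructed sample messages (not taken from the campaign).
SMISH = ("kx93bq@mail.example",
         "E-ZPass: you have an unpaid toll. Pay now to avoid late fees: "
         "https://tolls.example.gov.pay-now.example.com/bill "
         "Reply Y, then reopen this message to activate the link.")
LEGIT = ("+12025550123",
         "Your E-ZPass statement is ready at https://tolls.example.gov/account")
CHAT = ("+12025550199", "Lunch at noon? Reply if you can make it.")

if __name__ == "__main__":
    for sender, body in (SMISH, LEGIT, CHAT):
        score, reasons = score_message(sender, body)
        print(score, sender, reasons)
```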
