Listen to this Post
A dangerous wave of SMS phishing scams targeting toll road users has resurfaced across the United States. Disguised as urgent payment requests from legitimate toll agencies like E-ZPass or SunPass, these messages are stealing payment credentials and personal data from unsuspecting users. Here’s how to spot them—and what you can do to stay safe.
A New Wave of Toll Fee Scams
Back in August 2024, cybersecurity experts flagged a new breed of smishing (SMS phishing) scams targeting drivers with fake toll fee payment alerts. Fast forward to 2025, and this threat has evolved, spreading rapidly across multiple U.S. states. These scam messages impersonate toll authorities such as:
– E-ZPass
– The Toll Roads
– SunPass
– TxTag
The messages typically contain alarming language—warning of fines, suspended driving privileges, or urgent deadlines. A sample message might look like:
“Your toll payment for E-ZPass Lane must be settled by [urgent date]. Pay here: [malicious link]”
Scammers use sophisticated tricks to make these fake URLs look legitimate. For example, by nesting real-looking domains inside fake ones like e-zpass.com-roadioe[.]cc. Victims are being flooded with up to 7 messages a day, according to some reports.
Government Agencies Respond
Multiple state agencies are now issuing public alerts:
- Wisconsin DMV warns residents about these phishing texts.
- Arizona DOT clarified that their state doesn’t even operate toll roads—yet people are still receiving fake toll texts.
How to Protect Yourself
Cybersecurity experts and state agencies recommend the following precautions:
- Check the source of the message. If the number is international or looks suspicious, don’t trust it.
- Scrutinize URLs. Compare the link with the official toll agency’s website. Even minor differences matter.
- Don’t interact with the message. Even replying “Stop” can confirm your number is active.
- Validate the claim directly on the official website if you think the toll charge might be real.
- Report it to the FBI’s Internet Crime Complaint Center (IC3) with full details.
Known Malicious Domains
These domains have been tied to ongoing smishing toll fee scams:
– `com-roadioe[.]cc`
– `sunpass-verification[.]top`
– `paytollrbzx[.]vip`
– `etc-tollad[.]xin`
– `roadetctre[.]xin`
– …and many more.
Security tools like Malwarebytes for Mobile can help by scanning your messages in real-time and blocking access to malicious domains.
What Undercode Say:
Smishing campaigns like these are no longer amateur operations—they’re part of a growing global phishing economy targeting mobile users at scale. Let’s dig deeper into the technical and social engineering aspects behind this toll fee scam surge:
Smishing as a Vector: Still Underestimated
Most users associate phishing with emails, but SMS phishing has higher open and click rates. With people more inclined to trust texts from government-sounding agencies, scammers exploit this trust factor heavily.
Domain Spoofing: A Psychological Tactic
Scammers know that most users glance quickly at URLs on mobile. They rely on human error, using tactics like subdomain spoofing (e-zpass.com-roadioe.cc) to appear legitimate. One misplaced hyphen or unfamiliar TLD (like .vip or .top) is all it takes to trick someone.
Spam Volume: Playing the Numbers Game
Sending 7+ texts a day isn’t accidental—it’s part of a calculated plan. The more noise, the more chances to catch someone at a weak moment—when they’re busy, distracted, or already worried about unpaid bills.
Fake Urgency = Real Panic
Every fake toll message uses language designed to induce panic: “settle by tomorrow,” “license suspension,” “fines.” These are classic social engineering triggers. Fear overrides logic.
State-by-State Inconsistencies
What’s fascinating is how scammers exploit the lack of centralized toll systems in the U.S. They send fake E-ZPass alerts to people in states where E-ZPass isn’t even used, betting most won’t notice. Arizona’s DOT reminder that their highways are toll-free is a key example of how fragmented infrastructure aids attackers.
IoC Clustering and Domain Analysis
Domains listed in this campaign show clear patterns: many use:
– .vip, .xin, .top TLDs (commonly used by malicious actors due to lax registration rules).
– “com-” prefixes to create pseudo-legitimacy.
- Words like “tollbill”, “sunpass”, “etc” to mimic authority.
This suggests a centralized phishing-as-a-service backend, possibly operating internationally.
Malwarebytes and Real-Time Protection
Tools like Malwarebytes Mobile are increasingly essential—not just for antivirus, but for phishing link detection, SMS scanning, and blocking command-and-control domains. Their proactive filtering can prevent a click before it happens.
What You Should Do Next
– Update your mobile security apps.
– Manually verify tolls through official websites only.
- Encourage friends and family to report suspicious texts.
– Block and report scam numbers immediately.
This is not just about protecting yourself—reporting smishing texts helps authorities map out attack patterns and dismantle infrastructure before it reaches others.
Fact Checker Results
- No U.S. toll agency sends payment alerts via unsolicited SMS.
- Arizona has no toll roads at all—any toll-related message is automatically fake in that state.
- Domains using
.vip,.xin, and.topTLDs have high malicious reputations across threat intelligence databases.
References:
Reported By: www.malwarebytes.com
Extra Source Hub:
https://www.pinterest.com
Wikipedia
Undercode AI
Image Source:
Pexels
Undercode AI DI v2





