Smishing, a form of phishing carried out through text messages, has become a growing concern, especially as cybercriminal groups develop increasingly sophisticated methods to deceive their victims. One such alarming trend involves the Smishing Triad, a China-based cybercriminal group that has been sending fraudulent messages impersonating toll service providers in the US and UK. As their operations expand globally, these attackers are putting millions of users at risk of financial loss and data theft. This article delves into the rise of these smishing campaigns, how they work, and what individuals and organizations can do to protect themselves.
The Rise of Smishing Campaigns
The Smishing Triad, a well-organized cybercriminal group operating from China, has significantly ramped up its operations in recent months. Their primary method involves sending deceptive SMS and iMessage messages that appear to come from legitimate toll service providers such as FasTrak, E-ZPass, and I-Pass. These fake messages falsely claim that the recipients have unpaid toll bills and urge them to take immediate action to resolve the issue.
The perpetrators behind these scams use spoofed sender IDs to make the messages appear genuine, playing on the trust users place in communications from trusted service providers. Once the victim clicks on a link or responds to the message, they are directed to a phishing website designed to harvest sensitive personal information, including credit card details and login credentials.
What makes these smishing attacks particularly dangerous is their ability to evade traditional spam filters, which are often ineffective at blocking text messages. Furthermore, people tend to trust messages that come through SMS and iMessage more than emails, making them more susceptible to phishing attacks. The urgency often conveyed in these messages increases the likelihood that victims will fall for the scam, leading to higher success rates for the criminals.
How the Scam Works
The scam begins when the victim receives a message that appears to be from a legitimate toll service provider, warning them of an unpaid toll bill. These messages typically include a call to action urging the recipient to pay immediately to avoid penalties. However, the links provided in these messages direct users to phishing websites that look remarkably similar to legitimate toll payment sites.
Once on the fraudulent site, victims are asked to enter sensitive information, such as credit card numbers or login credentials, which is then captured by the criminals for later use. The scam is powered by a service known as “Oak Tel,” operated by Chinese cybercriminals. Oak Tel enables cybercriminals to:
- Manage and automate smishing campaigns through a web-based dashboard
- Spoof sender IDs, making messages appear as though they are from trusted sources like the US Postal Service or Chase Bank
- Scale attacks using APIs and upload data to target specific regions or behaviors
All of this is available for as little as $8 per 1,000 messages, with the service being sold through Telegram channels.
The sheer scale of this operation is staggering, with over 60,000 domains registered to support these smishing campaigns, many of which are hosted under the “.xin” domain managed by a Hong Kong-based company. The most significant surge in smishing activity occurred at the start of Q1 2025, with millions of fraudulent messages being sent.
Mitigation and Consumer Warnings
While it is difficult to completely prevent smishing attacks, there are several steps individuals can take to protect themselves. Authorities urge consumers to be vigilant when receiving unsolicited messages, especially those claiming to be from toll service providers or other trusted institutions. It is important not to click on any links in these messages but to visit official websites directly to verify any claims.
Government agencies and consumer protection organizations have also stressed the need for instant messaging platforms to implement stronger protections against smishing. By adopting best practices and adapting them to the unique nature of instant messaging services, these platforms could increase the cost and difficulty of running smishing campaigns, ultimately reducing the scale and effectiveness of these attacks.
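The advice above (do not follow the link, check against the official site) can be turned into a simple triage rule for reported messages. The following is an added example, not code from the original report: it flags toll-themed texts whose links leave an allowlist of official domains or sit under the ".xin" TLD mentioned above. The allowlist entry `tolls.example.gov`, the urgency word list and all sample messages are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Brand names the article lists as impersonated, plus the generic theme word.
TOLL_TERMS = ("fastrak", "e-zpass", "ezpass", "i-pass", "ipass", "toll")
# Assumption: placeholder allowlist; replace with your toll agency's real domains.
OFFICIAL_DOMAINS = {"tolls.example.gov"}
# The article reports many campaign domains registered under .xin.
SUSPECT_TLDS = {"xin"}
URGENCY = re.compile(r"\b(unpaid|overdue|immediately|penalt(?:y|ies)|late fee)\b", re.I)
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def hosts_in(message):
    """Return the lowercase hostname of every link, with or without a scheme."""
    hosts = []
    for match in URL_RE.finditer(message):
        raw = match.group(0)
        if "://" not in raw:
            raw = "http://" + raw
        host = (urlsplit(raw).hostname or "").rstrip(".")
        if host:
            hosts.append(host)
    return hosts

def is_official(host):
    """Match on the domain suffix, so 'tolls.example.gov.evil.xin' fails."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def triage(message):
    """Return the reasons (possibly none) a message looks like toll smishing."""
    themed = any(term in message.lower() for term in TOLL_TERMS)
    hosts = hosts_in(message)
    reasons = []
    if themed and any(not is_official(h) for h in hosts):
        reasons.append("toll-themed text links to non-official host")
        if URGENCY.search(message):
            reasons.append("urgency wording")
    if any(h.rsplit(".", 1)[-1] in SUSPECT_TLDS for h in hosts):
        reasons.append("link under .xin")
    return reasons

# Constructed sample messages (not taken from a real campaign).
SAMPLES = [
    "E-ZPass: unpaid toll of $6.99. Pay immediately: https://ezpass-billing.xin/pay",
    "FasTrak: settle your balance at tolls.example.gov.secure-pay.xin/login",
    "Your FasTrak statement is ready at https://tolls.example.gov/account",
]
if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage(sms) or ["no indicators"], "<-", sms)
```

The second sample shows why the allowlist compares the end of the hostname: an official-looking name used as a subdomain prefix of another domain does not pass.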
What Undercode Says:
Smishing campaigns have been an ongoing threat for some time, but the rise of more sophisticated tactics, like those employed by the Smishing Triad, marks a significant shift in how cybercriminals approach phishing. The key differentiator with smishing compared to traditional phishing is the use of text messaging, which remains a more trusted form of communication for most users. This makes it harder for individuals to recognize fraudulent messages.
One of the major challenges with smishing attacks is the spoofing of sender IDs, a tactic that enables criminals to mimic trusted organizations, making their messages appear legitimate. This kind of deception is difficult to counter because SMS and iMessage are often considered secure forms of communication, and people are generally less suspicious of them than emails.
The scale of this issue is concerning, especially with the increased use of services like Oak Tel, which enable cybercriminals to automate and scale these attacks. The fact that these attacks are often marketed for a small fee makes them accessible to a broader range of malicious actors, further exacerbating the threat.
Given the sophistication of these smishing operations, it is clear that both consumers and service providers must be more proactive in their efforts to prevent these attacks. Organizations must invest in stronger anti-smishing measures, while consumers need to exercise caution and verify the legitimacy of any unsolicited messages they receive.
Fact Checker Results:
- The rise in smishing campaigns targeting toll service users, attributed to the Smishing Triad, is a well-documented trend, with attacks on the US and UK being particularly prevalent.
- The use of spoofed sender IDs and phishing websites is a common and highly effective tactic in these smishing campaigns, which have been gaining traction in early 2025.
- There are calls for stronger protections from instant messaging platforms to combat the growing threat of smishing.
References:
Reported By: www.infosecurity-magazine.com