Toll booth bandits continue to scam via SMS messages

North American drivers are continuing to be barraged by waves of scam text messages, telling them that they owe money on unpaid tolls.

Last month we described on Hot for Security how US authorities had issued a warning about SMS phishing attacks from scammers posing as tolling agencies.

For instance, Texas-based audience producer Gwen Howerton described on Bluesky how she had been duped by an unpaid toll scam after she had driven a rental car on the Dallas North Tollway - and, not being aware of the correct way to pay a toll, had believed the overdue payment demand she received to be genuine.

The scam text messages seen in the campaigns claim that the recipient has an "outstanding toll amount" that remains unpaid, and links to a page which poses as an overdue payment portal.

You'll notice that in both examples pictured above, the scammer is asking the recipient to perform a very specific action:

(Please reply Y and reopen the message to activate the link, or copy the link to the Safari browser for access.

The reason for this is that Apple iMessage automatically disables links received from unknown senders as a built-in protection against phishing.

Replying "Y" to the scam tricks iMessage into believing that you know the person who sent it to you, and re-enables the link.

Even if you ultimately decide not to click on the link, the fact that you may have replied with a "Y" verifies that your number if "live", making you a prime target for future scams and spams.

The advice to members of the public is to be wary when receiving an unexpected message from an unknown source. If the message contains links then replying to it will make the links live again. Simply ignoring the text, however, will not share any information with the sender.

If you are in any doubt as to whether a message is genuine or not, consider contacting the organisation which has contacted you directly. But be careful not to trust any contact information contained within the text message itself, as this could obviously direct you straight into the clutches of the scammer.

Members of the public would be wise to report and delete unwanted text messages or forward them to 7726 (SPAM). The FTC has published information about how to recognise and respond to scam text messages here.

A year ago, the FBI's Internet Crime Complaint Center (IC3) said it had received over 2,000 complaints about the scam messages and warned that the campaign appeared to be "moving from state-to-state."