US Residents Targeted by Phishing Toll Fee Messages via SMS

Criminals are sending US residents rogue toll fee phishing messages via SMS in a new malicious campaign.

New smishing campaign targets US residents

A surge in spam messages sent to US residents has authorities concerned. Threat actors found a way to weaponize toll road operators, impersonating electronic tolling programs to send specially crafted phishing messages via SMS.

As usual with phishing campaigns, the messages instill a sense of urgency by threatening their recipients with hefty fines if they fail to pay the fabricated toll fees.

People who take the bait are instructed to hand out payment card details and supply a one-time password (OTP) from a mobile authenticator app or an SMS text.

Several toll programs in different states impersonated

According to recent reports, the new smishing (a combination of phishing and SMS messages) campaign has already targeted multiple electronic tolling services, including Massachusetts’ EZDriveMA, Florida’s SunPass, and North Texas’ Toll Authority.

As Krebs on Security reported, similar attacks have targeted residents of California, Colorado, Connecticut, Minnesota, and Washington, and possibly other states.

Threat actors specifically target mobile device users

It’s unclear whether a single mastermind coordinates the new smishing campaign or if several threat actors operate independently behind the spam message surge.

However, the threat’s origin point seems to revolve around a new feature implemented in an infamous commercial phishing kit sold in China.

Each report mentioned was filed shortly after the release of a new feature that lets perpetrators closely replicate the way toll operator websites appear on mobile devices.

Furthermore, the rogue pages crafted for the new smishing campaign are only designed to work for visitors on mobile devices.

Keeping smishing and other threats at bay

Dedicated security software like Bitdefender Mobile Security can help thwart cybercriminals by detecting and deterring smishing attempts and other intrusions.

It can protect your devices against viruses, worms, Trojans, spyware, ransomware, zero-day exploits, rootkits, and other digital threats.

Key features include continuous, comprehensive scanning, privacy protection modules, a built-in VPN, and robust scam protection technology. Bitdefender Mobile Security is available for both Android and iOS devices.

To further boost your protection against scams, Bitdefender’s Scamio can lend a helping hand. It can detect smishing attacks obfuscated in SMS texts, but also works for scams obscured in emails, text messages from social media, links, images, and QR codes.

Furthermore, it can detect scam attempts from given scenarios; describe the scam and Scamio will assess its perceived legitimacy.

Scamio is free and available on Facebook Messenger, WhatsApp, Discord and your web browser. You can also help others stay safe by sharing Scamio with them in France, Germany, Spain, Italy, Romania, Australia and the UK.