News
E-ZPass Phishing Scams Surge as Scammers Target Drivers Through iMessage and SMS
A flood of scam texts mimicking toll agencies like E-ZPass and FasTrak is hitting phones across the U.S., as fraudsters ramp up efforts to steal personal and financial information.
The wave of phishing messages has reached a new level of persistence. Victims report receiving several messages a day, often filled with fake urgency about overdue tolls or threatened license suspensions. And these aren’t your typical spam — they’re cleverly designed, bypassing anti-spam filters and using official-sounding language to reel in unsuspecting users.
Scammers Are Getting Smarter, and More Aggressive
What’s scary isn’t just the content — it’s how slick the whole thing is. Messages look like they’re from E-ZPass or even the DMV. They hit your phone with statements like, “Your toll payment must be settled by April 4, 2025,” and throw in threats of suspended driving privileges to push you to click.
And they don’t stop at one. Some users report getting up to seven of these messages in a single day.
These aren’t just regular SMS blasts either. Most of them are sent using encrypted messaging like iMessage or RCS, which not only masks the sender but helps evade standard filters that would normally catch this stuff.
Why This Scam Works — and Keeps Growing
Let’s be real: most of us have used toll roads, and most of us don’t keep tabs on every single bill. That’s what makes this scam hit so hard. It feels plausible.
Scammers are exploiting that uncertainty — and they’ve made some technical tweaks too. The messages now:
-
Come from random email addresses, making them harder to trace.
-
Prompt users to reply so that iMessage enables clickable links.
-
Direct you to fake websites that look nearly identical to the real thing — only the URL gives them away.
This phishing page doesn’t even load on a desktop. It’s mobile-only. Which, honestly, is a smart move on the scammers’ part — most people open texts on their phones anyway.
The Toll of a Growing Phishing-as-a-Service Market
There’s another layer to all this — a darker one. These scams aren’t just one-off efforts by solo cybercriminals. They’re part of something bigger.
Security researchers have tied some of these messages to platforms like Lucid and Darcula — services that specialize in phishing-as-a-service (PhaaS). Think of them like the Shopify for scammers: offering templates, tools, and messaging systems to bad actors.
These platforms are built to:
-
Automate massive message blasts.
-
Send encrypted messages that avoid carrier fees.
-
Help scammers track engagement and responses.
A recent report linked Lucid to similar campaigns, though no direct confirmation ties them to this E-ZPass wave. Still, the mechanics are strikingly similar.
FBI Raised the Alarm Last Year, But It’s Not Slowing Down
This scam isn’t exactly new. The FBI flagged it in April 2024, issuing guidance for people who might receive suspicious toll messages. But here’s the thing — despite the warning, it’s worse now.
Part of the issue? These messages keep changing. The urgency, the phrasing, even the toll agency being impersonated — all of it shifts constantly. It’s hard to pin down, and even harder to block.
Here’s what a few real examples look like, according to reports from BleepingComputer:
-
“You have an unpaid toll balance. Failure to pay by 04/04/25 will result in license suspension.”
-
“E-ZPass: Pay now to avoid late fees. Click the secure link.”
Even the URLs are crafted to mimic toll authority sites, swapping in slight changes that are easy to miss if you’re scanning quickly.
How to Protect Yourself — and What to Avoid Doing
If you get one of these messages, don’t panic — but don’t interact with it either. The FBI recommends filing a complaint at IC3.gov, but there are also some quick practical steps you can take right away.
First things first, don’t reply. Responding, even to say “Stop,” just confirms your number is active.
Here’s what cybersecurity experts say you should do:
-
Block the number or email address.
-
Report it to Apple if it came via iMessage.
-
Delete the message without clicking anything.
-
Check your actual toll account by logging into the official site directly.
Just for context, here’s a quick comparison of scam signs vs legit toll agency texts:
| Feature | Scam Texts | Real Toll Agency Messages |
|---|---|---|
| Sender | Random email or unknown contact | Official toll agency or short code |
| Link URL | Suspicious domain (e.g., ezpass-pay.net) | Verified domain (e.g., ezpassny.com) |
| Language | Threatening, urgent | Informative, clear |
| Response Prompt | Asks for replies to activate links | No replies needed |
So Why Hasn’t It Been Stopped Yet?
The short answer? It’s complicated. The scammers are exploiting the way modern messaging platforms are built.
iMessage, for instance, disables links from unknown senders — but if you respond, the app assumes you trust them. That’s how the link suddenly becomes clickable. It’s a loophole, and the bad guys know it.
There’s also the fact that encrypted messaging means these campaigns are tougher to trace. Unlike old-school SMS scams, there’s no easy digital breadcrumb trail for telecoms or law enforcement to follow.
One cybersecurity analyst BleepingComputer spoke to summed it up: “They’re organized, they’re evolving, and the barrier to entry has never been lower.”
