Imagine you’re heading out on a late summer road trip to see family or visit one of our nation’s beautiful state parks. You’ll probably take a direct route, which may mean paying tolls along the way. After your trip, you get a text message from an unrecognized number asking you to “click here” to pay overdue toll charges and avoid late fees.
Your first thought may be that Big Brother is watching your every move, but the situation is actually much worse than that. Cybercriminals don’t know if you actually took a trip or not. If you get one of these texts during peak travel seasons — like the summer or holidays — they can seem legitimate.
The Federal Trade Commission warns that almost all unpaid toll texts are part of a road toll ‘smishing’ scam that can bait you into giving bad actors access to your sensitive personal information, having your identity stolen or worse.
Aura
CNET’s best overall identity theft protection service
How do road toll smishing scams work?
Unpaid toll scams are on the rise, according to the FBI. The agency has received more than 2,000 complaints since March. Unpaid toll scams are classified as smishing, whereby bad actors use text messages and pretend to be a part of a company to extract your personal information.
The FBI says that texts sent by scammers use wording that may look something like this:
“(State Toll Service Name): We’ve noticed an outstanding toll amount of $12.51 on your record. To avoid a late fee of $50.00, visit https://myturnpiketollservices.com to settle your balance.”
Wolfgang Goerlich of IANS Research, a Boston-based cybersecurity research and advisory firm, says that smishing scams like this one are becoming more popular since people have shifted from calls to texting in everyday life. Since we’re accustomed to getting text updates about upcoming changes on a flight itinerary or a monthly payment being due, getting a text about unpaid tolls may appear innocent and even normal.
Bad actors also rely on creating a sense of urgency with toll road scams to lure victims into paying up, Michael Scheumack, chief innovation and marketing officer of identity theft protection service IdentityIQ, said. In the FBI example above, the scammer warns that late fees will be charged for non-payment.
For those who click on the link within the text, the scam can play out in different ways. Criminals might be trying to get a copy of your driver’s license, credit card information or both. Scheumack says they might also try to trick you into sharing sensitive personal data like usernames or passwords. In other scenarios, the fake link might download malware to your smartphone device, he said. Depending on how much data you provide, you could run the risk of having your identity stolen.
How to avoid falling for a road toll scam
You can’t always stop unwanted spam texts, but you can control how you respond to them. Here are some other tips from experts about how to avoid becoming a victim of toll smishing.
Slow down before acting
Toll road scam texts often convey a false sense of urgency. This tricks you into acting quickly before you even consider the possibility that it may be a scam.
“Scared people moving quickly make poor decisions, which is exactly what a scammer wants,” Goerlich said. “If a message makes you feel rushed or afraid, trust your intuition and stop responding.”
If you receive an unpaid toll text, it’s likely a scam
Toll agencies usually don’t send out random messages. Instead, they’re more likely to send you notices of unpaid tolls by regular mail, according to Dr. Zulfikar Ramzan, Aura‘s chief scientist and EVP of product and development.
If you’re curious if the text is real, the FTC recommends calling the state’s toll agency to inquire. Use a phone number or website you know is real, not the info from the text.
Don’t click on links
You should be wary of any links in the message, Ramzan said. If you think the link is legitimate, you can (and should) hover over to check the URL before you click.
“If the URL looks off or doesn’t match the official site, it’s likely a scam,” he said.
To play it safe, call the toll agency directly to take care of any unpaid tolls.
Keep an eye out for typos
Watch out for spelling mistakes or awkward phrasing in toll smishing scams and double-check the sender’s contact information using verifiable toll agencies or government websites. Toll scams are often filled with errors and likely contain incorrect contact information.
Typos are also commonly found in phishing emails as well, so get into the habit of carefully reviewing messages you receive to help avoid fraud.
What if I fall for the scam?
If you believe you have fallen for a toll road scam, there are steps you can take to limit potential damage. Your best course of action may depend on the information you shared, but you can consider doing some or all of the following:
- Contact your card issuer. If you shared your credit card number, expiration date and security code, call your credit card company using the number on the back of your card. They will likely respond by freezing your account or closing the compromised card and sending you a new one.
- Freeze your credit reports. If you shared your SSN and other personal identification, you should look into freezing your credit reports with the three credit bureaus — Equifax, Experian and TransUnion. This prevents identity thieves from opening new accounts in your name, and you can always temporarily unfreeze your reports if you need to apply for a new credit card or a loan.
- Check your credit reports. You should also check your credit reports for suspicious new accounts or information, which you can do for free at AnnualCreditReport.com. If you find anything incorrect on your credit reports, you can dispute these errors and have them removed.
- Sign up for identity theft protection. Also, consider signing up for identity theft protection and credit monitoring. These companies can oversee your financial accounts, credit reports and identity on your behalf and check the dark web for traces of your information. Many companies also offer identity theft insurance protection worth $1 million or more.
How to report toll smishing
The FTC says you should report toll-smishing messages before deleting them from your phone.
“Use your phone’s report junk option to report these unwanted texts to your messaging app or forward them to 7726 (SPAM),” the agency says.
The FBI also says you can report these texts to the Internet Crime Complaint Center. You can do this by sharing the phone number the text came from and the website sent in the text. This all helps the government and service providers in stopping fraudsters before they cause additional harm.