E-ZPass toll payment texts return in massive phishing wave
An ongoing phishing campaign impersonating E-ZPass and other toll agencies has surged recently, with recipients receiving multiple iMessage and SMS texts designed to steal personal and credit card information.
The messages embed links that, if clicked, take the victim to a phishing site impersonating E-ZPass, The Toll Roads, FasTrak, Florida Turnpike, or another toll authority. The site attempts to steal their personal information, including names, email addresses, physical addresses, and credit card information.
This scam is not new, with the FBI warning about it in April 2024, but BleepingComputer has seen and received multiple reports of a surge in this mobile phishing campaign.
The text messages bypass anti-spam measures and come from seemingly random email addresses, which, combined with the scale of the attack, indicates an automated attack.
Scam texts seen by BleepingComputer pretend to be directly from E-ZPass or the Department of Motor Vehicles. The texts use language that conveys a sense of urgency, such as claiming that the toll needs to be paid in a day or two, or there will be an additional fee, or licenses will be suspended.
"Your toll payment for E-ZPass Lane must be settled by April 4, 2025. To avoid fines and the suspension of your driving privileges, kindly pay by the due date," reads an example scam text seen by BleepingComputer.

Apple iMessage automatically turns off links in messages from unknown senders to protect users from SMS phishing scams. To bypass this, the scammers tell users to reply to the text, which will make the links clickable.
Tapping on the provided link takes the victim to an E-ZPass phishing site, which, other than the URL, looks like a legitimate site. BleepingComputer tests determined that the phishing website only loads on mobile devices, so desktop users will not see it.
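The traits described above (email-address senders, toll-agency branding, deadline and penalty language, and a request to reply so the link becomes clickable) can be turned into a simple triage score for reported texts. The following is an added example, not code from BleepingComputer or any toll agency; the weights, threshold, sender values, reply wording, and the example.invalid URL are constructed assumptions.

```python
import re

# Indicators drawn from the article's description of the toll scam texts.
# Weights and THRESHOLD are illustrative assumptions, not tuned values.
INDICATORS = [
    ("toll_brand", 1, re.compile(r"e-?zpass|fastrak|toll roads|turnpike|\btolls?\b", re.I)),
    ("threat", 2, re.compile(r"suspen|\bfines?\b|additional fee|late fee", re.I)),
    ("deadline", 1, re.compile(
        r"\b(by|before|within)\s+(the due date|\d+\s+(days?|hours?)|[a-z]+ \d{1,2}\b)", re.I)),
    # iMessage disables links from unknown senders; a request to reply is the bypass.
    ("reply_to_enable_link", 3, re.compile(r"\breply\b[^.]{0,60}\b(link|open|activate)", re.I)),
    ("link", 1, re.compile(r"https?://\S+", re.I)),
]
EMAIL_SENDER = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
THRESHOLD = 5

def score_message(sender, body):
    """Return (score, matched indicator names) for one inbound text."""
    hits = [(name, weight) for name, weight, rx in INDICATORS if rx.search(body)]
    if EMAIL_SENDER.match(sender.strip()):
        # A "text" that arrives from an email address rather than a phone number.
        hits.append(("email_address_sender", 2))
    return sum(weight for _, weight in hits), [name for name, _ in hits]

def is_suspicious(sender, body):
    return score_message(sender, body)[0] >= THRESHOLD

# Constructed samples. The first sentence of SCAM is the text quoted in the
# article; the sender, reply instruction and URL are made up for the example.
SCAM = ("x7kq2@mail.example.invalid",
        "Your toll payment for E-ZPass Lane must be settled by April 4, 2025. "
        "To avoid fines and the suspension of your driving privileges, kindly pay "
        "by the due date. Reply Y to activate the link: https://ezpass.example.invalid/pay")
BENIGN = ("+15555550123",
          "Your E-ZPass monthly statement is ready. Sign in to your account "
          "on the official site to view it.")

if __name__ == "__main__":
    for sender, body in (SCAM, BENIGN):
        score, reasons = score_message(sender, body)
        print(f"{sender}: score={score} suspicious={score >= THRESHOLD} {reasons}")
```

A score like this is only a triage aid for sorting user reports; a high score does not replace checking the balance directly on the toll authority's own site.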

The volume of texts being sent in this scam is so large that users have been expressing their frustration over the frequency and persistence of these scam attempts, which sometimes reach up to 7 messages in a day.
Although the origin of the messages hasn't been determined yet, we recently reported on an emerging phishing-as-a-service platform named Lucid, which has been linked to these types of scams.
Platforms like Lucid and Darcula use encrypted iMessage and RCS messages to bypass traditional anti-spam filters and send large volumes of text without incurring the costs associated with standard SMS delivery.
If you receive one of these messages, you should block and report the number so that the email address or phone number is reported to Apple. However, as a general rule, you should avoid responding to these scams as they put you on the radar of the scammers for future attempts.
If you are concerned that you have legitimate outstanding payments, you should instead log in to your toll authority's site directly to check for any balances.
The FBI has previously advised recipients to file a complaint at the IC3 portal.