Toll Road Text Scam
A text arrives claiming you owe an unpaid toll — $4.85, due immediately, or a $35 fine will be added. The link looks like an official toll agency portal. Your card details go into the form. Nothing is charged to your toll account because no toll exists. Your card number goes straight to the scammer. The entire transaction took under two minutes.
What Is the Toll Road Text Scam?
The toll road text scam — also called toll smishing — is a phishing attack delivered by SMS that impersonates a state toll authority, E-ZPass, SunPass, or similar electronic toll collection agency. Victims receive a text claiming they have an unpaid toll balance, typically a small amount between $3 and $15, and are warned that a substantially larger fine will be applied if payment is not made immediately through the provided link.
The FBI issued a public warning in 2024 after receiving over 2,000 complaints per month related to toll smishing campaigns. The attacks operate in waves across different states — scammers run campaigns targeting one region, then shift to another, maximizing the plausibility that recipients recently drove on toll roads in the referenced area. The campaigns are run by organized criminal groups who deploy identical infrastructure against multiple jurisdictions simultaneously, changing only the agency name and logo in the text message.
What makes this scam particularly effective is the specificity and plausibility of the pretext. Unlike a generic “your account has suspicious activity” message, a toll payment text references something concrete — a specific small dollar amount, a named agency, and a believable consequence. For drivers who regularly use toll roads and manage multiple payment methods, the message triggers action rather than skepticism.
How the Toll Text Scam Works — Step by Step
Mass SMS Deployment
Scammers send bulk SMS messages to phone numbers obtained from data broker lists, leaked databases, or randomly generated number pools. The messages are crafted to reference toll agencies operating in the recipient’s region — E-ZPass in the Northeast, SunPass in Florida, FasTrak in California, TxTag in Texas. Some campaigns are region-specific; others blast nationally using multiple agency names. The small claimed amount and fine threat are calibrated to produce fast, unthinking compliance.
The Fake Payment Portal
The link leads to a fraudulent website designed to look exactly like the legitimate toll agency’s payment portal — copying logos, color schemes, fonts, and layout. The URL is the tell: it will contain words like “toll,” “ezpass,” or a state name, but will not match the agency’s actual domain. The fake site presents a payment form requesting full card number, expiration date, CVV, and billing address — everything needed to make fraudulent purchases.
Card Data Harvesting
Card details entered into the fake form are transmitted instantly to the scammer’s server. In many cases the form appears to process a payment — returning a “payment successful” message to reduce suspicion and prevent the victim from alerting their bank. The scammer now has a complete card profile usable for online purchases, dark web resale, or further fraud. Some operations also collect the victim’s name and address, enabling full identity profile construction.
Follow-On Fraud
Captured card details are used immediately — within minutes of collection in some operations — for online purchases before the victim thinks to check their statements or cancel the card. Details not used immediately are sold on dark web card marketplaces. Phone numbers that responded to the text (by clicking) are identified as active and valuable, and may be targeted with follow-on scams including additional phishing texts and voice calls.
Red Flags in a Toll Payment Text
- The URL in the text does not match the toll agency’s official domain — any domain other than the agency’s verified address is fraudulent regardless of how convincing it looks.
- The text arrived unsolicited and you have no memory of recently driving on the referenced toll road.
- The message threatens an immediate fine within hours — legitimate toll agencies send notices by mail with reasonable response windows, not SMS countdown threats.
- The sender number is an unknown 10-digit number or appears to come from overseas — legitimate agency short codes are consistent and verifiable.
- The text creates urgency: “Pay now to avoid penalty” or “Final notice before fine escalation” — manufactured urgency is designed to bypass verification instincts.
- The payment form asks for your full card details — legitimate toll payment updates are made through your existing registered account, not through a card entry form reached via a text link.
💡 The Complete Defense: Never Click — Always Navigate Directly
If you receive a toll payment text and want to verify whether you have a genuine unpaid balance, open your browser and type your toll agency’s official URL directly — for example, ezpass.com, sunpass.com, or your state DOT’s official site. Log into your actual account and check your balance there. If there is no unpaid toll, the text was fraudulent. The link in the text is the only attack vector — if you never click it, the scam fails completely regardless of how convincing the message looks.
The Broader Smishing Landscape
Why smishing has surpassed email phishing in volume
SMS messages have a significantly higher open rate than email — industry figures consistently show over 90% of texts are read within minutes of receipt, compared to under 30% for email. Spam filters are mature and effective for email; SMS has no equivalent filtering infrastructure. These factors make SMS an increasingly preferred phishing channel. The toll road scam is one of several high-volume smishing campaigns — package delivery texts, bank fraud alerts, and government benefit notifications use the same infrastructure and targeting approach.
State-specific targeting
Sophisticated toll smishing campaigns use location data from data broker profiles to send state-specific messages — targeting Florida residents with SunPass texts, California residents with FasTrak texts. This localization increases plausibility significantly: a Florida driver receiving a SunPass text is far more likely to believe it is genuine than the same driver receiving a text referencing an unfamiliar out-of-state agency. The targeting data comes from commercially available consumer profiles that include residential state and vehicle ownership indicators.
Smishing Campaigns Buy Your Phone Number Before They Text You
Toll text scammers and other smishing operations purchase consumer data — including phone numbers, location, and vehicle ownership signals — from data brokers before launching campaigns. The more of your data that’s publicly available, the more targeted the attack. Find out what’s already out there about you.
Check Your Data Broker Exposure Free →What To Do If You Entered Card Details on a Fake Toll Site
- Call your card issuer immediately and report that your card details were entered on a fraudulent website — request a new card number before any unauthorized charges appear.
- Monitor your card statements closely for the next 30 days and dispute any unauthorized charge immediately when it appears.
- Report the fraudulent URL to the FTC at reportfraud.ftc.gov and to the FBI at ic3.gov — include the full URL of the fake site and the sending phone number.
- Forward the original text message to 7726 (SPAM) — this reports it to your mobile carrier’s fraud team for number blocking and pattern tracking.
- Report to the legitimate toll agency whose name was used — E-ZPass, SunPass, and other agencies maintain fraud reporting channels and actively work to take down impersonation sites.
- If you also entered your address and personal details, consider placing a fraud alert with the credit bureaus as a precautionary measure against identity theft.