The text message looked routine: a $4.15 unpaid toll, a link to settle it, and a warning about a $50 late fee. Scenarios like this one play out thousands of times a week across the United States. What follows is anything but routine. The link leads to a fake payment portal that siphons credit card numbers and banking credentials, and within hours, victims can find their accounts drained by strangers they never spoke to. (This example is a composite drawn from FTC consumer alerts, not a single named case.)
Toll-text phishing is just one thread in a much larger problem. Imposter scams of all kinds drove $3.5 billion in reported losses during 2025, according to Federal Trade Commission complaint data explored through the agency’s public Consumer Sentinel database. That marks roughly a 20 percent increase from the prior year and reflects more than one million individual fraud complaints filed with the agency.
Fidelity Investments has raised a broader alarm. On its fraud-awareness page, the firm warns consumers about a range of scam types and points to an industry-wide loss figure it characterizes as reaching $15 billion annually when investment fraud, romance scams, account takeovers, and imposter schemes across the financial sector are counted together. (Fidelity does not name a single source report for that aggregate; it appears to reflect the firm’s own cross-category estimate.) That number dwarfs the FTC’s imposter-scam subset because it spans categories the commission tracks separately, but the direction is the same: fraud is scaling faster than the systems built to stop it.
Why the scams are working so well
Two shifts in technology have turned small-time cons into industrial operations.
The first is automated smishing: the mass delivery of fraudulent text messages from spoofed phone numbers. Spam-tracking firms such as RoboKiller publish periodic estimates suggesting that scam operations can push enormous volumes of spoofed texts per day, with some analyses placing the figure in the range of 100,000 messages daily, using cheap, cloud-based messaging platforms. (Exact methodology and reporting periods vary by release, and no single dated report is available for independent verification.) The messages are short, plausible, and engineered to trigger a quick tap before the recipient thinks twice.
The second is AI-powered voice cloning. In January 2023, Microsoft researchers published a paper on a system called VALL-E that could reproduce a person’s voice from just three seconds of recorded audio. It was a research demo, not a consumer product, but the underlying technique spread fast. Open-source cloning tools now let anyone with a laptop generate a convincing replica of someone’s voice from a short clip scraped off social media. A McAfee survey published in May 2023 (“The Artificial Imposter”) found that one in four adults globally had already encountered an AI voice scam or knew someone who had. By mid-2026, the technology is cheaper, faster, and deeply embedded in scam playbooks.
These tools work in tandem. A smishing text harvests a victim’s phone number and basic account details. A follow-up voice call, using a cloned voice or a spoofed caller ID that matches a real bank, pressures the victim into transferring funds or reading out a one-time passcode. The entire sequence, from first text to emptied account, can unfold in under an hour.
The toll-text scheme up close
Among the specific scams the FTC has flagged, toll-related phishing texts stand out for their simplicity and scale. The messages claim the recipient owes a small unpaid highway toll and include a link to a fake payment portal. Because the amount is trivial, often under $10, many people pay without a second thought. The real damage comes after: the phishing site captures credit card numbers, banking credentials, or both, opening the door to unauthorized charges and full account takeovers.
The scheme exploits three psychological levers at once. The sender appears to be a government or tolling authority, lending false legitimacy. The alleged late fee creates urgency. And the payment page mimics the look and feel of a real billing system, reducing the friction that might otherwise make someone pause. For drivers who use electronic toll systems daily, the message blends seamlessly into routine notifications.
What the official numbers miss
The FTC’s $3.5 billion figure, drawn from its Consumer Sentinel complaint database, is the most widely cited public benchmark for imposter-scam losses. But the agency has repeatedly acknowledged that it captures only a fraction of actual fraud. Many victims never file a report, whether out of embarrassment, confusion about where to complain, or resignation that the money is gone.
That reporting gap helps explain why industry estimates run so much higher. When Fidelity and other financial institutions tally fraud across all categories, including investment scams, synthetic identity fraud, and unauthorized account access, the aggregate reaches into the tens of billions. The numbers are not contradictory; they measure different slices of the same problem. But the distance between $3.5 billion and $15 billion underscores how much fraud activity falls outside any single agency’s view.
Payment methods have shifted in ways that make recovery harder, too. FTC data show that scammers increasingly steer victims toward peer-to-peer payment apps like Zelle and Venmo, gift cards, and cryptocurrency, all channels where transactions are near-instant and difficult or impossible to reverse. Traditional credit card chargebacks, once a reliable safety net, are irrelevant when the money never touches a card network. And while some banks have begun voluntarily reimbursing certain peer-to-peer scam losses under pressure from regulators and lawmakers, policies vary widely, and many victims are still told the transfer was “authorized” and therefore not eligible for a refund.
How to protect yourself right now
No single step eliminates the risk, but layered precautions make a real difference. Security professionals and the FTC recommend the following:
- Never pay from a link in a text. If you receive a toll notice, parking ticket, or bank alert via text, go directly to the official website by typing the URL into your browser or calling the number on your physical card or statement.
- Set a family verification word. Choose a code word that only your household knows. If someone calls claiming to be a relative in distress, ask for the word before sending money. AI can clone a voice, but it cannot guess a secret passphrase.
- Enable multi-factor authentication on every financial account. A one-time passcode sent to your phone is better than a password alone, but an authenticator app or a hardware security key is stronger still.
- Freeze your credit. A credit freeze at Equifax, Experian, and TransUnion is free and prevents anyone from opening new accounts in your name. You can lift it temporarily whenever you need to apply for credit.
- Report immediately. File a complaint at reportfraud.ftc.gov. If personal information was compromised, start a recovery plan at identitytheft.gov. Spanish-speaking consumers can access equivalent resources at consumidor.ftc.gov.
Why early disengagement is the strongest defense available
Regulators are working the problem, but the gap between enforcement and innovation keeps widening. The FTC has ramped up actions against companies that facilitate robocall and robotext campaigns. The Federal Communications Commission has pushed carriers to implement STIR/SHAKEN, a caller-ID authentication protocol designed to flag spoofed numbers. But scammers adapt quickly, rotating through disposable phone numbers and overseas messaging platforms that sit beyond U.S. jurisdiction.
Financial institutions are investing in their own defenses. Fidelity and several large banks have rolled out real-time transaction monitoring that flags unusual withdrawal patterns and, in some cases, delays outbound transfers long enough for a human review. Yet these systems are only as strong as the behavioral models behind them, and scammers who coach victims to confirm transactions voluntarily can slip past automated checks.
For now, the most effective firewall is an informed person on the other end of the phone. Fraud-prevention experts and consumer advocates consistently note that people who recognize a scam attempt and disengage early, hanging up, deleting the text, refusing to click, almost always avoid financial loss. The harder task is reaching the millions of Americans who have not yet received a convincing smishing text or heard a cloned voice on the line, and making sure they know what to do before that moment arrives.
