The message that landed on a New Jersey commuter’s phone last spring looked like any routine toll notice: “Your E-ZPass account has an unpaid balance of $6.99. To avoid a $50 late fee, pay immediately.” A link followed. It felt mundane enough to tap without thinking. That was the point. The commuter entered a credit card number, and within hours, fraudulent charges began appearing on the account. Across the country, millions of drivers have received nearly identical texts, and not one of them has come from a real toll agency.
Federal agencies now rank fake toll messages among the fastest-spreading fraud tactics in the United States. The FBI’s Internet Crime Complaint Center published a public warning in April 2024 after logging more than 2,000 complaints since the previous month, and officials said the true volume was almost certainly far higher because most people delete suspicious messages without reporting them. By mid-2025, state attorneys general and transportation departments from coast to coast had issued their own alerts, a clear sign the campaign has only accelerated.
How the scam works
The playbook is remarkably consistent. A driver receives an unsolicited text referencing E-ZPass, SunPass, or a state turnpike authority. The message claims a small unpaid balance, typically under $15, and warns of late fees, license suspension, or account closure if payment is not made quickly. A link directs the recipient to a website built to look like an official toll portal, complete with agency logos and a payment form.
Once a victim enters a credit card number, the scammers have what they need. Some phishing pages also request driver’s license numbers or login credentials, giving criminals enough data to open new accounts or commit identity theft. The FBI notes that certain links may install malware on a phone, turning a single tap into ongoing surveillance of the device.
What makes these messages so effective is their ordinariness. Millions of Americans use electronic tolling, and a small unpaid charge is a plausible nuisance. The texts often include realistic-looking invoice numbers or partial license plate details, which can make even cautious drivers pause before dismissing them. Scammers typically send the messages in bulk to randomly generated phone numbers, meaning recipients do not need to have a toll account at all to be targeted.
The bigger picture: imposter fraud by the numbers
Toll smishing is one thread in a much larger pattern. The Federal Trade Commission reported that Americans lost more than $12.5 billion to fraud in 2024, up from $10 billion the year before. Imposter scams, the category that includes fake toll texts, remained the single most reported fraud type. The FTC’s 2023 data put imposter-fraud losses at $3.5 billion in reported losses that year alone, and the agency’s 2024 figures indicate the problem has continued to grow.
Toll-related texts are not broken out as a separate line item in federal data, so there is no precise dollar figure for this specific scheme. But the FTC’s January 2025 consumer alert about fake toll messages signals that the agency considers the threat significant enough to warrant a standalone warning, something it reserves for scams generating unusually high complaint volume.
Where the texts are hitting hardest
Early FBI reports flagged victims in at least three states, and the wave of state-level warnings since then suggests the heaviest concentration along the toll-dense East Coast corridor. New York Governor Kathy Hochul issued a public alert after residents reported a surge of E-ZPass-themed messages. Delaware’s Department of Transportation reminded drivers that its toll program never sends unsolicited texts or emails demanding immediate payment. Virginia’s DMV urged residents to delete suspicious toll notices outright.
The scam is not confined to the Northeast. Transportation agencies in Florida, Texas, Colorado, and other states with electronic tolling have posted similar warnings in recent months. Cybersecurity firm Resecurity and other researchers have documented ready-made phishing kits, sold on underground forums and often built by Chinese-speaking developers, that let low-skill operators customize messages for virtually any toll brand or region. That plug-and-play infrastructure helps explain how the campaign has scaled so quickly across state lines.
What officials still do not know
As of June 2025, several important questions remain unanswered. No federal agency has published loss figures specific to toll smishing, making it impossible to separate this scam’s financial damage from the broader imposter-fraud total. The FBI’s 2,000-complaint figure dates to April 2024 and has not been publicly updated, even though the volume of state-level warnings strongly suggests the number has grown substantially.
The technical side is equally murky. It is unclear how effectively wireless carriers are filtering toll-related phishing texts before they reach consumers. The FCC’s STIR/SHAKEN framework, a system designed to verify that calls and messages actually come from the number they claim to come from, was built primarily for voice calls. Whether carriers are adapting it to flag suspicious SMS traffic has not been publicly disclosed. Without that transparency, drivers have no way to gauge whether their carrier is catching most of these messages or letting them sail through.
Prosecution remains another gap. No major federal case targeting a toll-smishing ring has been publicly announced, and the decentralized, often overseas nature of the operations makes traditional law enforcement difficult.
How to protect yourself right now
Every major toll agency and federal regulator agrees on the core advice: do not tap links in unsolicited toll texts. If you think you might actually owe a balance, open a browser and go directly to your toll agency’s official website or app. You can also call the customer service number printed on a past statement or on the back of your transponder.
Beyond that, a few extra steps can limit your exposure:
- Forward the suspicious text to 7726 (SPAM). This sends it to your wireless carrier’s abuse team, which uses the data to improve filtering.
- Report it to the FBI. File a complaint at ic3.gov, the Internet Crime Complaint Center’s portal. Include the phone number the text came from and the URL in the message.
- Check your credit card statements. If you did click a link and enter payment information, contact your card issuer immediately to dispute charges and request a new card number.
- Freeze your credit if personal data was exposed. A freeze at Equifax, Experian, and TransUnion is free and prevents new accounts from being opened in your name.
Why the burden still falls on drivers
Toll agencies say they are working to make their legitimate communications more recognizable, but until carriers, regulators, and law enforcement close the gaps described above, the responsibility to spot these fakes rests largely with the people receiving them. The simplest rule holds: if a text about a toll balance surprises you, treat it as suspicious until you can verify it through a channel you trust. A $6.99 toll is easy to ignore. A stolen credit card number is not.
