A New Jersey commuter who drives the Turnpike five days a week got a text in April about a $6.99 unpaid toll. The logo said E-ZPass. The payment page matched the colors she sees every time she reloads her account. She entered her debit card number, hit submit, and within two hours her bank flagged three unauthorized charges totaling more than $1,400. The toll was invented. The website was a clone. And her experience is playing out, with minor variations, tens of thousands of times a month across the country.
Toll-road smishing, the term investigators use for SMS-based phishing tied to fake toll notices, has become the fastest-growing form of government imposter fraud in the United States. The Federal Trade Commission reported in May 2026 that government imposter scam losses climbed 40% during 2025, reaching $3.5 billion, and identified fake toll texts as a primary driver of that surge. The FBI’s Internet Crime Complaint Center had already logged more than 2,000 toll-related complaints by early 2024, a number the bureau called a small fraction of actual incidents because most people who receive these messages never file a report. By mid-2026, security researchers and state attorneys general describe the volume as orders of magnitude larger.
How a $6 toll text turns into identity theft
The playbook is remarkably consistent from coast to coast. A driver receives an SMS claiming a small balance is overdue, usually between $4 and $12. The message warns of penalties, sometimes referencing license suspension or legal action, and sets a tight deadline, often 48 hours or less. Because millions of Americans pass through cashless toll gantries without giving it a second thought, a surprise charge feels entirely plausible. The low dollar amount is strategic: it is small enough that many people would rather pay than investigate.
One detail makes the scam especially effective on iPhones. Many messages instruct the recipient to reply with the letter “Y,” mimicking the confirmation prompts people are used to getting from doctors’ offices, delivery services, and appointment reminders. On iMessage, that reply can elevate the conversation’s trust level, turning subsequent links from grayed-out text into tappable blue hyperlinks. A follow-up message then delivers a shortened URL leading to a cloned payment portal.
Those fake sites are polished enough to fool careful users. The Colorado Department of Transportation’s ExpressToll program warned that scammers are replicating ExpressToll and EZ Pass branding down to the logo, fonts, and color palette. California Attorney General Rob Bonta noted that both the texts and the linked pages can appear indistinguishable from official communications. In New York, Governor Kathy Hochul flagged imitation websites targeting E-ZPass and toll-by-mail customers. The Massachusetts Department of Transportation issued a separate alert stressing that EZDriveMA never collects tolls through unsolicited texts. The common thread across every state warning: the fakes are getting better faster than most consumers realize.
Once on the spoofed page, victims are prompted for their full name, billing address, and credit or debit card details. Some versions also request a driver’s license number or ask for login credentials to “verify your account,” which can hand scammers direct access to real toll accounts with stored payment methods. Stolen data is then resold on dark-web marketplaces, used for fraudulent purchases, or leveraged to open new lines of credit in the victim’s name.
Why the numbers keep climbing
Cashless tolling has expanded rapidly. More than 30 states now operate some form of electronic toll collection, which means a growing share of drivers regularly receive legitimate digital notices and are conditioned to trust them. That expanding footprint gives scammers a larger target population every year, and they do not need to know whether a recipient actually drove through a toll plaza. They just need the recipient to believe it is possible.
At the same time, commercially available phishing kits have collapsed the technical barrier. Security researchers have documented ready-made toolkits, some traced to overseas fraud networks, that let operators spin up convincing toll-agency clones in minutes. The kits come loaded with region-specific logos and can auto-detect a target’s area code to serve the correct state branding. A scammer with no coding ability can launch a campaign for the cost of a few hundred bulk SMS messages.
The FTC’s broader fraud data underscores the environment. Total reported losses across all scam categories reached $12.5 billion in 2024, and the 40% spike in government imposter losses during 2025 signals that criminals view public-agency impersonation as especially profitable. The FBI noted that the originating phone numbers in toll texts rotate constantly, cycling through disposable SIMs and internet-based messaging services, which renders traditional caller-ID blocking largely useless.
Wireless carriers have rolled out filtering tools, including T-Mobile’s Scam Shield and AT&T’s ActiveArmor, but the sheer volume and rapid number rotation of toll smishing campaigns means many texts still slip through. No carrier has publicly claimed to block a majority of these messages, and consumer advocates say the gap between filtering capability and scam volume continues to widen.
Who is being held accountable
As of June 2026, no major U.S. prosecution has been publicly announced specifically targeting a toll smishing ring. Law enforcement officials say the challenge is jurisdictional: the text messages often originate from overseas numbers or internet-based messaging platforms, the spoofed websites are hosted on servers outside U.S. borders, and the stolen data moves quickly through layered resale networks. The FBI and FTC have acknowledged that enforcement has not kept pace with the scale of the fraud. Consumer reports filed at ReportFraud.ftc.gov and ic3.gov remain the primary tools investigators use to map scam infrastructure, identify hosting providers, and build cases, but translating that intelligence into arrests has proven slow. For now, the absence of high-profile prosecutions means the financial risk for scammers remains low relative to the payoff.
What to do if you get one of these texts
Every agency that has issued guidance on toll smishing agrees on the core advice: do not tap the link, do not call any number embedded in the message, and do not reply, not even with “STOP.” Instead, go directly to your toll provider’s website by typing the address into a browser or using a bookmark you saved previously. If you are unsure whether you owe a balance, call the customer service number printed on a past paper invoice or displayed on roadway signage.
The FTC reinforced this in a January 2025 consumer alert, advising that any unexpected text about a small unpaid toll is likely part of a smishing campaign. The agency recommended taking a screenshot for your records before deleting the message.
Drivers who already entered information on a suspicious site should move fast. Contact your bank or card issuer to cancel the compromised card and dispute any unauthorized charges. Place a fraud alert or credit freeze with Equifax, Experian, and TransUnion. Monitor account statements closely for at least 90 days. File a report with the FTC at ReportFraud.ftc.gov and with the FBI’s IC3 at ic3.gov. Those reports feed the databases investigators use to map scam infrastructure and pursue takedowns.
Every new toll lane is another opening for smishing
What makes toll smishing so durable is that it rides the same infrastructure shift states are betting on. Every new cashless gantry, every paper-invoice phaseout, and every toll-app download widens the pool of people conditioned to expect a digital bill. Criminals do not need precision. They need volume and plausibility, and American roads are supplying both.
Until tolling agencies adopt stronger sender-verification standards, such as registering official short codes and supporting RCS-based identity checks, and until carriers deploy more aggressive filtering, the most reliable defense remains the simplest one: if a text about a toll you do not remember comes with a link you did not request, delete it. The six dollars they are asking for was never real. The credit card number you type in is.
