We now use our phones to pay for everything—almost; but sometimes that means serious risks that are difficult to spot before it’s too late...
New FBI warning over toll scams
Beware those devilish little SMS messages designed to fool you just long enough to click. Maybe your bank with an unrecognized transaction, or how about that late-running Amazon delivery, or FedEx trying to deliver a parcel, or even highway tolls.
That’s the latest warning from the FBI, whose Internet Crime Complaint Center (IC3) has received several thousand reports from users complaining about “smishing texts representing road toll collection service from at least three states.” The Bureau says this scam might now “be moving from state-to-state.”
The scam has been running since last month, with links designed to “impersonate the state's toll service name.” Other than that and different phone numbers, the wording of the fraudulent messages appears to be broadly the same:
“(State Toll Service Name): We've noticed an outstanding toll amount of $12.51 on your record. To avoid a late fee of $50.00, visit https://myturnpiketollservices.com to settle your balance.”
SMS scams such as this one, which mimic email phishing campaigns, are known as smishing attacks. And such crimes are surging. When the global telecoms industry gathered in Barcelona in February for Mobile World Congress, one headline session asked “Who will stop global SMS fraud? And how?”
The data is eye-watering—just in the US, mobile users lose more than $300m each year from SMS scams, with more than 400,000 malicious texts sent each day. Nearly half of all smartphone users now say they receive them.
The statistics go on and on. “4.8% of global messaging traffic is fraudulent,” ENEA warns, “with between 19.8 billion and 35.7 billion fraudulent messages sent in 2023… and brands incurring costs of $1.16 billion due to fraudulent messages.”
Meanwhile, Bitdefender says that not only are “SMS scams everywhere,” but “if you think new RCS messaging will offer any protection, you would be wrong; these types of scams will continue to spread regardless of the messaging standard used.” We saw this in Google’s recent warning to RCS users clicking links from unknown senders.
Preview of proposed Google Messages warning
“SMS is still as simple as when it was first delivered, yet its simplicity is what also makes it a prime target with fraudsters,” ESET’s cyber ambassador Jake Moore has said. “Unknown phone numbers connected to a text message are more likely to be accepted and have far more manipulation than a dodgy looking email address with the same content. It is surprising the technology is still so relied upon.”
The FBI suggests that those receiving such a text first check the toll company’s usual website and do not click through from the SMS. If you think you have actually been defrauded, you can file a report at www.ic3.gov.
Meanwhile, stick to the golden rules for SMS cyber safety:
- Never open an SMS from a brand you don’t use—just delete it
- Never click a link in an SMS unless you are expecting that very specifically—even then my advice would be to avoid all links
- If the message is from your bank or Amazon or Apple or another brand you use, then login the usual way and do not opt for the quick link provided
- Don’t leave suspect SMS messages in your inbox—delete them and then block the numbers to avoid any further messages
- Filter unknown senders if you can, to separate them from known traffic; and when you get OTPs or updates from your accounts, save the number
