A text arrives claiming you owe an unpaid toll — $4.85, due immediately, or a $35 fine will be added. The link looks like an official toll agency portal. Your card details go into the form. Nothing is charged to your toll account because no toll exists. Your card number goes straight to the scammer. The entire transaction took under two minutes.
The toll road text scam — also called toll smishing — is a phishing attack delivered by SMS that impersonates a state toll authority, E-ZPass, SunPass, or similar electronic toll collection agency. Victims receive a text claiming they have an unpaid toll balance, typically a small amount between $3 and $15, and are warned that a substantially larger fine will be applied if payment is not made immediately through the provided link.
The FBI issued a public warning in 2024 after receiving over 2,000 complaints per month related to toll smishing campaigns. The attacks operate in waves across different states — scammers run campaigns targeting one region, then shift to another, maximizing the plausibility that recipients recently drove on toll roads in the referenced area. The campaigns are run by organized criminal groups who deploy identical infrastructure against multiple jurisdictions simultaneously, changing only the agency name and logo in the text message.
What makes this scam particularly effective is the specificity and plausibility of the pretext. Unlike a generic “your account has suspicious activity” message, a toll payment text references something concrete — a specific small dollar amount, a named agency, and a believable consequence. For drivers who regularly use toll roads and manage multiple payment methods, the message triggers action rather than skepticism.
Scammers send bulk SMS messages to phone numbers obtained from data broker lists, leaked databases, or randomly generated number pools. The messages are crafted to reference toll agencies operating in the recipient’s region — E-ZPass in the Northeast, SunPass in Florida, FasTrak in California, TxTag in Texas. Some campaigns are region-specific; others blast nationally using multiple agency names. The small claimed amount and fine threat are calibrated to produce fast, unthinking compliance.
The link leads to a fraudulent website designed to look exactly like the legitimate toll agency’s payment portal — copying logos, color schemes, fonts, and layout. The URL is the tell: it will contain words like “toll,” “ezpass,” or a state name, but will not match the agency’s actual domain. The fake site presents a payment form requesting full card number, expiration date, CVV, and billing address — everything needed to make fraudulent purchases.
Card details entered into the fake form are transmitted instantly to the scammer’s server. In many cases the form appears to process a payment — returning a “payment successful” message to reduce suspicion and prevent the victim from alerting their bank. The scammer now has a complete card profile usable for online purchases, dark web resale, or further fraud. Some operations also collect the victim’s name and address, enabling full identity profile construction.
Captured card details are used immediately — within minutes of collection in some operations — for online purchases before the victim thinks to check their statements or cancel the card. Details not used immediately are sold on dark web card marketplaces. Phone numbers that responded to the text (by clicking) are identified as active and valuable, and may be targeted with follow-on scams including additional phishing texts and voice calls.
If you receive a toll payment text and want to verify whether you have a genuine unpaid balance, open your browser and type your toll agency’s official URL directly — for example, ezpass.com, sunpass.com, or your state DOT’s official site. Log into your actual account and check your balance there. If there is no unpaid toll, the text was fraudulent. The link in the text is the only attack vector — if you never click it, the scam fails completely regardless of how convincing the message looks.
SMS messages have a significantly higher open rate than email — industry figures consistently show over 90% of texts are read within minutes of receipt, compared to under 30% for email. Spam filters are mature and effective for email; SMS has no equivalent filtering infrastructure. These factors make SMS an increasingly preferred phishing channel. The toll road scam is one of several high-volume smishing campaigns — package delivery texts, bank fraud alerts, and government benefit notifications use the same infrastructure and targeting approach.
Sophisticated toll smishing campaigns use location data from data broker profiles to send state-specific messages — targeting Florida residents with SunPass texts, California residents with FasTrak texts. This localization increases plausibility significantly: a Florida driver receiving a SunPass text is far more likely to believe it is genuine than the same driver receiving a text referencing an unfamiliar out-of-state agency. The targeting data comes from commercially available consumer profiles that include residential state and vehicle ownership indicators.
Toll text scammers and other smishing operations purchase consumer data — including phone numbers, location, and vehicle ownership signals — from data brokers before launching campaigns. The more of your data that’s publicly available, the more targeted the attack. Find out what’s already out there about you.
