CallTracer

Article

That "unpaid toll" text is a scam — how the E-ZPass smishing wave works

Fake "unpaid toll" texts impersonating E-ZPass, SunPass and FasTrak are surging across the US. Here's how the scam actually works — and how to spot one in five seconds.

T

The CallTracer team

· 4 min read

Share All articles
That "unpaid toll" text is a scam — how the E-ZPass smishing wave works

You glance at your phone and there it is:

"Your vehicle has an unpaid toll of $4.35. Pay now to avoid a late fee of $75."

It comes from a random number. The link looks almost like E-ZPass, or SunPass, or FasTrak — whichever toll authority is common where you live. The amount is small. The warning is loud. For a split second, most people actually try to remember whether they drove through a toll last Tuesday.

Every single one of these texts is a scam. Every one, including the ones that correctly name the toll authority for your state.

The shape of the wave

Toll smishing — SMS phishing that impersonates a toll operator — started as a regional nuisance a couple of years ago and went national fast. Federal consumer warnings followed. The FBI's Internet Crime Complaint Center has logged tens of thousands of reports, and the FTC keeps issuing fresh alerts as new templates spread.

The mechanics are simple. One operator blasts the same lure to huge blocks of phone numbers, often through cheap overseas SMS gateways or freshly rotated VoIP lines. They don't care that only a small fraction of recipients actually drive on toll roads. They only need a few people to click.

The URL is the tell

Look at the link the text wants you to visit. Real toll authorities use boring, well-established domains — ezpassnj.com, sunpass.com, thetollroads.com. Smishers can't register those, so they improvise:

  • ezpass-toll[.]vip
  • sunpass-billing[.]top
  • usps-service-toll[.]xin
  • tollpay-account[.]cc

The giveaway is usually the top-level domain. Legitimate US toll authorities live on .com or .gov. If the text wants you to visit anything ending in .top, .xin, .vip, .icu, or a country code you don't recognize, it's a scam. Full stop.

The landing pages look convincing. They copy the real authority's logo, colors, and layout, then ask for your name, billing address, and a payment card. Some go further and ask for the one-time passcode your bank texts you when the card is charged, which lets the operator rebill it indefinitely.

Why it works so well

Two reasons. First, toll violations are a real thing. Most of us have occasionally missed a scan and paid a small fine after the fact, so the premise doesn't feel absurd. Second, the dollar amount is tiny. Your brain does a quick calculation: five bucks now versus seventy-five later — just pay it and move on.

The smaller the number, the faster you click. That is the entire psychology of the scam.

Five seconds is all you need

Before you tap anything in a toll text, do this:

  1. Don't tap the link. Not even to "see what happens." Confirming a human read the message is valuable to the operator; your number gets upgraded to a hot list.
  2. Check the real site directly. Open your browser and type the toll authority's name into a search engine. Log in there. If you actually have an unpaid toll, it will be on your account. You won't find it, because you don't.
  3. Look at the sender. Real toll authorities text from short codes (five- or six-digit numbers) that they publish on their official websites. A random ten-digit or international number is not them.
  4. Forward the text to 7726. That's the universal SPAM reporting short code in the US. Your carrier uses these reports to block numbers and take down campaigns. It costs you nothing and takes three seconds.
  5. Delete and move on. Don't reply, not even "STOP." Replying confirms the number is live, which only buys you more of the same.

If you already clicked

If you only opened the page and didn't type anything, close the tab and you're almost certainly fine. If you entered card details, call the number on the back of your card and freeze it now. If you entered a one-time passcode from your banking app, assume the account is compromised and walk through a full reset with your bank.

The costume keeps changing

Toll smishing will mutate. When "unpaid toll" burns out, the same operators move to "undelivered package," "missed court date," or whatever lure tests well that week. The URL tricks and the pressure tactics stay the same; only the costume changes.

If a text arrives from a number you don't recognize and you're not sure what to make of it, you can look the number up in a few seconds. That small habit — verify before you tap — is what defangs the whole category.

T

Written by

The CallTracer team

The CallTracer team writes about phone scams, spam trends, and the intelligence behind every lookup.

Keep reading

More from the journal

All articles →

Why you keep getting "wrong number" texts from strangers

A 'Sorry, wrong number' text from a stranger is rarely a mistake. It is usually the opening line of a long con — here is what it is really after.

Voice-cloned grandparent scams: why a code word beats caller ID

AI voice cloning turned the grandparent scam from improvised theater into near-perfect impersonation. A family code word remains the cheapest, most reliable defense.

When your bank's fraud department is the fraud

A calm voice calls from your bank's number about a suspicious charge. Every instruction that follows is the scam. Here is how to break the loop.

Got a number you don't recognize?

Look it up instantly — carrier, location, and community reports in one place. Free, no signup.

Look up a number