Cybercriminals are escalating their tactics, with at least one scammer registering over 10,000 domains to conduct smishing scams, a form of phishing attack via text messages. According to a cybersecurity report released on Thursday by Palo Alto Networks, these fraudulent schemes are targeting individuals across multiple U.S. states and Canada, aiming to steal personal and financial information.
Smishing Scams: A Growing Cyber Threat
Smishing, a combination of SMS and phishing, is a tactic where cybercriminals disguise themselves as legitimate organizations—such as toll services and delivery companies—to trick individuals into clicking malicious links. Once a victim interacts with the message, they may unknowingly provide credit card details, passwords, or other sensitive data.
Palo Alto Networks uncovered that this threat actor has been sending deceptive text messages claiming to be from toll collection agencies and package delivery services. These messages urge recipients to settle outstanding fees or track a package, leading them to fraudulent websites designed to harvest their personal information.
Scam Targets Spread Across Multiple Regions
The fraudulent text messages are reportedly affecting users in several high-population U.S. states, including California, New York, Texas, Virginia, Pennsylvania, Florida, Massachusetts, New Jersey, Illinois, Kansa. Individuals in Ontario, Canada, have also been targeted, indicating the widespread nature of this scheme.
How the Smishing Scam Works
According to Palo Alto Networks, the scam operates in multiple stages:
- Sending Deceptive Texts – Victims receive fraudulent SMS messages from phone numbers or email addresses that appear legitimate.
- Embedding Malicious Links – The messages contain URLs that seem real but redirect users to fake websites.
- Impersonating Toll & Delivery Services – The sites claim to represent E-ZPass, USPS, and other well-known companies.
- Harvesting Personal Data – Victims who enter their payment details or personal credentials expose themselves to identity theft and financial fraud.
Examples of Fake URLs Used in the Scam
Cybersecurity experts have identified suspicious domains linked to these scams, such as:
- e-zpassiag.com-courtfees.xin
- usps.com-tracking-helpsomg.xin
These URLs are carefully crafted to resemble official websites, making it difficult for unsuspecting users to recognize the scam. The messages typically urge immediate action, creating a sense of urgency that pressures victims into clicking the link.
iMessage Users Also Targeted
Apple users are not immune to this scam. Palo Alto Networks revealed that some cybercriminals are specifically targeting iPhone users through iMessage. In some cases, scammers request victims to respond to the text before displaying the fraudulent link. While Apple blocks unknown links from unverified senders, users who interact with the scam messages may still be vulnerable.
FBI Issues Warning on Toll Collection Scams
The Federal Bureau of Investigation (FBI) has been tracking smishing scams and issued a public warning last year. The agency reported that over 2,000 complaints had been filed regarding a specific scheme involving fake toll collection services.
Common Characteristics of the Toll Collection Scam
- Messages claim recipients owe unpaid tolls.
- The amount due remains consistent across different states.
- The provided links mimic real toll service websites.
- Scammers use rotating phone numbers to evade detection.
The FBI has emphasized that no legitimate toll agency will demand payment via SMS links. Officials urge victims to report any suspicious messages to the Internet Crime Complaint Center (IC3) and delete the messages immediately.
How to Protect Yourself from Smishing Scams
With text message scams on the rise, staying vigilant is essential. The FBI and cybersecurity experts recommend the following precautions:
Do Not Click on Suspicious Links
If you receive an unexpected toll payment request or package tracking alert, avoid clicking on any embedded links. Instead, visit the official website by typing the verified URL directly into your browser.
Verify Before Taking Action
Always confirm payment requests or tracking updates with the actual company. For instance, if you receive a toll violation notice, check directly with your state’s toll agency.
Report Smishing Attempts
If you suspect a smishing attack, report it to:
- The FBI’s Internet Crime Complaint Center (IC3) at ic3.gov
- Your mobile carrier (most allow spam reporting by forwarding texts to 7726)
- The company being impersonated (e.g., USPS, E-ZPass)
Delete Suspicious Messages
Never engage with unverified texts. Simply delete them to avoid accidental clicks or continued targeting.
Cybercriminals Continue to Evolve Tactics
Cybersecurity experts warn that scammers are refining their methods, making it increasingly difficult for victims to differentiate between real and fake messages. This latest smishing scheme highlights how cybercriminals are exploiting technology to conduct mass-scale phishing campaigns.
As fraud tactics become more sophisticated, public awareness and cybersecurity best practices are the best defense against identity theft, financial fraud, and personal data breaches.
