407 ETR toll text scam (Ontario 2026): how to spot the 289 spoof and fake pay-link

A fresh smishing wave impersonates Highway 407 and now threatens your credit score, your plate renewal, and court.

SafeBrowz Security Research | June 23, 2026 | 8 min read

Story in 3 Sentences

The "407 ETR unpaid toll" text is a scam, and the new 2026 variant escalates the threats to credit-score damage, MTO licence-plate-renewal suspension, and court proceedings to rush you onto a fake pay-link. The texts come from spoofed 289-area-code numbers, often as group messages that expose other victims' phone numbers, and people who have never driven the 407 get them too. Real 407 ETR notices arrive by mail or in My Account at 407etr.com. A genuine 407 ETR reminder can arrive as a text from a 6-digit short code, but its link only ever points to 407etr.com and it never asks for your card, PIN, or password, so a toll text that links to any other domain or demands payment details is the scam.

What 407 ETR is actually saying about the scam

407 ETR (the operator of Highway 407, the electronic toll route across the Greater Toronto Area) has put out repeated public warnings. In 2024 the company received nearly 12,000 reports of scam texts, and in 2025 its IT security team took down more than 1,100 fraudulent lookalike domains built to imitate it. The official line on its Fraud Awareness page is blunt: 407 ETR will never ask for personal information like passwords, PINs, or credit card numbers through any contact method, and its communications never link to any domain other than 407etr.com.

The pattern matches the wider unpaid-toll smishing wave hitting North America (see the broader E-ZPass, FasTrak, and SunPass toll text scam and the global toll and traffic-fine text scam of 2026). What makes the 407 version worth its own warning is the threat escalation: where older toll texts just mentioned a "late fee," the current Ontario variant invokes your credit score, your ability to renew your plate, and court.

What the 407 ETR scam text looks like

The wording rotates, but the template is stable. Common openings reported by Ontario drivers in 2026:

  • "407 ETR: Our records show an outstanding toll balance of $6.49. Pay now to avoid a report to the credit bureau. [link]"
  • "Highway 407 Final Notice: Unpaid toll of $4.12. Your licence plate renewal will be suspended if unpaid within 24 hours. [link]"
  • "407ETR Toll Services: You have an overdue balance. Failure to pay will result in legal action and court proceedings. Settle here: [link]"
  • "407 ETR: MTO has flagged your account. Pay $7.85 immediately to prevent plate-renewal hold. [link]"

Three things stay consistent. The dollar amount is small (under $10). There is an escalating threat (credit score, plate suspension, court). And the link goes to a domain that is not 407etr.com.

The red flags that give it away

  • It came from a 289 (or 365 / 905 / 437) number, not the real 407 line. 407 ETR does not initiate toll contact by text from a personal-looking mobile number. A "407 ETR" message arriving from a spoofed 289-area-code cell number is a tell on its own.
  • It is a group text exposing other people's numbers. Many of these land as group messages where you can see a dozen other recipients' phone numbers in the header. A real billing notice is one-to-one. A group blast of strangers is a spam campaign, full stop.
  • The link is not 407etr.com. The domain is the part immediately before the first single slash after https://. If that is anything other than 407etr.com, the message is fake, no matter what text sits to the left of it.
  • It threatens credit, plate, or court within hours. Real toll disputes move over weeks by mail, never "within 24 hours by text." The urgency timer is engineered to stop you from checking.
  • You have never driven the 407. Attackers blast number ranges bought from data brokers. Getting the text is not evidence you owe anything.
  • It asks for a card, PIN, or password on the linked page. 407 ETR never requests those through any channel. The form is the entire attack.
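The red flags above that can be read from the message itself, as an added JavaScript example (not from the original article or from SafeBrowz; the message fields, flag names and sample texts are constructed). The last flag, a form asking for a card, PIN, or password, lives on the linked page and is not checked here.

```javascript
// Added example: sender/recipients/body is a hypothetical message shape.
const MOBILE_AREA_CODES = ["289", "365", "905", "437"]; // area codes named above
const THREAT = /credit (bureau|score)|plate[- ]renewal|\bcourt\b|legal action/i;
const DEADLINE = /within \d+ hours|immediately|final notice/i;

// Host of a link as a URL parser resolves it, or null if it cannot be parsed.
function hostOf(link) {
  try { return new URL(link).hostname.replace(/\.$/, ""); } catch { return null; }
}

function redFlags(msg) {
  const flags = [];
  let digits = msg.sender.replace(/\D/g, "");
  if (digits.length === 11 && digits[0] === "1") digits = digits.slice(1); // drop +1
  if (digits.length !== 6) { // genuine reminders come from a 6-digit short code
    const mobile = digits.length === 10 && MOBILE_AREA_CODES.includes(digits.slice(0, 3));
    flags.push(mobile ? "sender-mobile-area-code" : "sender-not-short-code");
  }
  if (msg.recipients.length > 1) flags.push("group-text");
  // Only links written with http:// or https:// are picked up here.
  const links = msg.body.match(/https?:\/\/\S+/gi) || [];
  const offSite = links.some((l) => {
    const h = hostOf(l);
    return h !== "407etr.com" && !(h || "").endsWith(".407etr.com");
  });
  if (offSite) flags.push("link-off-407etr.com");
  if (THREAT.test(msg.body)) flags.push("threat-credit-plate-court");
  if (DEADLINE.test(msg.body)) flags.push("urgency");
  return flags;
}

// Constructed samples: wording follows the article, numbers and links are made up.
const SCAM_SAMPLE = {
  sender: "+1 289 555 0142",
  recipients: ["+12895550101", "+12895550102", "+12895550103"],
  body: "Highway 407 Final Notice: Unpaid toll of $4.12. Your licence plate renewal " +
    "will be suspended if unpaid within 24 hours. https://407-etr-payment.top/pay",
};
const REMINDER_SAMPLE = {
  sender: "123456", // placeholder 6-digit short code, not 407 ETR's real one
  recipients: ["+14165550199"],
  body: "407 ETR: your statement is ready in My Account. https://407etr.com/",
};

console.log(redFlags(SCAM_SAMPLE), redFlags(REMINDER_SAMPLE));
```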

The fake domains versus the one real one

Only one website is real. Type it yourself; never tap a link from a text.

| What it is | Domain | Verdict |
|---|---|---|
| The real 407 ETR site and My Account | 407etr.com | Real. Type it yourself. |
| Lookalike (cheap TLD) | 407etr-toll.xyz | Scam. |
| Lookalike (hyphen stitch) | 407-etr-payment.top | Scam. |
| Lookalike (keyword subdomain) | 407etr.com-toll-pay.online | Scam. |
| Lookalike (fake "services") | highway407-services.info | Scam. |
| Lookalike (MTO bait) | mto-407etr.live | Scam. |

The scam domains above are illustrative of the patterns attackers use; they are not clickable. Note the trick in every one: the string 407etr appears somewhere in the URL, but never as the actual registered domain. Real 407 ETR links live only on 407etr.com (or its official app), and while the company does send payment-reminder texts from a short code, the link in a real one only ever goes to 407etr.com and it never asks for your card, PIN, or password.
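An added example (not part of the original article and not SafeBrowz's code): the domain check described above as a JavaScript function that parses the link and compares its real host with 407etr.com. The function name, the verdict labels and the choice to treat subdomains of 407etr.com as official are assumptions.

```javascript
// Added example: judge a toll-text link by the host the browser would contact.
const OFFICIAL = "407etr.com"; // the only domain the article names as genuine

// Drop separators so "407-etr" and "407etr" compare equal.
const squash = (s) => s.replace(/[^a-z0-9]/g, "");

function classifyTollLink(raw) {
  let url;
  try {
    url = new URL(raw.trim());
  } catch {
    return { verdict: "invalid", host: null, reason: "not an absolute URL" };
  }
  if (!["https:", "http:"].includes(url.protocol)) {
    return { verdict: "invalid", host: null, reason: "not a web link" };
  }
  // hostname is lower-cased and excludes any user@ prefix, port, path and query,
  // so text placed around the host cannot change the result.
  const host = url.hostname.replace(/\.$/, "");
  // Assumption: subdomains of 407etr.com count as official (same registrant).
  if (host === OFFICIAL || host.endsWith("." + OFFICIAL)) {
    return { verdict: "official", host, reason: "host is 407etr.com" };
  }
  let reason = null;
  if (host.startsWith(OFFICIAL)) {
    reason = "407etr.com is only the start of a longer host name";
  } else if (squash(host).includes("407etr")) {
    reason = "brand string inside a different registered domain";
  } else if (host.includes("407")) {
    reason = "highway number inside a different registered domain";
  }
  return reason
    ? { verdict: "lookalike", host, reason }
    : { verdict: "not-official", host, reason: "host is not 407etr.com" };
}

// The real site plus the illustrative lookalikes from the table above.
const SAMPLES = [
  "https://407etr.com/en/fraud-awareness",
  "https://407etr-toll.xyz/pay",
  "https://407-etr-payment.top/pay",
  "https://407etr.com-toll-pay.online/pay",
  "https://highway407-services.info/pay",
  "https://mto-407etr.live/pay",
];
for (const link of SAMPLES) {
  const r = classifyTollLink(link);
  console.log(`${r.verdict.padEnd(12)} ${r.host}  (${r.reason})`);
}
```

For a toll text, every verdict other than "official" means the link should not be opened; the "lookalike" label only records why the host resembles the brand.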

What a real 407 ETR notice actually looks like

Knowing the genuine process is the single best defense:

  • Real 407 charges show up in My Account at 407etr.com or the official 407 ETR app, and statements are mailed to the address on file. The legitimate record is always something you can reach by typing the address yourself.
  • A real 407 ETR text only ever links to 407etr.com. Per its Fraud Awareness page, the company will not request payment or personal data through SMS, and its messages never link off 407etr.com.
  • It does not threaten your credit score, your plate renewal, or court by text. Those escalations are scam pressure tactics. Ontario plate renewals are handled by ServiceOntario at ontario.ca/page/licence-plate-renewals, not via a toll text.
  • The timeline is weeks, not hours. A real billing dispute is resolved by phone or in My Account over days. There is no "respond within 24 hours by text" path, ever.

How to verify a 407 ETR text in under a minute

  1. Do not tap the link. The link is the entire attack surface. Do not open it out of curiosity.
  2. Type 407etr.com yourself and sign in to My Account, or open the official 407 ETR app. If your account shows no balance, the text was a scam by definition. (Want a sanity check on how to read a domain? See how to tell if a website is a scam.)
  3. Call 407 ETR using the number on 407etr.com, not any number from the text, if you want a human to confirm.
  4. For anything about your plate or licence, go directly to ServiceOntario at ontario.ca/page/licence-plate-renewals. The MTO does not act on toll-text threats.
  5. Screenshot, report, delete. Forward the text to 7726 (the SMS spam shortcode that works in Canada), report it to the Canadian Anti-Fraud Centre, then delete the message.

What to do if you already tapped or entered card details

If you only tapped the link but entered nothing, you are probably fine. Close the tab, clear cookies for that domain, treat it as a near-miss. If you entered credit or debit card information:

  • Call your bank or card issuer immediately using the number on the back of your physical card, not one from the text. Ask them to cancel and reissue the card. Most issuers can re-add the new card to your phone wallet on the same call.
  • Freeze the card in your banking app right now. Every major Canadian bank app has an instant lock-card toggle. Use it while you wait for an agent.
  • Watch your statements for the next 30 days and dispute anything you did not authorize.
  • Report it to the Canadian Anti-Fraud Centre at antifraudcentre-centreantifraude.ca or by phone at 1-888-495-8501, with the URL, the sender number, screenshots, and any amount charged.
  • If you handed over an SSN-equivalent (SIN) or full address, contact Equifax Canada and TransUnion Canada to place a fraud alert. A walkthrough of the full cleanup is in "I got scammed, what do I do now".

Why this scam keeps working in Ontario

The 407 is one of the busiest toll roads in North America, and many drivers genuinely do receive 407 ETR statements, so the story is plausible. The attackers churn through 289-area-code sender numbers daily, which makes carrier-side blocking slow. The credit-score and court threats are new in 2026 precisely because the old "late fee" line stopped scaring people. And the group-text format does double duty: it blasts the message cheaply and harvests a fresh list of live phone numbers from everyone who replies STOP. The same phishing-as-a-service kits that build fake E-ZPass and SunPass pages now ship a ready-made 407 ETR template, which is why the lookalike sites appear faster than they can be taken down.

How browser-layer defense catches the fake 407 page

The SMS is hard to block at the carrier because sender numbers rotate daily. The defense that actually works is at the destination: when you tap the link and land on a fake 407 ETR page, a browser-layer scanner can recognize that the page is impersonating a toll agency on a non-official domain and block it before you ever type a card number. SafeBrowz scans the pay-link before you tap it, and flags a lookalike 407-ETR domain even before Google Safe Browsing has it listed, because the lookalike pattern is caught locally. For people who do not want to install an extension, the same engine is exposed at the free public URL checker: paste any link from a suspicious toll text and get a verdict in seconds, no login.

Frequently asked questions

Is the 407 ETR unpaid toll text real?

Not always, and the tell is the domain, not the link itself. 407 ETR does send payment-reminder texts from a 6-digit short code, but the link only ever goes to 407etr.com and it never asks for your card, PIN, or password. A toll text that links to any other domain, threatens your credit score, plate, or court, or asks for payment details is a scam. Check the real balance by signing in at 407etr.com or in the official 407 ETR app.

Does 407 ETR send a payment link by text?

Yes, it can, but only to its own site. 407 ETR sends payment-reminder texts from a 6-digit short code that include a link, and that link only ever goes to 407etr.com. It never asks for passwords, PINs, or card numbers through any channel. So a toll text that links to a different domain, demands payment details, or threatens your credit score, plate, or court is the scam.

I got a 407 toll text but never use the highway. Why?

Because the attackers do not target by driving history. They blast millions of messages to phone-number ranges bought from data brokers, often as group texts that also expose other recipients' numbers. A large share of people who get these texts have never driven the 407. Receiving the text is not evidence you owe anything.

How do I report a toll text scam in Canada?

Forward the text to 7726, the SMS spam shortcode that works in Canada. Report it to the Canadian Anti-Fraud Centre at antifraudcentre-centreantifraude.ca or by phone at 1-888-495-8501, with the URL and the sender number. You can also report it to 407 ETR through 407etr.com/en/fraud-awareness. Then delete the message.

The bigger picture

The 407 ETR text is one local face of a worldwide template: harvest a card number, harvest an identity, resell it, repeat. The brand changes (E-ZPass, FasTrak, SunPass, USPS, the CRA), the visual mimicry changes, the damage shape stays the same. The defense is one habit used every single time: do not tap, type 407etr.com yourself, verify in My Account, and report it. If a "toll" text is rushing you with credit-score or court threats, that urgency is the proof it is fake.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures + community whitelist/blacklist, all running directly in the extension before the page renders. Catches the 407 ETR lookalike paths (407etr-{tld}, hyphen-stitched 407-etr-payment, and com-toll-pay subdomain tricks) instantly, even before Google Safe Browsing lists them.
  • Layer 2 - API checks: aggregates Google Safe Browsing, community blacklist, and domain-age lookups for known malicious domains (most toll-scam pages are less than 30 days old).
  • Layer 3 - AI deep scan (Premium): 100+ language content analysis catches novel variants in seconds, flagging a page that renders 407 ETR branding on a non-official domain.

SafeBrowz is free on Chrome, Firefox, and Edge, with Safari pending. Premium is $14.99 a year and a single key covers 3 devices.

Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. SafeBrowz does not store per-user browsing history.

Install SafeBrowz free

Add the browser extension, or the SafeBrowz Android app, that runs every check in this article automatically, on every page, before it renders. Free forever.
