What the FBI is saying about the unpaid toll text scam
On April 12, 2024, the FBI's IC3 released a public service announcement titled "Smishing Scam Regarding Debt for Road Toll Services." The agency reported more than 2,000 complaints in a single month, then over 60,000 within a few months. By early 2026, the FTC's Consumer Sentinel Network was reporting unpaid toll smishing as the single most-reported text-message scam in the country, ahead of USPS delivery scams in some weekly snapshots.
The scam targets victims regardless of whether they have ever used the named toll system. People in states without electronic tolling receive E-ZPass texts. People in California receive SunPass texts meant for Florida. SMS sending costs are essentially zero, so even a 1% reaction rate on millions of texts is profitable. The credit card numbers harvested are resold on dark-web markets; the identity data feeds follow-on attacks for months.
What the text actually looks like
The wording rotates, but the template is stable. Common openings:
- "E-ZPass Lane: We have noticed an outstanding toll amount of $2.99 on your record. To avoid a late fee of $50.00, visit [link]."
- "FasTrak Notice: You have an unpaid toll of $4.35. Pay before [date] to avoid penalties. [link]"
- "SunPass Final Notice: Unpaid balance of $6.75. Click [link] to avoid registration suspension."
- "NY Tolls Service: Final reminder. Amount due $2.79. Visit [link] within 12 hours to prevent license suspension."
Three things stay consistent. The dollar amount is small (under $10). There is a threat (late fee, registration suspension, license suspension). And the link goes to a domain that is not the real toll agency.
Why this scam works so well
Most American drivers genuinely do not know what their state's toll system mailing process looks like in detail. Real toll agencies do send unpaid-toll notices, the amounts can be small, and the threat of late fees is real. The scam exploits exactly this uncertainty.
- Toll bills do exist. Every E-ZPass, FasTrak, SunPass, and TxTag operator sends real bills for missed tolls, especially in cashless tolling states.
- The amounts are believable. Real toll charges range from $0.50 to $30 depending on the road and vehicle class. A $2.99 charge fits within the normal range.
- State agencies do text some enrolled users. Several toll agencies now send legitimate SMS reminders (low balance, renewal alerts). The base rate of "I get texts from my toll agency" is no longer zero.
- License suspension is a credible threat. Most state laws allow registration or license suspension for chronically unpaid tolls, so the threat lines up with something users have heard about.
- Mobile UX hides the URL. The SMS app does not unwrap shortened links or show the full destination domain before tapping. The user taps before reading.
State-by-state table: real toll agencies and official websites
Only the websites below are real. Type the URL into your browser yourself.
| State(s) / Region | Toll Agency / Brand | Real Official Website |
|---|---|---|
| NY | E-ZPass New York | e-zpassny.com |
| NJ | E-ZPass New Jersey | ezpassnj.com |
| PA | E-ZPass Pennsylvania / PA Turnpike | paturnpike.com |
| MD | E-ZPass Maryland | ezpassmd.com |
| VA | E-ZPass Virginia | ezpassva.com |
| DE | E-ZPass Delaware | ezpassde.com |
| MA | E-ZPass Massachusetts | ezdrivema.com |
| ME | E-ZPass Maine | ezpassmaineturnpike.com |
| NH | E-ZPass New Hampshire | ezpassnh.com |
| RI | E-ZPass Rhode Island | ezpassri.com |
| IL | I-Pass / Illinois Tollway | illinoistollway.com |
| IN | E-ZPass Indiana / Indiana Toll Road | ezpassin.com |
| OH | E-ZPass Ohio | ezpassoh.com |
| WV | E-ZPass West Virginia | wvturnpike.com |
| NC | E-ZPass / NC Quick Pass | myncquickpass.com |
| CA | FasTrak (statewide) | thetollroads.com / bayareafastrak.org |
| FL | SunPass | sunpass.com |
| OK | PikePass | pikepass.com |
| TX | TxTag | txtag.org |
| TX | TollTag (NTTA) | ntta.org |
| WA | Good To Go! | mygoodtogo.com |
| HI | uPASS (H-3 / Honolulu) | hidot.hawaii.gov |
If the domain in the text does not exactly match the column above for your state, it is a scam. Even a close version (an E-ZPass URL on .top, .xyz, .online, .info, or a hyphen-stitched name like e-zpass-toll.com) is a scam. Real state agencies always use .com or .gov, never the cheap TLDs attackers buy in bulk.
The URL patterns used in the scam
Reported phishing destinations from FBI IC3 takedowns and state DOT consumer alerts include ezpass[.]com-toll-payment[.]top, ezpassny[.]xyz, e-zpass-services[.]info, fastrak-payments[.]online, sunpass-info[.]live, sunpass[.]fl-toll[.]xyz, txtag[.]toll-services[.]com, thetollroads-payment[.]xyz, and ipass-illinois[.]online. The pattern is the same as USPS and FedEx smishing: keyword spoofing (the agency name appears somewhere in the URL, but not as the actual registered domain), cheap TLD abuse, or a "real-looking" URL stitched onto an unrelated parent via the subdomain trick. The actual domain is always the name and TLD immediately before the first single slash after https://. In ezpass[.]com-toll-payment[.]top, that is com-toll-payment[.]top, not ezpass[.]com. Anything to the left of that is dressing.
What a real toll notice actually looks like
Knowing the real notification process is the single best defense. Per state consumer alerts from California DMV, Florida DOT, and the New York State Thruway Authority during 2024-2026:
- Real toll bills arrive by mail, on paper, with state agency letterhead, sent to the address on file with the DMV. Even if the agency sends digital notifications, the legal notice always comes by post.
- The mailed notice includes a photo of your license plate from the toll gantry, plus the date, time, and location of the toll event.
- Real agencies do not send "pay now" links via SMS. The California DMV's 2024 alert: "FasTrak will never request payment by text message." NY E-ZPass, SunPass, and TxTag have issued matching statements.
- Payment phone numbers are agency-specific and publicly listed. Numbers in a text message are not legitimate.
- The escalation timeline is weeks, not hours. Real unpaid tolls become real problems over 30 to 90 days, never "within 12 hours" as the scam claims. The urgency timer is the single biggest tell.
The 5-step verification (do this before anything else)
- Do not click the link in the text. The link itself is the entire attack surface. Do not tap, even out of curiosity.
- Look up your toll agency directly. Find your state in the table above and type the official URL yourself. Do not Google the agency name during phishing waves: paid ads sometimes point to typosquats.
- Log in to your toll account using the typed URL. If your account shows zero balance and no violations, the text was a scam by definition.
- Call the agency directly using the number on their official website (not from the text) if you want a human to confirm.
- Screenshot for the record, then report. File at ic3.gov and forward the text to 7726 (the universal SMS spam shortcode in the US, Canada, UK). Then delete the message.
What to do if you already clicked or entered card details
If you only clicked the link but did not enter anything, you are probably fine. Close the tab, clear cookies for the domain, treat it as a near-miss. If you entered credit or debit card information:
- Call your card issuer immediately using the number on the back of your physical card (not one you Google). Ask them to cancel and reissue. Most issuers can add the new digital card to Apple Pay or Google Pay on the same call.
- Freeze the card in your bank's app right now. Every major US bank app has an instant "lock card" toggle. Use it while waiting for the agent.
- Review transaction history for the next 30 days. Dispute anything unauthorized within 60 days under the Fair Credit Billing Act.
- File a complaint with the FBI at ic3.gov with the URL, sender phone number, screenshots, and amount charged.
- File with the FTC at reportfraud.ftc.gov. Consumer Sentinel data feeds law enforcement.
- If you entered SSN or full address, place a fraud alert with the credit bureaus. One free call to Equifax, Experian, or TransUnion places an alert with all three for 12 months. A security freeze (also free) is stronger.
Why the FBI says this scam is uniquely persistent
The IC3 alert from April 2024 has been re-issued multiple times because attackers keep adapting. The infrastructure is run from outside the US in most cases, so domain takedowns are slow. The agency-name rotation means a single takedown only kills one variant, and the text content is short enough to bypass carrier-side keyword filters. The unpaid-toll story is just plausible enough that a percentage of recipients will react even after years of public warnings. Several reports link the campaign to organized phishing-as-a-service operations selling SMS phishing kits with pre-built fake E-ZPass and FasTrak pages, the same kit operators that also sell USPS, FedEx, and bank impersonation templates.
How browser-layer defense catches the destination page
The SMS itself is hard to block at the carrier level because attackers churn through sender numbers daily. The defense that actually works is at the destination: when you tap the link and land on a fake E-ZPass or FasTrak page, a browser-layer scanner can recognize the page is impersonating a toll agency and block it before you type a card number.
SafeBrowz runs as a free browser extension on Chrome, Firefox, and Edge with a three-layer detection model. Layer 1 is local checks: bundled rules look for toll-agency keyword patterns (ezpass, fastrak, sunpass, txtag, pikepass, ipass, goodtogo) on non-official domains, suspicious TLDs (.top, .xyz, .online, .info, .live), and free-hosting destinations. Layer 2 is API checks: Google Safe Browsing, community blacklist, and domain age lookup (most toll-scam destinations are less than 30 days old). Layer 3 is an AI deep scan: content-aware brand impersonation detection in 100+ languages. If a page renders the E-ZPass logo or "FasTrak Toll Payment" text on a non-official domain, it is flagged before any form loads.
For users who do not want to install an extension, the same engine is exposed at the free public URL checker. Paste any link from a suspicious toll text, get a verdict in seconds, no login.
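An added example, not SafeBrowz's code and not part of the original article: a sketch of the local (Layer 1) checks described above, which also applies the rule from "The URL patterns used in the scam" for finding the domain that actually owns a link. The function names, verdict labels and the two-label approximation of the parent domain are assumptions made for illustration.

```javascript
// Official hosts, copied from the state-by-state table in this article.
const OFFICIAL = [
  "e-zpassny.com", "ezpassnj.com", "paturnpike.com", "ezpassmd.com", "ezpassva.com",
  "ezpassde.com", "ezdrivema.com", "ezpassmaineturnpike.com", "ezpassnh.com",
  "ezpassri.com", "illinoistollway.com", "ezpassin.com", "ezpassoh.com",
  "wvturnpike.com", "myncquickpass.com", "thetollroads.com", "bayareafastrak.org",
  "sunpass.com", "pikepass.com", "txtag.org", "ntta.org", "mygoodtogo.com",
  "hidot.hawaii.gov",
];
// Keyword and TLD lists as named in the Layer 1 description above.
const KEYWORDS = ["ezpass", "fastrak", "sunpass", "txtag", "pikepass", "ipass", "goodtogo"];
const CHEAP_TLDS = ["top", "xyz", "online", "info", "live"];

// Undo "[.]" defanging, add a scheme if missing, and let the URL parser find the host.
function hostOf(link) {
  const refanged = link.trim().replace(/\[\.\]/g, ".");
  const full = /^[a-z][a-z0-9+.-]*:\/\//i.test(refanged) ? refanged : "https://" + refanged;
  return new URL(full).hostname.toLowerCase().replace(/^www\./, "");
}

// Hypothetical classifier: returns the host, the parent domain that owns it, and a verdict.
function classifyTollLink(link) {
  const host = hostOf(link);
  const labels = host.split(".");
  // Last two labels approximate the registrable domain (no public-suffix list here).
  const parent = labels.slice(-2).join(".");
  const isOfficial = OFFICIAL.some((d) => host === d || host.endsWith("." + d));
  if (isOfficial) return { host, parent, verdict: "official", reasons: [] };

  const reasons = [];
  const squash = (s) => s.replace(/-/g, ""); // "e-zpass" and "ezpass" compare equal
  const brand = KEYWORDS.find((k) => squash(host).includes(k));
  if (brand) reasons.push("brand keyword on non-official domain");
  if (CHEAP_TLDS.includes(labels[labels.length - 1])) reasons.push("cheap TLD");
  if (brand && !squash(parent).includes(brand)) reasons.push("brand only in subdomain");
  return { host, parent, verdict: reasons.length ? "suspicious" : "unknown", reasons };
}

// Constructed inputs: one official URL plus defanged destinations quoted in this article.
const samples = ["https://www.e-zpassny.com/login", "ezpass[.]com-toll-payment[.]top",
  "txtag[.]toll-services[.]com", "thetollroads-payment[.]xyz"];
for (const s of samples) console.log(s, "->", JSON.stringify(classifyTollLink(s)));
```

A verdict of "unknown" only means these local rules did not fire; it is not a statement that the link is safe.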
Frequently asked questions
Do real toll agencies ever send unpaid toll notices by text message?
Almost never, and never with a payment link. A few toll systems send opt-in balance reminders via SMS, but they tell you to log in or call customer service, not click. State agencies including California DMV, Florida DOT, New York State Thruway, Massachusetts DOT, and Pennsylvania Turnpike have all publicly stated they will never request toll payment by SMS.
How do I know what my actual unpaid toll balance is?
Type your state's official toll agency URL from the table above into your browser yourself, log in, and check. If you do not have an account, the official site will show how to look up a violation by license plate. Never use a phone number or website that arrived in a text.
What happens if I really do have an unpaid toll and ignore it?
The state agency sends a paper violation notice to the address registered on your DMV record, with a license plate photo from the toll gantry and a payment window of 30 to 60 days. Ignoring it for months can result in late fees, registration holds, or in some states license suspension. The process is slow and arrives by mail. There is no respond-within-12-hours-by-text pathway, ever.
I do not even drive a toll road. Why am I getting these texts?
Attackers do not target by driving history. They send millions of messages to phone number ranges bought from data brokers. A material percentage of recipients have never used the named toll system. Receiving the text is not evidence you owe anything.
I clicked the link but did not enter information. Am I safe?
Probably yes. The page itself usually cannot install anything on a modern phone or laptop without you also downloading and approving an install. Close the tab and clear cookies for that domain. The risk is the form, not the page load.
How do I report an unpaid toll smishing text?
Forward the text to 7726 (the universal SMS spam shortcode in the US, Canada, and UK). File at ic3.gov with the screenshot and sender phone number, and at reportfraud.ftc.gov. Then delete the text.
The bigger picture
Unpaid toll smishing is one case of the same template that drives USPS, FedEx, DHL, Apple ID, bank, and IRS phishing. The brand changes, the visual mimicry changes, the damage shape is the same: harvest a credit card number, harvest an identity profile, resell on dark-web markets, repeat. Until carriers implement universal sender authentication for SMS, the defense burden falls on individuals and the third-party tools they install. The 5-step verification (do not click, look up the real agency, log in via a typed URL, call the agency, screenshot for police) is reliable but only if used every single time.