The FBI is urging all iPhone and Android users to be alert to an insidious toll fee texting scam from China widely regarded as “an infrastructural attack on our phones, not a single campaign.”
It follows an urgent FBI and Cybersecurity and Infrastructure Security Agency (CISA) warning in December 2024 to stop sending texts messages over unsecured networks and use encrypted messaging and calling systems instead.
The agencies warn texting between Android phones and iPhones is vulnerable (iPhone to iPhone and Android to Android is reportedly safe) due to “Chinese hacking of U.S. networks that is reportedly ‘ongoing and likely larger in scale than previously understood.’”
Encrypted channels are considered the best defense against these attacks.
“Encryption is your friend” for texts and phone calls, Jeff Greene, CISA’s executive assistant director for cybersecurity, told NPR. “Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible, if not really hard, for them to detect it. So our advice is to try to avoid using plain text.”
MySudo all-in-one privacy app offers end-to-end encrypted messaging and video and voice calls. Download it for iOS or Android now.
Get MySudo Desktop and the MySudo browser extension.
Toll smishing texts are rapidly spreading across America
The recent spate of smishing texts are claiming an unpaid toll of $6.99 but are really designed to steal the recipient’s credit card and identity.
The Anti-Phishing Working Group (APWG) says the attackers are registering tens of thousands of domains to mimic state and city toll agencies and attract clicks. They’re also making similar-looking text message using “an upgraded phishing kit sold in China, which makes it simple to send text messages and launch phishing sites that spoof toll road operators in multiple U.S. states.”
The toll smishing attacks are rapidly spreading “from state to state.” The FBI is urging people to delete the texts immediately.
Authorities are reminding Americans that “legitimate agencies usually send invoices via official mail, not random emails or texts.”
Learn more about the toll smishing attacks. If you receive a toll smishing text, the FBI advises you to:
- File a complaint with the Internet Crime Complete Centre (IC3). Be sure to include:
- The phone number from where the text originated
- The website listed within the text.
- Check your account using the toll service’s legitimate website.
- Contact the toll service’s customer service phone number.
- Delete any smishing texts you receive.
You can also report toll scams to the Federal Trade Commission (FTC) at reportfraud.ftc.gov or your local consumer protection agency.
Spam texts are on the rise
According to Robokiller, more than 19 billion spam texts were sent in the U.S. in February alone.
Always be alert to the possibility of scams texts and emails and NEVER CLICK THE LINK OR GIVE YOUR INFORMATION. If you think the content of the message might be correct, go straight to the company’s legitimate website (e.g. your toll service’s website) and log into your account to check.
If you think you’ve been scammed, check your accounts and change your passwords even if you haven’t made a payment to the scammers. Dispute any unfamiliar charges on your accounts.
Remember, legitimate agencies will communicate with you about unpaid tolls through official post and not via texts and emails.
The APWG says people receiving any sort of scam text can “help update alerting/blocking mechanisms that protect billions of devices and software clients worldwide” by reporting the texts to the FBI’s IC3.gov or directly to them at apwg.org/sms.
MySudo can protect you from smishing and phishing attacks
Sick of scammers? Fight back with MySudo.
First, download MySudo for iOS or Android.
Then, set up a dedicated “Car Bills” Sudo digital identity within MySudo, and use it specifically for opening and paying tolls and all other car-related services you want to include.
Only ever use your “Car Bills Sudo” phone number and email address when communicating with and logging into these services. Do not use your personal phone or email.
If a suspected smishing text about an outstanding toll or any other supposed debt comes into any other Sudo (you can have 9 Sudos, depending on your plan) or to your personal phone number, then you will know it’s a scam and delete it.
If a text about a toll comes into your official “Car Bills Sudo” you’re more likely to consider whether it’s from the legitimate service provider and not a scammer. But still stay vigilant and check with the legitimate service provider, remembering they’re more likely to contact you by official mail. If the message turns out to be a scam, you can either:
- Ignore it, or
- Block the scammer’s number, or
- Reset your “Car Bills” Sudo phone number, or
- Delete the “Car Bills Sudo” altogether and cut off the scammers. They won’t be able to reach you again.
Go one powerful step further by always using the MySudo virtual card within your dedicated “Car Bills Sudo” to pay your toll account and any other car-related bills. That way, even if you fall victim to a scam, the scammer does not have your personal credit card. They have your Sudo virtual card, which you can easily cancel or close and move on.
The data protection strategy behind MySudo is called compartmentalization.
You might also like:
2024 was the Biggest Year for Data Breaches: Here’s How to Stay Safe in 2025
The Top 10 Ways Bad Actors Use Your Stolen Personal Information
How to Take Back Control of Your Digital Footprint: Get RECLAIM 1.1!
Americans Say Data Privacy is a Human Right: 3 Apps that Achieve It
