- The US toll smishing scam claims that unpaid toll service fees must be
- SMS messages include a fake link to make an online payment
- Cybercriminals are using more than 10,000 domains to deceive recipients
A widespread SMS scam is targeting thousands of smartphone users in the US. Its aim is to cheat unsuspecting recipients not only of their money, but also of their personal and financial information.
Reports of the smishing scam first emerged last year. In April 2024, the FBI's Internet Crime Complaint Center (IC3) issued a notice about the fake toll service text messages, after receiving more than 2,000 complaints from US citizens.
Since then, the scale of the scheme seems to have grown. Cities in several US states have now issued warnings, including Boston, Denver and San Francisco. McAfee has also highlighted the cities most affected by the scheme: the top three are Dallas, Atlanta and Los Angeles.
How the smishing scam works
According to the screenshots we have seen, text messages in the toll scam seem to follow a similar structure. Each SMS claims to be from a legitimate toll service and states that there is an unpaid fee. It then tells the recipient to pay the outstanding toll within a set period of time to avoid late fees and a referral to the DMV. A URL is then provided, which directs users to a fake payment page.
This page is designed to look convincingly like a legitimate toll service payment website. It will often have a logo, business name and street address. It will also indicate the supposed time and date of the unpaid fee.
A threat actor who takes advantage of the same naming pattern has registered 10K+ domains for several #scams #smishing. They pose as toll services for US states and package delivery services. Root domain names begin with “com-” as a way of deceiving victims. More information at pic.twitter.com/7cbkvwywxo March 7, 2025
If you click on the payment link, the website will request payment information. Sometimes it will also request confidential personal information, such as your driver’s license number. If you submit this information, you are actually giving it to the scammers, exposing yourself to identity theft.
The scam uses the same tactics as most phishing scams, creating a sense of urgency by demanding payment in a short period of time. The threat of legal action increases the probability of an emotional reaction, which could make users overlook inconsistencies in the original SMS or the linked payment page.
Reports also suggest that there are variations of the scam. In some cases, it seems that cybercriminals have varied the content of the SMS and the payment page to target users in specific states. One screenshot that we have seen claims to be from New York City. For some recipients, this could make the message more credible than a generic alert.
Recent intelligence from Palo Alto Networks' Unit 42 reports that scammers have registered more than 10,000 domain names. Each of these is designed to be ambiguous enough that a casual glance does not reveal the deception. The new domains not only suggest that the scam is still ongoing, but certain URLs indicate that it could be expanding to include fake messages from delivery companies, an increasingly common tactic.
These are some of the domains listed in the notice:
How to stay safe
As with any smishing or phishing scam, the best way to stay safe is to exercise caution. If you receive an unexpected SMS about unpaid toll fees, there is a good chance that it is a scam. Pause before acting on any information in the message and do not click on any links.
Pay attention to details in the message. Scam texts will often have grammatical errors or formatting inconsistencies, such as punctuation placement. A closer look at the URL will often reveal that it is also illegitimate.
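What a closer look at the URL means for the "com-" naming pattern described above, as an added example that is not part of the original article or of Unit 42's notice: the Python below separates the domain that is actually registered from the one a reader appears to see. The sample message and the `.example` domain are constructed, and the prefixes other than "com-" are an assumption.

```python
import re
from urllib.parse import urlsplit

# "com-" is the prefix the article describes; the other three are an assumption
# that the same trick could be played with other familiar TLD strings.
LOOKALIKE_PREFIXES = ("com-", "org-", "net-", "gov-")
URL_TOKEN = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?")


def refang(text):
    """Undo the [.] defanging used when such domains are published."""
    return text.replace("[.]", ".")


def hostname(url):
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to find the host
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def check_url(url):
    """Report the domain that is really registered versus the one a reader sees."""
    labels = hostname(url).split(".")
    # Simplification: treat the last two labels as the registered domain.
    # Real tooling should consult the Public Suffix List (e.g. for co.uk).
    registered = ".".join(labels[-2:])
    prefix = next((p for p in LOOKALIKE_PREFIXES if registered.startswith(p)), None)
    appears_as = None
    if prefix and len(labels) >= 3:
        # "brand" + ".com" is only a subdomain label glued to the fake root.
        appears_as = f"{labels[-3]}.{prefix[:-1]}"
    return {"registered": registered, "appears_as": appears_as,
            "suspicious": prefix is not None}


def scan_sms(text):
    """Return a check_url() result for every URL-like token in an SMS body."""
    return [check_url(m) for m in URL_TOKEN.findall(refang(text))]


if __name__ == "__main__":
    # Constructed sample message; ".example" is a reserved TLD.
    sms = ("Your toll is unpaid. Pay within 12 hours at "
           "https://statetoll.com-paynow[.]example/bill to avoid late fees.")
    for result in scan_sms(sms):
        print(result)
```

A hit is a reason to review the message, not proof of fraud, since a legitimate domain can also begin with "com-".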
In case of doubt, contact the genuine toll service in question. Never click on the link in the SMS. Instead, find the service's real website or contact number using a trusted search engine and get in touch to clarify.
The scam is now so widespread that the United States Federal Trade Commission has issued advice to the same effect, as has the FBI. If you discover a fake or suspicious SMS, the instructions of both agencies are the same: report and delete the messages. You can do this on the IC3 website.