Is the unpaid toll text real? No. And the same scammers are running it in fifty states.
The text says you owe $12.51 to E-ZPass, SunPass, FasTrak, or whichever toll system covers your state. It threatens late fees, license suspension, or court action if you do not pay in 24 hours. It looks official. It is not. The FBI's Internet Crime Complaint Center logged 59,271 toll-smishing complaints across 2024. By March 2025, FBI Atlanta counted 1,573 fake-PeachPass complaints in one month alone — almost matching the prior fourteen months combined. The operators are not in your state. They are in Hong Kong, running a phishing kit called Lighthouse on more than 60,000 lookalike domains, and they are sending these texts at a cost of eight dollars per thousand messages.
59,271
Toll smishing complaints 2024 (FBI IC3)
1,573
Fake PeachPass complaints in March 2025 alone (FBI Atlanta)
60,000+
.xin domains registered for the campaign
$8
Underground cost per 1,000 SMS sent
The short answer
Yes, the unpaid toll text is a scam — every single one. The FBI's IC3 logged 59,271 complaints across 2024 and FBI Atlanta saw 1,573 fake-PeachPass complaints in March 2025 alone, nearly matching the prior fourteen months combined. The campaign is run by a China-based criminal group called the Smishing Triad using a phishing kit called Lighthouse, hosted on 60,000+ domains under the .xin top-level domain. No US state toll authority — not E-ZPass, not SunPass, not FasTrak, not TxTag — texts unpaid balances to people who have not opted in. Delete the text.
"What we're seeing with these tolls scams is just a continuation of the Chinese smishing groups rotating from package redelivery schemes to toll road scams."
Here is what I think every American with a phone should know about this scam: it is not a wave that came and went. The FBI's first public alert was in April 2024. Complaint volume kept climbing through 2025. By the time you finish reading this paragraph, the same operators have probably sent another million texts to American phone numbers. The systems that should have stopped them — the FCC's robotext rules, the carriers' abuse desks, the trademark protection that should have shut down sixty thousand fake-toll-system domains — did not, for almost two years.
This piece is not a complaint, it is a map. If you got the text, the rules below are the ones I would follow myself. If you clicked, the rules below are still the ones I would follow myself. And if you have not yet got the text, you will — it is now arriving at every US area code and every UK mobile number on a rolling basis, and what makes it stop is not Apple, not the FCC, and not your carrier. It is you, deleting it.
Three things that prove it's a scam — every time
Most online guides treat this as a "spot the red flags" exercise. It is not. There are three structural facts that make every unpaid-toll text a scam, before you even read it:
—No US toll authority sends unsolicited texts for unpaid balances. Real toll systems — E-ZPass, SunPass, FasTrak, TxTag, I-Pass, PeachPass, EZDriveMA, Good-To-Go, NTTA, MDOT, all of them — bill the registered owner of the vehicle by mail. If you have an account and have specifically opted into text reminders, the texts go through the system you have logged into, not to numbers it does not have. A text from a number you have never seen, claiming a balance you have never been notified about by mail, is always a scam. The Pennsylvania Turnpike states this explicitly: "The PA Turnpike does not text customers about unpaid tolls."
—The link is never a real toll-system URL. Real toll systems use the addresses you know: e-zpass.com, sunpass.com, paturnpike.com, txtag.org, bayareafastrak.org, peachpass.com. The scam links almost always end in .xin, .top, .cc, .info, or .com followed by random characters (e.g. "e-zpass[.]com-etcjr[.]xin"). The .xin top-level domain is managed by Elegant Leader Limited, a Hong Kong company. Over sixty thousand .xin domains have been registered specifically to host these scam pages.
—Government agencies do not demand payment by gift card, wire, or crypto. Several of these scam pages, after harvesting card details, escalate to demands for gift-card purchase or crypto deposit, exactly as the IRS-imposter and digital-arrest scams do. No US state toll authority accepts payment in gift cards, wire transfers, or cryptocurrency. The escalation is the tell.
Who is sending these — and how it works
The operation has a name, and the security-research community has been documenting it since early 2024. Two firms — Resecurity in California and Palo Alto Networks' Unit 42 — independently traced the toll-smishing infrastructure to a China-based criminal collective referred to as the Smishing Triad. Brian Krebs added the connective tissue in his January 2025 reporting: the Triad runs an integrated stack of phishing kits, domain registration, and SMS sending services, sold to affiliate operators via Telegram.
—The phishing kit is called Lighthouse. Released in major updates between January 10-14, 2025 (per Krebs), Lighthouse serves pixel-perfect replicas of every major US state's toll-system website. The kits detect mobile devices — desktop visitors see a generic error page, mobile devices see the fake toll-payment form. The kits capture keystrokes in real time, meaning data is exfiltrated whether or not the victim hits submit.
—The SMS layer is sold as a service. Underground platforms like Oak Tel (also known as Carrie SMS) provide what amounts to a smishing dashboard: bulk SMS sending, sender-ID spoofing for Apple iMessage and Android RCS, automation APIs, and victim-phone-number list management. Pricing as of early 2025 was approximately eight dollars per one thousand messages. The platforms are marketed on Telegram.
—The domain layer abuses the .xin TLD. Sixty thousand-plus .xin domains were registered specifically for this campaign, hosted under registrar relationships traced back to Hong Kong. The volume defeats traditional takedown — blocking one domain accomplishes nothing when sixty thousand are standing by. The .xin TLD's registrar accreditation through ICANN has not been revoked despite the documented abuse.
—The operators rotate brands every few months. In April 2025, the same infrastructure pivoted to bank-impersonation smishing (per Krebs's follow-up reporting). The toll campaign continues, but the Triad now runs three or four simultaneous scams: fake banks, fake DMVs, fake postal services, fake toll authorities. The infrastructure does not care which brand is on the text. Tomorrow it will be a different brand.
No US state toll authority texts you about unpaid balances if you have not opted in to text reminders inside a verified account. Not E-ZPass. Not FasTrak. Not SunPass. Not TxTag. Not PeachPass. Not EZDriveMA. The text was never real, regardless of how convincing it looked.
The state-by-state list of impersonated toll systems
The scam started with three states in March 2024 (per the FBI's April 12, 2024 PSA) and is now active across all fifty. The toll systems below have each been used as the cover identity in 2024-2025 campaigns. Resecurity, Krebs, and the individual state DOTs document the spread:
—E-ZPass — 19 northeastern and midwestern states. Used as the impersonated identity in the broadest geographic spread. E-ZPass spans New York, New Jersey, Pennsylvania, Virginia, Massachusetts, North Carolina, and more — meaning the same scam text can plausibly land in nineteen different states with no modification. The PA Turnpike, NY Thruway Authority, and Mass DOT have all issued individual warnings.
—SunPass — Florida. Florida-specific. The Florida Department of Transportation has confirmed SunPass does not text balances. The Smishing Triad's SunPass variant has been particularly active because Florida has heavy out-of-state visitor traffic, which the scam exploits — recipients are more likely to second-guess whether they did drive through a toll they forgot about.
—FasTrak — California. Multiple FasTrak variants exist in California (Bay Area Toll Authority, The Toll Roads of Orange County, San Diego region). Each has confirmed the scam. The Toll Roads of Orange County specifically has issued multiple alerts in 2025.
—TxTag — Texas. Texas Department of Transportation runs TxTag; the North Texas Toll Authority (NTTA) and Harris County Toll Road Authority operate parallel systems. The scam has impersonated all three.
—I-Pass — Illinois. Illinois Tollway has confirmed the I-Pass scam-text variant. As with FasTrak, the multi-region structure makes consumer verification harder — there are several legitimate sub-brands, so an unfamiliar-looking link feels plausible to some recipients.
—PeachPass — Georgia. FBI Atlanta documented 1,573 fake-PeachPass complaints in March 2025 alone, compared to 1,720 across the entire prior fourteen months. This is the single most dramatic month-over-month spike documented for any state-level toll-smishing variant.
—EZDriveMA — Massachusetts. MassDOT and the Massachusetts Department of Transportation issued explicit warnings. MassDOT's statement is the cleanest of any state agency: "MassDOT and the RMV will never request payment via text."
—Good-To-Go — Washington. Washington State Department of Transportation has confirmed the Good-To-Go scam. The Pacific Northwest spread came later than the East Coast wave but has been continuous through 2025.
—Plus active scam variants targeting: Connecticut, Colorado, Minnesota, Michigan, Pennsylvania. Michigan Attorney General Dana Nessel issued a fresh consumer alert in March 2026. The Pennsylvania Turnpike published a dedicated explainer in March 2026. The Connecticut, Colorado, and Minnesota DOTs have issued warnings throughout 2025.
Why the carriers, the FCC, and Apple have not stopped this
I want to be clear about what this scam is, structurally: it is a problem that several coordinated decisions could have prevented. The technical capacity to block it existed throughout the campaign. The question is why the institutions that have that capacity did not use it in time.
—The FCC's robotext blocking mandate lagged the campaign by twenty-one months. The FCC announced Do-Not-Originate (DNO) list requirements for text messages in May 2023. Mandatory enforcement against non-compliant providers began December 15, 2025 — twenty-one months after the FBI's first toll-smishing PSA in April 2024. By the time the rules became mandatory, the IC3 had already logged tens of thousands of complaints.
—Carriers were not complying with existing rules. In August 2025, a bipartisan coalition of 51 state attorneys general launched Operation Robocall Roundup. They sent warning letters to thirty-seven voice providers found to be non-compliant with the FCC's traceback support, robocall mitigation database certification, and mitigation plan requirements. The rules existed. The carriers were skipping them. The state AGs had to write thirty-seven letters before action followed.
—The .xin TLD's registrar accreditation has not been revoked. More than sixty thousand .xin domains have been registered specifically for this fraud campaign, managed through a Hong Kong registrar relationship. ICANN's contract terms permit accreditation revocation for systemic abuse. No public US filing has explained why the abuse threshold for .xin has not been considered to have been crossed.
—Apple iMessage and Android RCS sender-ID spoofing remained possible at consumer scale throughout 2024 and 2025. The two companies that mediate every smartphone in the country had the engineering capability to detect and block sender-ID spoofing from foreign-originated commercial SMS-as-a-service platforms. Both companies have publicly committed to anti-spam improvements; neither has shipped a default user-facing change that would block the Smishing Triad's iMessage pipeline at scale. When asked, the answer is always that it is complicated. It is in fact the simplest engineering problem in the chain, and it is the one with the loudest victims.
The FCC's mandatory robotext blocking went live on December 15, 2025 — almost two years after the FBI's first toll-smishing PSA. The carriers had the tools. The FCC had the authority. The texts kept coming. Whatever the right answer was, the system did not deliver it in time, and millions of Americans got the texts anyway.
The UK version: Dart Charge, Mersey Gateway, and ULEZ
The same Smishing Triad operators pivoted into UK toll-impersonation scams in early 2025, per Resecurity's tracking and Infosecurity Magazine's reporting. The UK volume is smaller than the US — the campaign is younger and the UK toll geography is narrower — but the mechanics are identical. If you are in the UK and you get one of these texts, the rules are the same:
—Dart Charge — the Dartford Crossing. The most-impersonated UK toll. The fake texts claim an unpaid Dart Charge fee with a link to a copycat government site. The real Dart Charge has a dedicated explainer on the gov.uk domain; National Trading Standards prosecuted at least one operator behind copycat government-toll websites in 2024.
—Mersey Gateway Bridge. The Liverpool-area toll has been used as the impersonated identity in 2025 campaigns. The Merseyflow real-payment system does not text unpaid balances.
—ULEZ — London's Ultra Low Emission Zone. ULEZ is a Transport for London scheme, not a toll system, but the Smishing Triad impersonates it with the same kit because the public confusion about whether ULEZ charges are appealable through text payment makes the scam more effective.
—Reporting in the UK: forward to 7726, then file at Action Fraud. The UK equivalent of the US 7726 spam-report number is also 7726. Forward the text; then file at actionfraud.police.uk (or its successor Report Fraud, see our UK reporting guide). Same delete-and-report discipline as the US.
For the full UK reporting and recovery directory — including how the Payment Systems Regulator's mandatory-reimbursement rules apply if you sent money — see the 2026 UK scam-reporting guide.
The 8-step playbook: what to do
This is the sequence I would follow if I got the text right now. It works whether you have already clicked, already typed information, or just received the message:
1Do NOT click the link. Even on a modern, patched iPhone or Android, the link goes to a phishing page that captures keystrokes in real time. The link is the entire scam. Delete the text.
2Verify any real balance by going directly to your toll-system's official URL. Type the address into a fresh browser: e-zpass.com (then pick your state), sunpass.com, paturnpike.com, txtag.org, bayareafastrak.org, peachpass.com, ezdrivema.com. Log into your real account. If you do not have an account or the balance does not match the text, you owe nothing.
3Forward the spam to 7726. Long-press the text, select forward, send to 7726 (SPAM on the keypad). This routes to your carrier's abuse desk and the FCC reporting database. Free, takes thirty seconds, and is the only carrier-side reporting channel that exists.
4Report at ic3.gov. Include the phone number the text came from and the full URL in the message. This is the dataset that drove the FBI's PSAs and the eventual federal action against the .xin TLD operators. Every report matters because the volume is what unlocks coordinated takedowns.
5If you clicked but typed nothing — clear browser data, run a malware scan. Clear browser history and cookies for the browser that opened the link, then run an anti-malware scan (Apple users: typically not needed but cheap insurance; Android users: Play Protect from the Play Store, or Malwarebytes). Most phishing kits do not deploy device-level malware as a default, but the precaution costs nothing.
6If you typed card information — call card-issuer fraud line within the hour. Ask them to freeze the card and reissue. Dispute any unauthorized charges under Regulation E (debit) or the Fair Credit Billing Act (credit). The Smishing Triad's kits resell card data within minutes, so speed matters more than completeness. See the 72-hour recovery playbook for the by-payment-method odds.
7If you entered identity information — freeze your credit at all three US bureaus. Experian, Equifax, TransUnion. All three freezes are free and take about five minutes each online. Do all three — a freeze at only one bureau is bypassable. If your SSN or full DOB was in the form, sign up for free credit monitoring. The combination of card details plus identity details enables synthetic-identity fraud months later, after you have forgotten the toll text ever happened.
8Check your real toll account and pay any genuine balance through the verified URL. After you have dealt with the scam, log into your real account. If you genuinely owe a toll, pay it through the verified site. Do not call any phone number listed in the scam text — those numbers are also fraudulent and route to the same operators trying a different approach.
If you posted publicly that you lost money to a toll scam, "recovery scammers" will find you within days. They will offer to retrieve your money for an upfront fee. They will know specific details about your scam because your information has been sold on the same Telegram channels the toll texts are sent from. Real recovery channels — your bank, the dispute process, FBI IC3, FTC — are all free. See the recovery scams piece for the full pattern.
From the field. The single most common version of this scam I see in the inbox is not the high-loss card-fraud case — that one usually gets resolved by chargeback within a week. The harder cases are people who entered identity details (full name, address, DOB, sometimes SSN) without entering card details, then heard nothing for months, then discovered synthetic-identity accounts in their name a year later. The card harvest is the loud part of the scam. The identity harvest is the quiet part. The same kit collects both, and the second one does not show up in the FBI's loss tallies for two to three years.
So why is this still happening?
The unpaid toll text scam is not clever. The tells are right there — the text comes from a number you have never heard of, the link goes to a domain you have never used, the urgency is artificial, the toll authority does not text. What makes the scam work at this scale is not skill. It is that sixty thousand phishing domains can stay online for months at a time because no single agency has the authority and the will to take them down, and the carriers that route the SMS have spent more time arguing about compliance scope than blocking obvious sender-ID spoofing from a country whose criminal-justice cooperation with the US on cybercrime is, to put it generously, limited.
The 2024 FBI PSA was not the start of the action. It was the start of the wait. The FCC took twenty-one months to make robotext blocking mandatory. The state attorneys general had to write thirty-seven letters in August 2025 to get carriers to follow rules that already existed. The .xin TLD remains accredited. Apple and Google still allow sender-ID spoofing at consumer scale in iMessage and RCS. None of these are individual people's fault, and none of them are unfixable. They are simply not yet fixed.
If you take one rule from this entire piece, take this: any text that tells you that you owe money to a government agency or a quasi-government toll system is a scam until you have logged into the agency's real website yourself and confirmed the balance there. The government does not text. Your toll system does not text. Every time. No exceptions.
Already submitted information to a fake toll site? Let's look at the damage together.
Tell us what you entered — card, identity, both — and what has happened since. A real expert reviews every case and replies within 24 hours. Free, confidential, no pressure.
Is the unpaid toll text from E-ZPass, SunPass, or FasTrak ever real?
No. No US state toll authority texts unpaid balances to people who have not specifically opted into text reminders inside a verified account. Not E-ZPass, not SunPass, not FasTrak, not TxTag, not I-Pass, not PeachPass, not EZDriveMA, not Good-To-Go. Real toll systems mail paper notices to the registered vehicle owner. If you have an account, you can log in to the official website by typing the address into your browser directly and see the real balance — it will not match the text. The text is always a scam. The FBI's IC3 has logged tens of thousands of complaints since the campaign started in March 2024.
What happens if I clicked the link in a toll scam text?
Clicking the link alone does not usually compromise a modern phone — it loads a phishing page that asks for your name, ZIP code, and card details. If you closed the page without typing anything, you are most likely fine; clear your browser data and run a malware scan to be safe. If you typed information, treat it as already stolen even if you never hit submit — the phishing kits used by the Smishing Triad capture keystrokes in real time. Call your card issuer's fraud line the same hour, freeze the card, and dispute any charges. If you entered identity details (SSN, DOB, full address), freeze your credit at all three US bureaus immediately.
Why are these toll scam texts so convincing in 2026?
Three reasons. First, the criminal group running this — Resecurity and Krebs on Security have linked it to a China-based operation called the Smishing Triad — uses a phishing kit called Lighthouse that detects mobile devices and serves pixel-perfect replicas of real toll-system websites. Second, the .xin top-level domain registry has approved more than 60,000 lookalike domains supporting the campaign, so blocking one does nothing. Third, the texts arrive via Apple iMessage and Android RCS using spoofed sender IDs sold through underground services like Oak Tel at $8 per 1,000 messages. The texts look real because the infrastructure built to serve them was designed to look real.
Why don't the carriers and the FCC block these texts?
They eventually started to. The FCC adopted Do-Not-Originate (DNO) list requirements for text messages in May 2023, and mandatory enforcement began in December 2025 — twenty-one months after the FBI's first toll-smishing PSA in April 2024. In August 2025, a bipartisan coalition of 51 state attorneys general launched Operation Robocall Roundup and sent warning letters to 37 voice providers who were not complying with the FCC's traceback and mitigation rules. The tools existed, the rules existed, and the texts kept coming. The honest answer is that the carriers' compliance was slow, the FCC's enforcement timeline lagged the criminal operations by years, and ICANN registrar accreditation for the abused .xin TLD has not been revoked.
How are the scammers getting my phone number?
They are not specifically targeting you. The Smishing Triad operators buy bulk phone-number lists from data brokers, scrape leaked breach data, and use sequential number generation against US area codes. The campaign is volume, not precision — Palo Alto Unit 42 documented millions of texts in 2025 alone. Getting a toll scam text does not mean your number was specifically compromised; it means your number exists. The same operators rotated into this scam from the 2023-2024 wave of fake-USPS package-redelivery texts. If you got those, you are now on the toll list. If you get the toll texts, you will likely get the next variant when the operators pivot again.
What if I actually have an unpaid toll?
Go directly to your state's official toll-system website by typing the address into your browser. Never click the link in any text. If you have an E-ZPass account, log in at the e-zpass.com sub-site for your state (every state operates its own). For SunPass, sunpass.com. FasTrak, bayareafastrak.org or thetollroads.com depending on region. TxTag, txtag.org. If you legitimately owe a toll, it will appear in your account and you can pay through the verified site. If your account shows no balance but you think you owe one (perhaps you drove a friend's car or a rental), call the toll system's customer service line published on the official site — never the number in the text.
Sources & further reading
Every figure in this piece is drawn from these authorities. Click any of them to verify.