Smishing Triad Fuels Surge in Toll Payment Scams in US, UK


A rise in smishing campaigns impersonating toll service providers has been traced to a China-based cybercriminal group known as the Smishing Triad.

The group is using deceptive instant messages to defraud users in the US and UK, with signs the activity may spread globally.

According to a new advisory by Resecurity, the scam works by sending fraudulent SMS and iMessage texts appearing to come from legitimate tolling agencies like FasTrak, E-ZPass and I-Pass.

These messages claim recipients owe unpaid toll bills, often using spoofed sender IDs to appear authentic. Victims are then directed to phishing websites designed to harvest personal and financial information.

The tactic is difficult to counter, as instant messages tend to evade spam filters and users typically place more trust in them than emails. Combined with urgent language, this leads to higher conversion rates for the scammers compared to other phishing methods.

Over 60,000 domain names have been registered to support these attacks, many hosted under the “.xin” top-level domain, managed by Elegant Leader Limited in Hong Kong.

A significant spike in this smishing activity occurred at the start of Q1 2025, with millions of targeted messages reported.

How the Scam Works

Victims receive messages that appear legitimate, urging immediate payment or account verification. These often mimic trusted institutions and lead recipients to phishing websites.

Once engaged, users are asked for sensitive data, including credit card details or login credentials.

A service called “Oak Tel” (also known as “Carrie SMS”) has emerged as a key enabler. Operated by actors based in China, Oak Tel gives cybercriminals access to:

  • Web-based dashboards to manage campaigns
  • Tools to spoof sender names like “US Postal Service” or “Chase Bank”
  • APIs to automate and scale smishing attempts
  • Data uploads for targeting victims based on region or behavior

The service is marketed and sold via Telegram, often for as little as $8 per 1000 texts.

Mitigation and Consumer Warnings

Federal and state agencies urge consumers to verify toll payment claims through official websites and avoid clicking links in unsolicited messages.

“It is challenging for consumers to mitigate smishing because actors have started impersonating legitimate organizations by spoofing sender IDs (SIDs),” Resecurity explained.

“If you receive a message that appears to be from a bank or service provider, contact them via their official number and make sure their notification is legitimate.”

Meanwhile, instant messenger (IM) platforms are being called on to adopt stronger protections to counter this growing threat.

“Incorporating best practices and adapting them to the unique aspects of IM messaging can significantly increase the cost to the threat actors while decreasing the scale, effectiveness and conversion rates of attacks that utilize IM services as a key component,” Resecurity concluded.
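The indicators reported above (the impersonated toll brands, a link that does not lead to the agency's official site, and the ".xin" top-level domain) can be combined into a simple message-triage heuristic. The following is an added example, not code from Resecurity's advisory; the allowlisted host, the urgency word list and the sample messages are constructed placeholders.

```python
import re

# Toll brands the article names as impersonated.
BRANDS = re.compile(r"\b(fastrak|e-?zpass|i-?pass)\b", re.I)
# Pressure wording typical of "unpaid toll" lures (constructed list, assumption).
URGENCY = re.compile(r"\b(unpaid|overdue|outstanding|final notice|late fees?)\b", re.I)
# Links with or without a scheme; group 1 is the hostname.
LINK = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
# TLD the article reports for many of the campaign's domains.
SUSPECT_TLDS = {"xin"}
# Placeholder allowlist (assumption): replace with the agencies' real hosts.
OFFICIAL_HOSTS = {"tolls.example.gov"}

def is_official(host):
    """Exact host or a subdomain of an allowlisted host; lookalike prefixes fail."""
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)

def classify(text):
    """Return (verdict, reasons) for one SMS/iMessage body."""
    hosts = [m.group(1).lower() for m in LINK.finditer(text)]
    unofficial = [h for h in hosts if not is_official(h)]
    reasons = []
    if BRANDS.search(text):
        reasons.append("toll-brand")
    if URGENCY.search(text):
        reasons.append("urgency")
    if unofficial:
        reasons.append("unofficial-link")
    if any(h.rsplit(".", 1)[-1] in SUSPECT_TLDS for h in unofficial):
        reasons.append("suspect-tld")
    # A toll brand plus a link that is not the agency's own site is the core lure.
    if "toll-brand" in reasons and "unofficial-link" in reasons:
        return "likely-smishing", reasons
    if "unofficial-link" in reasons and len(reasons) > 1:
        return "suspicious", reasons
    return "ok", reasons

# Constructed sample messages; hosts are placeholders, not real indicators.
SAMPLES = [
    "E-ZPass: you have an unpaid toll. Pay by tonight to avoid late fees: https://pay.tolls-example.xin/bill",
    "FasTrak: your monthly statement is ready at https://tolls.example.gov/account",
    "I-Pass account locked, verify at tolls.example.gov.verify-example.xin/login",
    "Final notice: outstanding balance. Settle at pay.tolls-example.xin/x",
    "Running late, see you at 6",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(classify(msg)[0], "|", msg)
```

Because sender IDs can be spoofed, the heuristic deliberately ignores the sender field and scores only the message body and link destination.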


