
A China-based cybercriminal group known as the Smishing Triad is escalating its smishing activities, now targeting consumers in the US and UK with fraudulent text messages related to toll payment services.
The Resecurity report reveals that these campaigns involve deceptive text messages that claim unpaid toll bills or payment requests linked to services like FasTrak, E-ZPass, and I-Pass. The report warns that this targeting of toll services is expected to broaden globally, mirroring the group’s previous campaign expansions.
The cybercriminals employ tactics that make it difficult for consumers to protect themselves, notably by “impersonating legitimate organizations by spoofing Senders ID (SID)”. They exploit the lower spam protection of SMS, iMessage, and similar instant messaging apps compared to email, which increases the likelihood of victims falling for the scam. As the report highlights, “end users place more trust in these types of messages than in email, and these messages also create a sense of urgency for users to resolve the issue”. This perceived legitimacy and urgency contribute to a “significantly higher expected conversion rate than email, SEO, and other techniques the actors could use”.

The scam operates by sending instant messages that appear to originate from actual tolling agencies. These messages demand payment for alleged unpaid tolls or seek sensitive information. The attackers’ objectives include not only financial gain but also the theft of personal and financial data for future exploitation.
The scale of the campaign is significant, with the use of over 60,000 domain names, posing a challenge for platforms like Apple and Android in their efforts to block the fraudulent activity. Resecurity observed “a significant spike in these activities” at the beginning of Q1 2025, with millions of consumers being targeted. In some instances, malicious texts were sent from UK numbers using underground bulk IM/SMS services.
Interestingly, some of the identified domain names used in the campaign were registered in the “.xin” generic top-level domain (gTLD). The report notes that “.xin” translates to “new” or “faith” in Chinese and is managed by Elegant Leader Limited; the domain is aimed at Chinese-language users, particularly new or innovative organizations.
In response to these widespread scams, federal and state agencies have issued warnings, advising individuals to verify toll-related claims through official websites. The report emphasizes that “consumers are advised not to click on links in unsolicited text messages and to report suspicious messages to authorities”.
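For defenders who triage reported messages, the traits described above (toll branding, urgency, links to non-official hosts, the “.xin” TLD) can be combined into a simple check. The following is an added example, not code from Resecurity or from this article; the allow-list entry `tolls.example.org`, the urgency word list, the verdict labels and all sample domains are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Toll brands named in the article, plus the generic word "toll".
BRAND = re.compile(r"\b(fastrak|e-?zpass|i-?pass|tolls?)\b", re.I)
# Assumption: illustrative urgency vocabulary, not taken from the report.
URGENCY = re.compile(r"\b(unpaid|overdue|outstanding|final notice|late fee)\b", re.I)
# Assumption: placeholder allow-list; replace with the agencies' real domains.
OFFICIAL_HOSTS = {"tolls.example.org"}
WATCHED_TLDS = {"xin"}  # TLD the article reports among the campaign's domains
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def hosts_in(text):
    """Lower-cased hostnames of every URL-like token, with or without a scheme."""
    hosts = []
    for match in URL_RE.finditer(text):
        token = match.group(0)
        if not token.lower().startswith(("http://", "https://")):
            token = "http://" + token
        host = urlsplit(token).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def is_official(host):
    """Exact or dot-anchored suffix match, so an official name used as a prefix fails."""
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)

def triage(text):
    """Return (verdict, reasons) for one SMS or iMessage body."""
    reasons = []
    branded = bool(BRAND.search(text))
    unofficial = [h for h in hosts_in(text) if not is_official(h)]
    if branded and unofficial:
        reasons.append("toll-themed text links to unlisted host " + unofficial[0])
    if any(h.rsplit(".", 1)[-1] in WATCHED_TLDS for h in unofficial):
        reasons.append("link uses a watched TLD")
    if branded and URGENCY.search(text):
        reasons.append("urgency wording")
    if branded and unofficial:
        return "suspicious", reasons
    return ("review" if reasons else "ok"), reasons

# Constructed sample messages; every domain here is invented for the example.
SAMPLES = [
    "E-ZPass: you have an unpaid toll of $6.99. Pay now to avoid a late fee: "
    "https://ezpass-constructed-sample.xin/bill",
    "Your FasTrak statement is ready: https://account.tolls.example.org/statement",
    "I-Pass overdue balance, pay at tolls.example.org.constructed-sample.xin/pay",
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

The third sample shows why the allow-list is matched as a dot-anchored suffix: a host that merely begins with an official name is still treated as unlisted.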