A Deep Dive into Toll Violation Text Scams

Scams

June 19, 2025

Many types of SMiShing (SMS text phishing scams) continue to target New Jersey residents. Thank you, and kudos to you for reporting scams to the NJCCIC. Each of you who reported scams recognized them for what they are: scams. Through reporting, the NJCCIC analyzes and paints a clearer picture of the current threat landscape, helps warn others, offers resources to those impacted, and takes action to help prevent any further expansion of these fraudulent campaigns.

In the most recent SMiShing campaigns, the threat actors impersonate E-ZPass, the “DMV” (New Jersey’s actual agency is the Motor Vehicle Commission, or MVC), and NJ Courts, claiming the recipients must pay a fine. The threat actors’ goals are the same: to entice you to click on malicious links, download malware, divulge personal information, or make a fraudulent payment. As with phishing emails, SMiShing text messages often include a sense of urgency and dire consequences if you do not take immediate action. Therefore, don’t take the bait!

As a friendly reminder:

  • Government agencies and those affiliated with public services will not send you text messages demanding payments for fines.
  • Law enforcement and court systems do not accept gift cards as payment for bail.
  • Legitimate employers do not send unsolicited high-paying job offers via SMS messages.

Here is how to protect yourself and report SMS scams:

  • Look for red flags like unexpected requests for personal information, suspicious links, or urgent requests to take action.
  • Forward the scam text message to your carrier’s spam reporting service (often 7726).
  • Report to the NJCCIC, IC3, and FTC.
  • Block the number: Block the sender’s number to prevent further unwanted messages.
  • If you are unsure about a text message, contact the organization or individual mentioned in the message directly to verify the information and request.
  • Be cautious of spoofed numbers, as scammers can disguise their phone numbers to appear as if they are from a trusted source.
  • Share information about SMS scams to help others stay safe.

Scope and Impact

You are not alone! The scope of these SMiShing campaigns is extensive, affecting numerous US states and resulting in significant financial losses. The FTC highlighted that consumers reported losses amounting to $470 million in 2024 due to scams initiated via text messages, marking a fivefold increase compared to 2020 figures. SMiShing text messages for unpaid tolls were specifically identified as a top text scam category. The FBI’s Internet Crime Complaint Center (IC3) corroborated this trend, having received 59,271 complaints related to toll scams in 2024 alone. While these numbers may appear high, the actual number of scam attempts is likely much greater.

The recent rash of SMS scams is not unique or new to New Jersey. However, threat actors have significantly ratcheted up their campaigns over the past several months. The campaigns are demonstrably nationwide, as threat actors impersonate a wide array of state-specific toll collection services. Affected systems include, but are not limited to, E-ZPass in New Jersey, SunPass in Florida, FasTrak in California, and I-PASS in Illinois. The NJCCIC is also aware of these scams in Arizona, Colorado, Ohio, and many other states. Authorities across the United States warned of a surge in SMS-based toll payment fraud. Victims receive text messages impersonating state toll agencies, motor vehicle agencies, and court systems, claiming they owe unpaid road tolls and directing them to click a link to pay immediately. The text messages often threaten fines, legal action, or suspension of driving privileges if payment is not made by a certain date. These campaigns are like swarms of locusts that go from state to state, victimizing any unsuspecting and naive recipient in their path. No one is off limits, including NJCCIC staff members.

The NJCCIC identified over 20,000 second-level domains linked to these SMS scams, and the number of fraudulent URLs tied to these domains is many times higher. These numbers include domains and URLs, not the actual SMiShing messages referencing them. Authorities across the US have attempted to rein in these scams by taking down the domains, but it is like playing a game of whack-a-mole, as the threat actors continue to register new domains to carry out their campaigns.

Tactics, Techniques, and Procedures (TTPs)

The scam text messages are carefully crafted to appear official and urgent. They typically state that the recipient has an “unpaid toll” or “outstanding toll fee” and must immediately pay a small amount (often just a few dollars). The messages use alarming language (e.g., “NJ Motor Vehicle Commission Final Notice: Enforcement begins on June 15th.”) to scare users into taking quick action.

Many scam text messages instruct the user to “Reply ‘Y’” before clicking the link, a step intended to bypass security features. On iPhones, for instance, messages from unknown senders have clickable links disabled by default. Therefore, the threat actors activate the hyperlink by convincing the user to reply “Y” and reopen the message. This ploy, together with delivering messages over iMessage or RCS (internet-based messaging), helps the threat actors evade carrier SMS spam filters. The text sender IDs are often foreign phone numbers (e.g., Philippines, Canada, United Kingdom, etc.) or seemingly random email addresses, indicating that the text message is likely fraudulent.
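The indicators in this section (lure wording, the “Reply ‘Y’” activation ploy, an abused TLD in the link, and a foreign or email-style sender ID) can be checked mechanically. The script below is an added example written for this page, not NJCCIC code; the sample messages are constructed to resemble the lures described above, and the scoring thresholds are an assumption you would tune against your own report volume.

```python
import re

# Lure phrases taken from the wording the advisory quotes or describes.
LURE_PHRASES = ("unpaid toll", "outstanding toll", "final notice", "enforcement begins",
                "legal action", "suspension", "pay immediately")
# TLDs the advisory reports as concentrated in these campaigns, plus .icu/.xyz from its examples.
RISKY_TLDS = {"xin", "vip", "top", "win", "cc", "live", "icu", "xyz"}
# "Reply Y" in its common spellings: Reply Y / reply 'Y' / Reply “Y”
REPLY_Y_RE = re.compile(r"\breply\s*[\"'‘’“”]?y[\"'‘’“”]?\b", re.IGNORECASE)
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+$")

# Constructed sample messages (not real captures), modelled on the lures the advisory describes.
SAMPLES = [
    {"sender": "+63 917 555 0101",
     "body": ("NJ Motor Vehicle Commission Final Notice: Enforcement begins on June 15th. "
              "You have an unpaid toll. Reply Y, then exit and reopen this message to "
              "activate the link: https://mvc-govpx.live/pay")},
    {"sender": "qx81kd@example.com",
     "body": "E-ZPass: outstanding toll fee of $6.99. Pay now to avoid a fine https://ezpass.xyz/i/7a2"},
    {"sender": "+1 908 555 0123",
     "body": "Your dentist appointment is tomorrow at 9am. Reply STOP to opt out."},
]


def sender_flags(sender):
    """Flag sender IDs that are email addresses or non-+1 phone numbers.
    +1 covers the whole North American Numbering Plan, so a Canadian sender
    (which the advisory also mentions) is not distinguished by this check."""
    s = sender.strip()
    if EMAIL_RE.match(s):
        return ["sender ID is an email address rather than a phone number"]
    if s.startswith("+") and not s.startswith("+1"):
        return ["sender number is outside the +1 numbering plan"]
    return []


def triage_sms(sender, body):
    """Return a verdict plus the individual indicators that produced it."""
    reasons = []
    lowered = body.lower()
    hits = [p for p in LURE_PHRASES if p in lowered]
    if hits:
        reasons.append("lure phrase(s): " + ", ".join(hits))
    if REPLY_Y_RE.search(body):
        reasons.append("asks the recipient to reply 'Y' (link-activation ploy)")
    for host in URL_HOST_RE.findall(body):
        tld = host.lower().rsplit(".", 1)[-1]
        if tld in RISKY_TLDS:
            reasons.append(f"link host {host} uses frequently abused TLD .{tld}")
    reasons.extend(sender_flags(sender))
    score = len(reasons)
    if score >= 2:
        verdict = "likely smishing"
    elif score == 1:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {"verdict": verdict, "score": score, "reasons": reasons}


if __name__ == "__main__":
    for msg in SAMPLES:
        result = triage_sms(msg["sender"], msg["body"])
        print(f"{result['verdict']:>16} ({result['score']}): {msg['body'][:60]}...")
        for reason in result["reasons"]:
            print("    -", reason)
```

Each indicator is reported separately rather than folded into a single score, so an analyst reviewing forwarded reports can see which of the advisory's TTPs a message actually exhibits; the "Reply Y" check is deliberately narrow so that ordinary "Reply STOP" opt-out text does not trigger it.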

The geographic distribution and the impersonation of local toll systems suggest the threat actors have some operational intelligence about their targets. Just a few weeks ago, the threat actors referenced the New Jersey Department of Motor Vehicles (DMV) when targeting New Jersey residents. Unbeknownst to the threat actors, the DMV changed its name to the MVC almost 10 years ago, which was pointed out in warnings as a way to identify the SMS text messages as fraudulent. However, fast forward to this week: the threat actors have now updated their messaging to correctly reference the MVC instead of the DMV. This level of “authenticity” likely increases the success rate of the scams. However, they have not yet updated the “According to Pennsylvania traffic regulations” language from their latest campaign targeting New Jersey residents.

The Who and the How

Security researchers believe these campaigns are the handiwork of financially motivated organized cybercrime groups based in China, who employ sophisticated tools and infrastructure, referred to as SMiShing kits, to maximize the scale and effectiveness of their operations. The SMiShing kits consist of pre-packaged software solutions, reportedly developed by threat actors like “Wang Duo Yu,” or marketed under names such as “Lighthouse,” “Darcula,” and “Xiū gǒu.” These kits provide a suite of functionalities designed to streamline the phishing/SMiShing process, including tools to spoof sender names, APIs for automating SMiShing attempts, and web-based dashboards for managing campaigns and tracking victims. The kits are often advertised and sold on underground forums or messaging platforms like Telegram.

Multiple security firms have traced the SMiShing kits to a Chinese “Smishing Triad,” a threat actor group specializing in SMS frauds. In addition to the recent spate of toll road and government agency impersonation SMS scams, the Smishing Triad is also believed to be responsible for many SMS fraud campaigns impersonating shipping companies and tricking recipients into clicking links about fake package deliveries. More recently, the Smishing Triad has reportedly been using SMiShing kits to impersonate banks and financial institutions to trick recipients of fraudulent SMS text messages into clicking links and divulging sensitive information related to their accounts. Renowned security researcher Brian Krebs documented this activity.

The use of these kits allows threat actors to scale their operations immensely. The NJCCIC identified over 20,000 domains related to the SMS scams. However, reports indicate that these fraud groups may register over 60,000 domains for a single campaign, which allows for rapid cycling of domains to evade blocklisting and takedown efforts. While the exact methods for initial targeting are not always clear, it is suspected that publicly leaked data breaches containing phone numbers and other personal details are used to compile lists of targets for these SMiShing campaigns.

Domain Naming Conventions and Impersonation Strategies

The NJCCIC’s analysis of the latest toll violation SMiShing campaigns revealed consistent domain naming conventions that closely impersonate legitimate official government or transportation payment systems, such as ezpass, fastrak, sunpass, paturnpike, driveezmd, txtag, etc. These variations often include words like “service,” “pay,” “payment,” “info,” and “gov,” followed by random alphanumeric strings or state abbreviations (e.g., NJ, MD, VA, TX), sometimes separated by hyphens to create a semblance of legitimacy. Examples include ezpassnji[.]xin, gov-payvd[.]icu, ezpass[.]xyz, and mvc-govpx[.]live. Another observed tactic is to prepend a familiar brand term as a subdomain to make the URL appear legitimate. Examples include mvcnj.gov-dfb[.]vip, dmv.colorado-govw[.]icu, and az.gov-ncsa[.]icu. Users unaware of the precise official URL for their specific toll provider or government organization may be more susceptible to these slightly altered but plausible-sounding fraudulent domains.

Another notable characteristic of many SMiShing campaigns is selecting a relatively small group of Top-Level Domains (TLDs). The NJCCIC’s analysis found a significant concentration of these SMiShing domains registered under TLDs such as .xin, .vip, .top, .win, .cc, and .live. Cybercriminals often favor these TLDs due to several factors, including low registration costs, minimal or lax registrant verification processes, and sometimes inadequate oversight from the respective TLD registries or affiliated registrars. The NJCCIC’s findings are consistent with those of the Spamhaus Project, an international non-profit organization focused on combating spam and other forms of cyber threats.
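The naming conventions and TLD concentration described in the two paragraphs above translate directly into a domain-scoring heuristic. The following is an added example written for this page, not NJCCIC tooling: the brand, keyword and TLD lists come from the text, the state lists are a deliberately small subset, and the official-domain allowlist is an assumption standing in for whatever list an analyst maintains. The defanged domains in the demo are the ones quoted in this section.

```python
import re

# Brand and keyword terms named in the advisory's analysis of domain naming conventions.
BRANDS = ("ezpass", "fastrak", "sunpass", "paturnpike", "driveezmd", "txtag", "ipass", "mvc", "dmv")
KEYWORDS = ("service", "payment", "pay", "info", "gov")
# State abbreviations and names: a subset for illustration; extend to all 50 in practice.
STATE_ABBRS = ("nj", "md", "va", "tx", "az", "co", "ny", "pa", "fl", "ca", "il", "oh")
STATE_NAMES = ("jersey", "maryland", "virginia", "texas", "arizona", "colorado")
# TLDs the advisory found concentrated in the campaigns, plus .icu/.xyz from its examples.
RISKY_TLDS = {"xin", "vip", "top", "win", "cc", "live", "icu", "xyz"}
# Assumed analyst-maintained allowlist of official registrable domains (illustrative).
OFFICIAL = {"ezpassnj.com", "nj.gov"}


def _residue(sld):
    """Strip every known brand/keyword/state term from the second-level label and
    return what is left; a non-empty leftover next to a brand or keyword is the
    'random alphanumeric string' pattern the advisory describes."""
    rest = sld
    for term in sorted(BRANDS + KEYWORDS + STATE_NAMES + STATE_ABBRS, key=len, reverse=True):
        rest = rest.replace(term, "")
    return re.sub(r"[^a-z0-9]", "", rest)


def assess_domain(domain):
    """Score one (possibly defanged) domain against the naming heuristics."""
    d = domain.lower().replace("[.]", ".").strip(".")
    labels = d.split(".")
    tld = labels[-1]
    sld = labels[-2] if len(labels) >= 2 else ""
    subdomains = labels[:-2]
    registrable = ".".join(labels[-2:])   # naive: no public-suffix handling
    if registrable in OFFICIAL:
        return {"domain": d, "score": 0, "verdict": "allowlisted", "reasons": []}

    reasons = []
    if tld in RISKY_TLDS:
        reasons.append(f"TLD .{tld} is heavily abused in these campaigns")
    brand_in_sld = [b for b in BRANDS if b in sld]
    if brand_in_sld:
        reasons.append(f"registrable domain impersonates {', '.join(brand_in_sld)}")
    brand_in_sub = [b for s in subdomains for b in BRANDS if b in s]
    if brand_in_sub:
        reasons.append(f"brand term {', '.join(brand_in_sub)} appears only as a subdomain of {registrable}")
    keywords = [k for k in KEYWORDS if k in sld]
    if keywords:
        reasons.append(f"government/payment keyword(s): {', '.join(keywords)}")
    leftover = _residue(sld)
    if leftover and (brand_in_sld or keywords):
        reasons.append(f"unexplained alphanumeric residue '{leftover}' after the brand/keyword")

    score = len(reasons)
    verdict = "likely fraudulent" if score >= 2 else ("suspicious" if score == 1 else "no indicators")
    return {"domain": d, "score": score, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for name in ("ezpassnji[.]xin", "gov-payvd[.]icu", "ezpass[.]xyz", "mvc-govpx[.]live",
                 "mvcnj.gov-dfb[.]vip", "dmv.colorado-govw[.]icu", "az.gov-ncsa[.]icu", "ezpassnj.com"):
        r = assess_domain(name)
        print(f"{r['verdict']:>18}  {r['domain']}  {r['reasons']}")
```

The allowlist check runs first because legitimate agency domains also combine a brand with a state abbreviation; without it, the residue and brand checks alone would flag the real sites as readily as the look-alikes. The residue test only counts when a brand or keyword is present, so an unrelated domain such as example.com scores zero.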

The initial registration of a domain is typically much less expensive than renewing its registration, enabling threat actors to use the domain for a single campaign without renewal. This operational model allows threat actors to treat domains as disposable assets while keeping costs in check.

Domain Registrars’ Facilitation of Fraudulent Activity

In addition to the threat actors using a few TLDs for their campaigns, they favor a few domain registrars. The NJCCIC reviewed the toll violation SMiShing campaigns and found that 82 percent of the fraudulent domains were registered through Dominet (HK) Limited, formerly known as Alibaba.com Singapore E-Commerce Private Limited. Dominet (HK) Limited provides domain registration services for Alibaba Cloud, which also uses the domain allyun[.]com. Beyond the registrars, Cloudflare provided DNS services for the fraudulent sites associated with the domains. The NJCCIC filed abuse complaints, including cease and desist demands with Dominet (HK) Limited and Cloudflare. However, the lack of timely response or action to disable the domains and take steps to root out threat actors from using their services significantly inhibits efforts to reduce victimization.

The conduct of some registrars and registry operators has drawn scrutiny from the Internet Corporation for Assigned Names and Numbers (ICANN). For instance, ICANN has issued compliance notices to Alibaba.com, citing failures to take reasonable and prompt steps to investigate and respond appropriately to reports of abuse. Such failures are critical, as registrars typically have Acceptable Use Policies (AUPs) or Terms of Service (ToS) that explicitly prohibit using their domain registration services for illicit activities such as phishing, fraud, impersonation, and malware distribution. Shortly after receiving the compliance notice, Alibaba.com Singapore E-Commerce Private Limited changed its name to Dominet (HK) Limited for the purposes of its domain registration business. Cloudflare is also no stranger to complaints about it turning a blind eye to its services’ illegal and unethical use. AUPs and ToS agreements should not be ineffectual.

The concentration of malicious domains with a relatively small number of registrars suggests that the business models, registration processes (e.g., ease of anonymous or bulk registration, minimal upfront vetting, etc.), or abuse response mechanisms of non-compliant registrars may be more permissive or less robust. These characteristics, in turn, make such registrars preferred choices for threat actors seeking to quickly and cheaply acquire domains for malicious campaigns. Threat actors will naturally gravitate towards registrars that offer the path of least resistance, including those that might be slow to act on abuse complaints or offer services like WHOIS privacy that are attractive to those wishing to conceal their identities. The NJCCIC found that the WHOIS information for the fraudulent domains used privacy protection services offered by the respective registrars. Other than a few domains for which a probably fictitious registrant name or organization was used, identifying the registrants of fraudulent domains is impossible without the assistance of the registrars. For instance, the fictitious registrant name “Corsss” was used to register 153 fraudulent domains (e.g., gov-ber[.]win, gov-nlk[.]win, gov-pwe[.]win, gov-krn[.]win, etc.), while Dominet’s privacy safeguards redacted all other identifiers.
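The two analyses described in this section, registrar share across a domain set and pivoting on a recurring registrant name while ignoring privacy-redaction placeholders, can be reproduced over exported WHOIS records. The code below is an added example for this page, not NJCCIC tooling. The records are constructed: only the four gov-*[.]win names and the “Corsss” registrant come from the text, and the registrar and registrant values assigned to the other domains are illustrative rather than real lookups, so the 80 percent share it computes is a property of the sample, not the advisory’s 82 percent figure.

```python
import re
from collections import Counter, defaultdict

# Constructed WHOIS-style records (not real lookups). Registrar/registrant values are
# illustrative except for the four gov-*.win domains and "Corsss", which the advisory cites.
RECORDS = [
    {"domain": "gov-ber.win", "registrar": "Dominet (HK) Limited", "registrant": "Corsss"},
    {"domain": "gov-nlk.win", "registrar": "Dominet (HK) Limited", "registrant": "Corsss"},
    {"domain": "gov-pwe.win", "registrar": "Dominet (HK) Limited", "registrant": " corsss "},
    {"domain": "gov-krn.win", "registrar": "Dominet (HK) Limited", "registrant": "CORSSS"},
    {"domain": "gov-payvd.icu", "registrar": "Dominet (HK) Limited", "registrant": "REDACTED FOR PRIVACY"},
    {"domain": "mvc-govpx.live", "registrar": "Dominet (HK) Limited", "registrant": "REDACTED FOR PRIVACY"},
    {"domain": "ezpassnji.xin", "registrar": "Dominet (HK) Limited", "registrant": "Redacted for Privacy"},
    {"domain": "gov-dfb.vip", "registrar": "Dominet (HK) Limited", "registrant": "Data Protected"},
    {"domain": "sample-other1.top", "registrar": "Example Registrar LLC", "registrant": "Whois Privacy Protected"},
    {"domain": "sample-other2.cc", "registrar": "Example Registrar LLC", "registrant": "Jane Roe"},
]

# Common placeholder wording registrars substitute when WHOIS privacy is enabled.
PRIVACY_RE = re.compile(r"redact|privacy|protected|withheld|not disclosed", re.IGNORECASE)


def normalize_registrant(name):
    """Return a clustering key for a registrant name, or None for privacy placeholders.
    Redacted values must not form a cluster: hundreds of unrelated domains share them."""
    key = re.sub(r"\s+", " ", (name or "").strip()).lower()
    if not key or PRIVACY_RE.search(key):
        return None
    return key


def registrar_share(records):
    """Fraction of the domain set registered through each registrar."""
    counts = Counter(r["registrar"] for r in records)
    total = sum(counts.values())
    return {registrar: n / total for registrar, n in counts.items()}


def dominant_registrars(records, threshold=0.5):
    """Registrars holding at least `threshold` of the set (threshold is an assumption)."""
    return [reg for reg, share in registrar_share(records).items() if share >= threshold]


def registrant_clusters(records, min_size=3):
    """Group domains by normalized registrant name; report clusters of min_size or more."""
    groups = defaultdict(list)
    for r in records:
        key = normalize_registrant(r["registrant"])
        if key:
            groups[key].append(r["domain"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


if __name__ == "__main__":
    for registrar, share in registrar_share(RECORDS).items():
        print(f"{share:5.0%}  {registrar}")
    for name, domains in registrant_clusters(RECORDS).items():
        print(f"registrant {name!r} -> {len(domains)} domains: {', '.join(domains)}")
```

Normalizing case and whitespace before grouping matters in practice, since bulk-registered domains often carry the same fictitious name typed slightly differently; filtering placeholders first keeps the privacy-redacted majority from appearing as a single giant "registrant".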

FTC and ICANN compliance enforcement can exert pressure on registrars. However, the persistence of the problem indicates that these measures are not necessarily effective or sufficiently punitive to drive fundamental changes in behavior across all registrars. Current enforcement mechanisms are not a strong enough deterrent for entities whose business models may benefit from high registration volumes, irrespective of the domains’ ultimate use.

The transnational nature of these cybercrime groups, with operations potentially spanning multiple countries, presents significant challenges for law enforcement. Investigations and takedown efforts are complicated by jurisdictional boundaries, requiring international cooperation that can be slow and complex to navigate. This operational structure provides a degree of insulation for the threat actors, allowing them to continue their illicit activities with a reduced risk of identification and apprehension.

Wrangling the Wild West

The proliferation of fraudulent SMS scams represents a severe and highly adaptable cyber threat that can inflict significant financial losses upon its victims. These SMiShing campaigns are characterized by their social engineering tactics, large-scale operational infrastructure, and sophisticated threat actor groups, who continuously evolve their TTPs by adopting new SMiShing kits, identifying and abusing new low-cost TLDs, and refining their social engineering lures to bypass detection and manipulate victims.

Issuing cease and desist notifications to domain registrars is a vital tactical step in disrupting these cybercriminal operations. By systematically identifying domains that violate registrars’ own Terms of Service and demanding their deactivation, organizations like the NJCCIC, Spamhaus, the Anti-Phishing Working Group (APWG), the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG), and others can actively work to dismantle the infrastructure used in these attacks. However, while individual domain takedowns are necessary, they address the symptoms more than the root causes.

A long-term, more sustainable solution requires systemic changes within the internet ecosystem, including fostering greater accountability among domain registrars and registries, potentially through stricter enforcement of ICANN policies and implementing more robust registrant verification processes. Enhanced international cooperation among law enforcement agencies is also crucial to investigate and prosecute transnational cybercrime groups responsible for these campaigns.

Ultimately, the success of these SMiShing campaigns highlights broader societal vulnerabilities, including susceptibility to well-crafted social engineering messages and the inherent challenges of securing a decentralized global internet infrastructure where malicious threat actors can easily and cheaply procure resources for these SMS scams and beyond. Today, the internet is still like the lawless wild west where threat actors, fraudsters, thieves, drug dealers, child sex abusers, rapists, and murderers thrive. Addressing these threats requires advanced technical solutions, more effective governance of critical internet resources, and a concerted effort to improve security awareness among the public. The impact of such unlawful activities can be meaningfully curtailed only through a comprehensive and collaborative approach involving continuous adaptation by cybersecurity professionals, proactive measures by organizations, cooperation among governments and law enforcement agencies, and a commitment to systemic improvements.
