A must-read for anyone with a phone, a travel plan, or a distracted moment.
We’ve all gotten sketchy texts before —
“Your package is delayed,”
“Click here to avoid suspension,”
“Urgent notice from USPS.”
But a recent wave of smishing attacks is taking things to the next level.
And if you travel near toll roads or have family in different states, listen up.
What’s Happening?
Imagine this: You get a message saying your E-ZPass toll wasn’t paid — and it just so happens you were recently traveling.
The toll amount looks about right.
The link looks legit.
It says you could lose your license if you don’t pay now.
You click.
You pay.
But it wasn’t real.
And now they have your credit card.
This smishing campaign is scary-effective because it’s timely, emotionally triggering, and eerily well-targeted.
What Makes It So Dangerous?
Two major criminal toolkits are behind the rise in these “hyper-targeted” scams:
- Darcula (yes, like Dracula – sucks your financial blood)
- Lucid
Both are part of a growing cybercrime industry called PhaaS — Phishing-as-a-Service.
These platforms provide everything a scammer needs to impersonate trusted brands (like DMV, USPS, E-ZPass) and send high-conviction messages using tools that look just like your real iMessage or Android messages.
They’ve even figured out how to:
- Use Apple iMessage and Android RCS to sneak past spam filters
- Prompt users to reply before clicking, bypassing security blocks
- Automate phishing websites with real-time victim tracking
Why It Works
These criminals are using AI and social media data scraping to time these messages.
If you just posted about traveling, they can match that to a toll area.
If it’s close to a holiday, they’ll trigger package scams.
These aren’t random anymore — they’re intentional attacks wrapped in coincidence.
And they’re working. We’ve heard of 75+ MSPs seeing this hit their clients in the last few weeks.
How to Protect Yourself (and Your People)
- Never click links in unsolicited texts — no matter how real they look.
- Go directly to the source. Want to verify a toll? Manually type in the DMV’s site or E-ZPass portal.
- Train your team. Especially younger employees or family members who might be tech-savvy but scam-naive.
- Look for weird sender info. If it’s a jumble of letters or numbers and not saved in your contacts? 🚩
- Slow down. Urgency is the #1 manipulation tactic used in these messages. Breathe before you tap.
“The biggest security tip we can give you? Don’t click the link. Just don’t. Trust your gut — and then verify it yourself.” — Ginny & Tim, DS Tech
Need Help With Phishing Training?
We help businesses set up phishing training, team training, and real-time monitoring.
Head to dstech.net and we’ll make sure you’re safe for the next wave.
