A recent increase in smishing campaigns by a cybercriminal group known as the Smishing Triad has caught the attention of security experts. The group, believed to be based in China, has been targeting users in the US and UK with deceptive instant messages, with concerns that the activity may soon spread worldwide.
The scam involves sending fake SMS and iMessage texts, posing as legitimate tolling agencies such as FasTrak, E-ZPass, and I-Pass. These messages claim that the recipients have unpaid toll bills and provide links to phishing websites where personal and financial information is harvested.
One of the reasons why this tactic is so successful is because instant messages often bypass spam filters and users are more likely to trust them compared to emails. When urgency is added to the message, it increases the chances of victims falling for the scam.
According to Resecurity, over 60,000 domain names have been registered to support these attacks, with many hosted under the “xin” top-level domain managed by Elegant Leader Limited in Hong Kong. A significant increase in smishing activity was observed at the beginning of Q1 in 2025, with millions of targeted messages reported.
Victims receive messages that appear to be from trusted sources, urging them to make immediate payments or verify their accounts. These messages often lead to phishing websites where users are asked to provide sensitive information like credit card details or login credentials.
A service called “Oak Tel” or “Carrie SMS” has been identified as a key tool used by cybercriminals to facilitate such attacks. Operated by individuals in China, Oak Tel provides web-based dashboards, tools for spoofing sender names, APIs for automating smishing attempts, and data uploading for targeting victims based on their location or behavior. This service is marketed and sold via Telegram for as little as $8 per 1000 texts.
To mitigate the risks associated with smishing, federal and state agencies recommend verifying toll payment claims through official websites and refraining from clicking links in unsolicited messages. Consumers are also advised to contact the alleged organization directly using their official contact information to confirm the legitimacy of the message.
In light of this growing threat, instant messenger platforms are being called upon to enhance their security measures to combat smishing attacks more effectively. By implementing best practices tailored to instant messaging services, the cost to threat actors can be increased, reducing the scale and effectiveness of such attacks.
In conclusion, the rise of smishing campaigns impersonating toll service providers highlights the need for increased vigilance among consumers and stronger security measures on messaging platforms to prevent falling victim to these fraudulent schemes.