This one right here is from my personal phone.

Please pay your fast track lane tolls by February 22nd, 2025.

It's an old school scam in a new form.

It's enabled by the rise of smartphones, cashless billing and transaction systems, and AI.

We have been bedoubled by these scams.

The scamsters mutate every few weeks with different messages.

The messaging has become more sophisticated, more aggressive.

There's one thing I find with fraud, financial crime, is that people are so busy and these things are just annoying, but if somebody makes the wrong click, it literally takes a millisecond.

Your life could be ruined.

The Federal Trade Commission, the FBI, state governments all around the country, even local transportation authorities have all issued warnings to customers.

CNBC dives into the world of international financial crime to figure out why and how these scams have become so widespread and who could be behind them.

The scam is simple.

The text says something like this.

You have unpaid tolls.

You need to pay them by a certain date or else.

Then it will often supply a link and or ask you to respond.

It might spell out some kind of threat, as you can see on mine.

If you don't pay this, you will be fined or you will lose your license or whatever.

So you, conscientious and concerned citizen that you are, click on the link.

From there, one of a few things can happen.

Your phone could start downloading malware, software that can damage your device or steal your data.

The link could also take you to a fake website where you enter your credit card or bank account information and bam, the scammers have your financial info.

The second you click that, that point of no return, the Pac-Man game over, I call it is don't click that.

The fact that I received a text at all is the first red flag.

We do not contact our customers by text with a request to pay via a link to a website.

We don't do that, nor do any other legitimate toll operators anywhere in the country.

That's just not how business is done.

Here's how business is done the legal way.

There are about 359 toll facilities across the U.S.

Altogether, they pull in about $23 billion in revenue.

They include bridges, tunnels, turnpikes and in some cases, highways that allow you to bypass traffic.

Toll points used to, and in some cases still do, have staffed booths that collect cash.

But around 2008, they converted in large numbers to all electronic tolling.

The switch really picked up speed during and after 2020.

And that's where scammers saw an opportunity.

The advent of technology, it has just catapulted the world of financial crime, fraud, cybercrime.

They are exploiting both the rise of cashless billing systems and the fact that we use our phones to conduct all kinds of business.

Cashless tolling, in most cases, works like this.

You sign up for an account and the agency in your area sends you a little box called the transponder that you put in your car.

In some cases, operators might also just read your license plate when you go through a toll point, or you might be able to use a mobile tolling app to pay without a transponder.

Every time you go through a toll point, you get billed automatically.

That is automatically.

It is highly unusual to receive a text.

There are occasional exceptions.

Basically, if a toll hasn't been paid, unless the unpaid toll is sent to a collections agency, you would always hear directly from the roadway or transponder operator themselves.

Even if there is a problem with the transponder, most facilities have license plate readers and can find your account.

I think it's safe to say that any time you get a text that purports to be directly from a tolling operator, that that is a malign text.

Catherine Clay is the CEO of the International Bridge Tunnel and Turnpike Association.

She represents toll collectors and says this surge in incidents is not the result of a data breach.

This is an opportunistic scam.

These are people that have stumbled upon the idea of tolling as a target rich environment because it's so much a part of our daily lives now that even if you're starting with a random set of phone numbers, there is a very high probability that some of the recipients of those texts also happen to use tolling lanes.

The SF Bay Area Fast Track system, Goodwin's department overseas, has two million customers alone.

Doherty works for the New York State Thruway, which controls tolling across 570 miles of road throughout New York state.

It is part of the Easy Pass system, which is accepted in 18 other states.

The New York Thruway logged 400 million transactions last year.

That's 400 million trips through the system's toll gates.

Ninety percent of them used Easy Pass.

So if you just spray enough of these texts out there, most recipients will be baffled or recognize it as spam.

But sooner or later, you're likely to hit someone who wonders if they owe money.

Doherty's agency has been wrestling with this latest iteration of text based scams for about the last six months.

It does seem like almost every New York area code was targeted with this recent text message scam.

In the text I received, there are all kinds of other clues, quite common, actually, that can immediately indicate it's fraudulent.

These details are not that easy to notice, and scammers are betting that customers will overlook them.

Michael Skiba is a veteran cybercrime investigator who has worked with the FBI, the U.N., Interpol and others.

He says there's a kind of psychology of fraud.

The texts exploit a person's sense of urgency, such as by threatening a fine or a legal penalty.

They are also taking advantage of the way we are accustomed to using our phones, which tends to be hastier than how we behave with other screens such as laptops.

You have all those apps on your phone, you know, Instagram, you're swiping videos.

And so it's more like the swipe psychology.

That means we're liable to make some snap decisions, even ones we shouldn't.

Even the smaller size of the phone screen compared with the size of, say, a laptop makes it harder to read small print or notice suspicious details.

But look closely.

Though I live in New York, I am from the San Francisco Bay Area and my number has a 650 area code, which covers a portion of the peninsula south of the city.

The text I received mentions the fast track cashless toll billing system used in the Bay Area.

The scammers misspelled the name, which only has one T in it.

I didn't catch it at first and even copied the error in an email to a potential source for this story.

The URL also mimics the Web address for a toll collection system in Texas, not California.

Another detail I missed.

A colleague had to point it out.

The second tell it is they're asking people to reply why to get a link.

Easy Pass would never ask that they would actually send an official link with an official website.

Even then, you have to be careful.

Scammers have gotten better at disguising bogus links like in this other text I received.

This time they spelled fast track correctly.

More convincingly, the enclosed URL looks at first like an address for the toll roads, a group that oversees tolling in California.

It's only when you carefully read that you can see it is not by the string of letters at the end.

Another giveaway is a suspicious number.

This one starts with a country code for the UK.

The second comes from the Philippines.

We would never send a text message from an international number.

They're invariably registered at offshore locations.

The first wave a year ago, many of them were from Hong Kong, others from Russia.

More recently, there have been some South American nations where the domains were registered.

Those international numbers point to the identities of the scammers, large international criminal networks.

Back in the day, a scammer might just be a guy in his basement sending out emails or making phone calls one at a time.

Today, smishing, which is what these types of scams are called, is done by large, sophisticated international criminal syndicates.

Now you have these massive, massive cartels, terrorist groups collaborating.

One smart person can run 20, 50 computers at once, running thousands of A.I. programs, sending out thousands of texts a second.

A text scam is an appealing, far less dangerous way of making money than some of the more traditional criminal trades like kidnapping.

It's very low risk for them and the reward could be incredible.

While common, these types of scams are difficult to track.

Researchers in law enforcement say it's hard to even estimate the total loss to consumers.

I've seen statistics come out, try to put a number on like, I personally think it is astronomical and I think it would be so alarming to know what the true cost is.

Unfortunately, they're also difficult to investigate.

The international nature of them requires a high level of international cooperation.

A single text received in New York could be at first tracked to an I.P. address in, say, Connecticut.

But then it was linked to somewhere overseas and then it crossed three state lines.

But then they transferred the money to cryptocurrency.

I mean, it literally is a headache to just even try to figure out where if you don't have the big numbers behind it, it doesn't gain the momentum that's really needed.

When Skiba says big numbers, he means an accurate understanding of how much money this is costing people.

That is difficult to track, in part because it is likely underreported.

There are a lot of people, unfortunately, that when they do get tricked, they're embarrassed.

You know, they don't want to report it.

Number two, there's some that only get scammed out of a couple thousand dollars and they think it's not worth it.

So they don't even bother reporting it to anybody.

I have seen a shift, though.

There are some new laws in place.

There are some new powers given to law enforcement.

I do see dedicated units now to it.

So what do you do?

Know that these texts are sprayed out to people indiscriminately.

So it is not an indication that your tolling account has been hacked or anything like that.

I was involved in a recent case, international like this, where I saw these programs and they actually will throw out these algorithms.

It looks kind of like the matrix.

Right.

And it goes through these numbers and it just keeps sending these texts.

And it doesn't know if you're a real person or not.

And the only way it knows you're a real person is when you engage.

So never click on the link and never respond to the text.

Just go directly to the website for the tolling agency or group and contact them.

Skiba says the scams adapt to changes in technology.

Phone scams gave way to email and now text.

But car infotainment systems, smartwatches, potentially anything that can be hacked or exploited is up for grabs.