When Toll Roads Become a Highway to a Scam

Phony invoices and payment demands bombard toll road users: Internet Scambusters Issue #636

Toll road users across the U.S. have been receiving phony but genuine-looking emails warning them they haven’t paid their fees, and demanding immediate payment.

But, in the main, the crooks behind this scam aren’t really after your money. They want you to click on a link to the supposed invoice, which installs malware so they can use your machine in a botnet — a network of hacked computers.

We’ll show you how to spot these fakes, along with details of a new phishing trick, in this week’s issue.

Let’s get started…




Users of toll roads across the U.S. — and many drivers who never use them — are the latest group of consumers to be targeted by crooks.

They’re sending out emailed violation notices, claiming recipients used a toll road and failed to pay.

The notices contain what appears to be a link entitled “Get Invoice” with details for payment, but it actually downloads a file that installs malware onto victims’ PCs.

The file is a .zip archive concealing a program that identifies where the computer is located and then installs the virus, possibly tying the victim’s machine into a botnet (a network of hacked computers).

The vast majority of notices are disguised to look like they came from E-ZPass, an automated vehicle identification and payment system used by a consortium of 26 different toll agencies operating in at least 15 states.

In some cases, the message is marked as “From: Collection Agency” and has the subject line “Indebtedness for driving on toll road” (or similar wording) and begins with “Dear Customer.”

It then goes on to say that the recipient has failed to reply to repeated requests for payment.

Here’s the wording from one of the messages:

(Begin fake message)

E-ZPass Service Center
Dear customer,
You have not paid for driving on a toll road. This invoice is sent repeatedly, please service your debt in the shortest possible time.
The invoice can be downloaded here

(End fake message)

A button labeled “Get Invoice” links to the malware.
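
For anyone who screens mail on behalf of other people, the traits described above (the “Collection Agency” sender name, the toll road subject line, the “Dear customer” greeting and an invoice link that points to a .zip file) can be checked automatically. The Python below is an added example, not part of the original newsletter; the sample message, its sender address and its URL are constructed placeholders, and the function and indicator names are hypothetical.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the wording quoted above; the sender
# address and URL are placeholders, not real indicators.
SAMPLE = """\
From: Collection Agency <billing@mailer.example>
Subject: Indebtedness for driving on toll road
Content-Type: text/html; charset=utf-8

<p>E-ZPass Service Center</p><p>Dear customer,</p>
<p>You have not paid for driving on a toll road.</p>
<p>The invoice can be downloaded here</p>
<a href="http://files.example/invoice.zip"><b>Get Invoice</b></a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def toll_lure_indicators(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    parser = LinkCollector()
    parser.feed(body)
    checks = {
        "sender-display-name": "collection agency" in str(msg["From"] or "").lower(),
        "toll-road-subject": "toll road" in str(msg["Subject"] or "").lower(),
        "generic-greeting": "dear customer" in body.lower(),
        "invoice-link-to-zip": any(
            "invoice" in text.lower() and urlparse(href).path.lower().endswith(".zip")
            for href, text in parser.links),
    }
    return [name for name, hit in checks.items() if hit]
```

A message that trips several of these checks at once is worth holding for review; any single one on its own also turns up in legitimate billing mail.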

The Internet Crime Complaint Center (IC3) says it has received hundreds of complaints from across the country.

The botnets in this case seem to be used for what is known as “advertising click fraud.”

Without the user knowing, “captive” computers click on advertising links that earn a small commission for the crooks each time they’re used.

That means the victims themselves may not actually be defrauded but their machines are under the control of the crooks and might be used for other purposes in the future.

In that case the only visible sign of what’s happened is a slowing down of affected computers as they do their dirty work for the crooks.

However, some other news reports suggest the link may also install more dangerous viruses or link to a fake E-ZPass page seeking personal financial information, which can then be used for identity theft.

It’s also possible (though we haven’t seen evidence of this yet) they could simply demand payment, which would almost certainly be by untraceable methods like wire transfer or prepaid debit cards.

Officials in several states say the fake notices, which use a replica of the genuine E-ZPass logo, actually seem to be sent out at random but in areas where toll road usage is heavy.

This means that locals are almost certain to be toll users and to believe the payment demands are genuine.

Regular toll road users usually have an account linked to a debit or credit card, from which fees are deducted after their license plate is read.

But the toll agencies often do send out monthly invoices or payment statements so users could easily be tricked into thinking this scam message is genuine, and click the link.

However, since the fake notices are being sent out at random, curiosity may also prompt people who don’t use toll roads to click the link.

Action: The important thing is not to click on a link in this type of email and, definitely, never to send payment by wire transfer.

If you receive email notification of an invoice or other communication from the toll agency, go to the agency’s website and check it out from there.

If it’s too late and you already clicked the link, a good anti-virus program should have blocked the malware installation.

If it didn’t or if you unwisely don’t have security software, get your machine checked by a professional.

Toll road fees are already expensive enough — don’t add to the cost by clicking on these dangerous messages.

Alert of the Week

As we explain above, crooks will try all kinds of tricks to get you to click on dangerous links — including fear and alarm.

That’s what they’re trying in a new ruse, an email claiming to alert recipients about the presence of a “child predator” in their area.

The message is headed “Neighborhood Safety Info” but the link inside is anything but safe — leading once again to a malware download.

Don’t click the link. If you’re worried it may be true, check the claim with your local police department.

That’s all for today — we’ll see you next week.