By Eddy Berry, Security Research Analyst, TraceSecurity
New scams and phishing attacks appear every day. Bad actors look for easier ways to make people click malicious phishing links. They pick something that many people use and pose as that business, asking for information or demanding that some action be taken. In this kind of social engineering attack, they use an email, text message, or phone call to fool you.
The latest phishing scam involves the tolling company E-ZPass, informing the potential victim that they have a fee that needs to be paid. The message refers to a past-due fee or a companion fee, followed by a link that might look legitimate. This link will certainly lead you to a dangerous website that might steal information or install something malicious on your device.
E-ZPass is an electronic toll collection system that lets drivers pay tolls seamlessly, making travel faster and more efficient. It is used by millions of people every day and billions of times a year. Each day, people spend money to go through tolls in order to make their commute shorter or easier, so the electronic option is always beneficial. Because of its massive customer base, bad actors have created a smishing attack that’s working.
Smishing is a social engineering attack in which bad actors use SMS (Short Message Service) to text malicious messages and links to unsuspecting people. It is similar to phishing, which is a social engineering attack that uses emails to accomplish the same goal. There will usually be a call to action, like asking for a password or to click a link.
Always keep in mind that businesses will never ask you for a password or any unprompted information. If someone is posing as a representative of a business, their identity should always be verified. If you get an unsolicited text and don’t know who the sender is, never reply to it or interact with it. It will most likely be a bad actor looking to scam you.
Since so many people use E-ZPass for an easier commute, it has become a big target for bad actors. The message is sent to millions of people and many of them have already fallen victim to it. The text claims that the person has an overdue fee or a companion fee that was received on a previous date. It has threatening wording that claims the customer has to resolve the issue in 12 hours or be charged with fee evasion.
Following the text, there is a link that leads to a malicious website. This website will pull any information you put into it and may attempt to install malware onto your device. The link might look official, but there are plenty of signs that show that it isn’t. The text looks like this:
As you can see, the text appears official, even if you’ve never received a text message from E-ZPass before. However, if you look closely at the link, you’ll see some strange things. First of all, the website is called “z-pass” and not “e-zpass”. Second, the domain ends in “.xin”, which isn’t at all trustworthy. Always pay attention to links before clicking them.
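The link checks described above can be automated when triaging reported texts. The following is an added example, not code from TraceSecurity; the official-domain list is a placeholder you would replace with the domains your toll agency publishes, and the sample message and its link are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: placeholder allowlist; replace with your agency's real domains.
OFFICIAL_DOMAINS = {"tolls.example"}
BRAND = "ezpass"              # brand name with hyphens stripped
SUSPECT_TLDS = {"xin"}        # the top-level domain called out in the article
PRESSURE = ("overdue", "companion fee", "12 hours", "fee evasion")
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

# Constructed sample message (not the real scam text).
SAMPLE_SMS = ("E-ZPass: your toll fee is overdue. Pay within 12 hours to avoid "
              "fee evasion charges: https://z-pass.toll-notice-demo.xin/pay")


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss names like 'z-pass'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url):
    """Return the warning signs for one link; an empty list means it is official."""
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return []
    labels = host.split(".")
    reasons = ["domain is not on the official list"]
    if labels[-1] in SUSPECT_TLDS:
        reasons.append(f"untrusted top-level domain .{labels[-1]}")
    for label in labels[:-1]:
        if edit_distance(label.replace("-", ""), BRAND) <= 2:
            reasons.append(f"'{label}' imitates or borrows the brand name")
    return reasons


def triage_sms(text):
    """Return ({link: warning signs}, [pressure phrases found in the text])."""
    links = {m.group(0): check_link(m.group(0)) for m in URL_RE.finditer(text)}
    return links, [p for p in PRESSURE if p in text.lower()]


if __name__ == "__main__":
    print(triage_sms(SAMPLE_SMS))
```

A link is cleared only by an exact or subdomain match against the allowlist, so a lookalike name on any other domain is flagged even when its top-level domain is a common one.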
One of the latest scams that people are getting is a smishing text posing as E-ZPass and claiming that the receiver has incurred a fee. This can be an overdue fee or companion fee, and the text states that the customer needs to pay it within a certain amount of time, or it’ll be considered fee evasion. The text will have a malicious link in it, encouraging the victim to click it.
This link will lead the victim to a malicious website, which can steal their information or install malware onto their device. You should never click a link from any unknown source in a text. That caution also extends to things like emails and phone calls. Unless you specifically request it, a business will not normally reach out to you for information on your account. Never give your password out to anyone, even if the business asks for it. Always verify who is calling you to be completely safe with your information.