FBI Warns of Fake Toll Texts and Delivery Smishing Scams

In early 2025, the FBI flagged a surge in smishing—SMS phishing—scams targeting both iPhone and Android users. Unlike phishing emails, these deceptive messages arrive via text and often impersonate toll agencies or courier services, claiming urgent payment is needed to avoid penalties. Many of these messages lure recipients to fake websites via links that steal personal data or infect devices with malware.

Cybersecurity units, like Palo Alto Networks' Unit 42, have discovered that thousands of domains—many using the Chinese .xin top-level domain—are being used in these scams. This tactic makes the URLs appear official while steering users toward phishing traps.

New QR Code Scam: The Brushing Technique Arrives in the Mail

More recently, the FBI warned about clever new scams involving QR codes sent inside unsolicited packages—often with no return address. Known as the brushing technique, this method lures curious victims into scanning QR codes that lead to phishing sites or silently install malware.

Once scanned, these codes may lead to fraudulent payment pages or trigger downloads of malicious apps, putting your personal and financial information at risk. It’s become a modern twist on old-school phishing—but with an impressive disguise.

Why These Scams Work—and Why You Should Be Cautious

• Sense of Urgency: Fake messages mimic official notices that prompt immediate action.
• Authority Mimicry: Scammers pretend to be from toll or government services.
• Curiosity Tactics: Mystery packages with QR codes spark curiosity and lower defenses.
• Encrypted Path Evasion: Some smishing links instruct users to copy-paste URLs, bypassing protections like iMessage's link hiding.

How to Protect Yourself from Smishing and QR Scams

Smishing Texts: Link claiming unpaid toll or delivery alert - Delete suspicious texts immediately. Do not click links. Report to IC3.

QR Box Scams: QR in an unknown or unsolicited package - Never scan unknown QR codes. Use antivirus/mobile security apps and report to authorities if received.

Community Reactions and Real-World Behavior

From Reddit discussions, smartphone users report an increase in volume of scam texts, though not all are highly convincing.

“I’ve been getting tons of scam texts lately. They’re not very convincing but the volume has increased…”Reddit

This highlights the evolving nature of these scams: often low-effort for attackers but still effective due to the sheer volume and automation involved.