FBI Warns of Fake Toll Texts and Delivery Smishing Scams

In early 2025, the FBI flagged a surge in smishing—SMS phishing—scams targeting both iPhone and Android users. Unlike phishing emails, these deceptive messages arrive via text and often impersonate toll agencies or courier services, claiming urgent payment is needed to avoid penalties. Many of these messages lure recipients to fake websites via links that steal personal data or infect devices with malware.

Cybersecurity units, like Palo Alto Networks' Unit 42, have discovered that thousands of domains—many using the Chinese .xin top-level domain—are being used in these scams. This tactic makes the URLs appear official while steering users toward phishing traps.

New QR Code Scam: The Brushing Technique Arrives in the Mail

More recently, the FBI warned about clever new scams involving QR codes sent inside unsolicited packages—often with no return address. Known as the brushing technique, this method lures curious victims into scanning QR codes that lead to phishing sites or silently install malware.

Once scanned, these codes may lead to fraudulent payment pages or trigger downloads of malicious apps, putting your personal and financial information at risk. It’s become a modern twist on old-school phishing—but with an impressive disguise.

Why These Scams Work—and Why You Should Be Cautious

• Sense of Urgency: Fake messages mimic official notices that prompt immediate action.
• Authority Mimicry: Scammers pretend to be from toll or government services.
• Curiosity Tactics: Mystery packages with QR codes spark curiosity and lower defenses.
• Encrypted Path Evasion: Some smishing links instruct users to copy-paste URLs, bypassing protections like iMessage's link hiding.

How to Protect Yourself from Smishing and QR Scams

Smishing Texts: Link claiming unpaid toll or delivery alert - Delete suspicious texts immediately. Do not click links. Report to IC3.

QR Box Scams: QR in an unknown or unsolicited package - Never scan unknown QR codes. Use antivirus/mobile security apps and report to authorities if received.

Community Reactions and Real-World Behavior

From Reddit discussions, smartphone users report an increase in volume of scam texts, though not all are highly convincing.

“I’ve been getting tons of scam texts lately. They’re not very convincing but the volume has increased…”Reddit

This highlights the evolving nature of these scams: often low-effort for attackers but still effective due to the sheer volume and automation involved.

Grok AI Leak Exposes Hundreds of Thousands of Chats

Elon Musk’s AI chatbot, Grok AI, is making headlines for the wrong reasons. Reports suggest that over 3 lakh (370,000+) user conversations were accidentally made public and indexed by Google, exposing sensitive details like personal health queries, business discussions, and even at least one password.

According to a Forbes investigation, the leak is tied to Grok’s “share” feature, which generates a unique URL for each shared chat. While meant for convenience, these URLs were publicly accessible and open to search engine crawlers. As a result, conversations that users believed were private became searchable online.

Some of the leaked transcripts reportedly included extreme content—such as instructions on making illegal drugs and guidance on assassinations—directly violating Grok’s own terms of service.

Why This Matters for AI Privacy

The Grok leak underscores a growing concern in the AI industry: how user data is handled when interacting with chatbots.

• Sensitive Data at Risk: From medical questions to corporate details, chat history can reveal deeply personal or confidential information.
• Search Engine Indexing: Once a chat URL is indexed by Google or Chrome browsers, it can remain public even after deletion.
• User Trust: For platforms like Grok, mishandling privacy could lead to mistrust, especially as AI becomes embedded in everyday workflows.

This isn’t the first time AI privacy has been called into question. Earlier this year, OpenAI’s ChatGPT faced criticism after some shared conversations appeared on Google Search. Although OpenAI described it as a “short-lived experiment,” users quickly pushed back, forcing the company to disable the feature.

The Grok Timeline: From Denial to Exposure

Interestingly, Grok’s official X (Twitter) account once claimed the chatbot didn’t offer a share feature. Elon Musk himself replied with a “Grok ftw” tweet when OpenAI ended its own share experiment.

However, user complaints on X dating back to January 2025 suggested otherwise. Many pointed out that Grok chats were showing up in search results, well before the leak became widely reported.

While the exact timeline of when Grok enabled sharing remains unclear, the current exposure shows that data protection mechanisms may not have kept up with user expectations.

Industry Lessons from the Grok Leak

The Grok incident highlights the importance of responsible AI design and transparent privacy policies. As more people rely on AI chatbots for personal, medical, and business-related queries, companies must ensure that shared conversations remain private unless users explicitly consent to public access.

For now, the spotlight is on Grok AI and xAI’s handling of this breach—raising broader questions about how secure our conversations really are in the age of generative AI.