New Hampshire E-ZPass users the latest to be ‘smished’ in growing scam

Two smishing texts Ink Link reporter Maureen Milliken received in the past few days illustrate the red flags to look for when trying to determine if a text is a smish. Never click on a link in an unsolicited text. Go to the website or call the business or agency if you believe the text is real. It’s usually not. Maureen Milliken Ink Link graphic

MANCHESTER, NH – E-ZPass users in New Hampshire, Maine and beyond are being warned about a scam that involves getting a text message about unpaid fines – clicking on the link will put your personal information and accounts in jeopardy.

The smishing scam – text messages from fraudsters that look like they’re from a legitimate source – has been making the rounds in the Northeast for months, but has resurged as holiday travel season approaches.

The latest messages in the scam purport to be from the New Hampshire Department of Transportation and cite an unpaid toll, telling the user to click on the link to pay and avoid a fine.

“NH E-ZPass will never send text messages requesting payment for tolls with late fees,” the department said in a news alert about the scam.

Smishing scams lure victims into giving away important contact information that can allow hackers to access bank accounts, passwords and other vital information stored on a phone or in an email account. “Smishing” is a combination of SMS (the acronym for short message service, which is the technical term for texts) and phishing, which is the practice of tricking people into giving out personal information.

New Hampshire, like all of the 20 states that are part of the E-ZPass network, notify violators by letter through the U.S. mail, not text message.

E-Z Pass customers who get such text messages should check their accounts through the E-Z Pass website – ezpassnh.com – or app, not by clicking on the link in the text, which has a similar URL. The texts that look like they’re from NH DOT aren’t just going to New Hampshire drivers, but also those in nearby states, like Maine, who may live near the New Hampshire border or travel to the state. 

The Maine Turnpike Authority last month issued a similar news release citing the same issue.

“MTA’s E-ZPass Customer Service Center does NOT use text messaging to collect tolls,” Erin Courtney, MTA spokesperson said in a news release. “These fake messages have led to an increase in calls and visits to our service center, resulting in longer wait times for customers with legitimate inquiries.”

Other states in the E-ZPass network have issued similar warnings over the past several months, including Delaware, Maryland, New Jersey, New York, Pennsylvania and Virginia.

The texts look convincing – most of them (though not all) use the E-ZPass logo, and the URL is similar to the actual agency URL.

Even though New Hampshire Department of Transportation will not send a text asking for money, it’s a good idea for anyone with a smart phone to know how to look for clues that indicate that a text that looks legitimate is a scam.

Clues on the scam E-ZPass text are:

  • The phone number does not have a New Hampshire area code – 263 is a Montreal area code. 
  • The message has typos – for instance, the dollar sign is after the numbers, rather than before.
  • The URL to click on is ezpnh.com, while the real one is ezpassnh.com.
  • There is no user account number or license plate number, which would normally be included in a toll violation notice.
  • The language is a little off: “Your vehicle has an unpaid toll invoice on New Hampshire Express Lane.”

Most smishing scams have similar red flags. For instance, a recent smishing scam that appeared to be from the U.S. Post Office had +63 as its country code in the telephone  number – a huge red flag. That’s the Philippines. The U.S. country code is +1 and appears before every phone number you get a text from.

Complicated instructions on how to respond or click on the link are also red flags. Although you should never click on a link in an unsolicited text.

The FBI this year cited a huge uptick in smishing scams. The most common are fake bank alerts about suspicious activity; “IRS” urgent alerts; package issues with USPS, FedEx or UPS; customer support from Amazon or another well-known business; “law enforcement” notifying the recipient there is a warrant out on them, they’ve missed jury duty, or some other thing that requires paying a fine.

Scammers often “spoof” phone numbers, making them look legitimate, which lures in unsuspecting victims.

The FBI offers these tips to protect yourself from smishing and other phishing scams:

  • Don’t click on anything in an unsolicited email or text message. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
  • Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
  • Companies generally don’t contact you to ask for your username or password.
  • Be careful what you download. Never open an email attachment from someone you don’t know and be wary of email attachments forwarded to you.
  • Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
  • Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.

Anyone who has received a smishing text, particularly if they’ve been scammed by one, can file a complaint through the FBI’s Internet Crime Complaint Center. They should also alert their phone provider of scams by forwarding the messages to 7726 (SPAM).