RiskScope
Back to Blog

Got a Text About an Unpaid Toll or Traffic Fine? It Is Probably a Scam.

Millions of people have received official-looking texts claiming they owe a toll or traffic fine. The FTC issued a fresh alert about these in April 2026. The scam has a new twist: QR codes instead of links. Here is how it works, who is behind it, and what to do if you already clicked.

RiskScope Team
smishing, toll scam, traffic fine scam, QR code scam, text message fraud, phishing

The Text

It comes in looking official. It has your state's name. It references a specific violation. It gives you a case number and a court date. And it tells you that if you do not pay a small fine, usually somewhere between $4 and $15, you will face a default judgment, a suspended licence, or a court appearance.

Sometimes it includes a link. Increasingly, it includes a QR code and an image of what looks like a court notice.

The fine feels small enough that paying it is easier than questioning it. That is the whole mechanism.

The FTC issued a consumer alert about this scam on April 14, 2026, reporting a significant spike in complaints. It is not new, but the QR code version is, and it is specifically designed to get past the defences you may already have.

Two Scams, Same Playbook

These texts come in two main flavours, and they operate identically under the hood.

The toll road variant has been running since at least early 2024. The text claims you have an outstanding balance on a toll road, typically E-ZPass, SunPass, FasTrak, or whichever system is relevant to your state. It says the amount has been unpaid for some time and will now incur additional fees. One click, it promises, and you can settle it quickly.

The FBI's Internet Crime Complaint Center received more than 60,000 complaints about toll text scams by March 2025. The actual number of people who paid without reporting is, by definition, unknown and likely far higher.

The traffic violation variant is newer and more aggressive. The text claims you were caught by a camera committing a moving violation. It includes a fake case number, a specific court name, and a deadline. The April 2026 version, documented by Malwarebytes and flagged by the FTC, replaces the clickable link with a QR code embedded in what looks like an official court notice.

Both variants lead to the same place: a fake payment page designed to steal your card details.

Why QR Codes, and Why Now

When phishing texts first became widespread, security researchers taught people a simple rule: do not click links in unexpected texts. Phone carriers began scanning messages for suspicious URLs. Security software flagged known phishing domains.

Scammers adapted. A QR code is an image, not a URL. It does not get flagged by SMS filters the same way a link does. Most people cannot read a QR code visually to assess where it points before they scan it. By the time your camera app has decoded it and loaded the page, you are already there.

Malwarebytes documented the exact sequence in April 2026:

  1. You receive a text containing an image of what looks like a printed court notice
  2. The notice includes a QR code and tells you to scan it to pay your fine
  3. Scanning takes you to a CAPTCHA page, which adds legitimacy and filters out automated detection systems
  4. After the CAPTCHA, you land on a convincing clone of a state DMV or court payment portal
  5. The payment page asks for your name, address, and card details to settle the fee

The fee itself is kept deliberately small. Researchers have seen amounts ranging from $3.95 to $9.99. A charge that small feels like it is not worth the effort of disputing, which is exactly the point. The card details you enter are worth far more to the scammers than the stated fine.

Who Is Behind This

This is not individual opportunists sending random texts. It is an industrial-scale operation.

NBC News and cybersecurity researchers traced the toll text campaign to Chinese-speaking cybercrime groups operating what is known as a Phishing-as-a-Service (PhaaS) platform. The most documented of these is Lucid, a platform that has targeted 169 organisations across 88 countries. Lucid and its related platforms, including Darcula and Lighthouse, operate from Telegram channels where operators sell phishing kits to other criminals, offering pre-built fake sites, SMS-sending infrastructure, and card harvesting tools.

Google filed a lawsuit in November 2025 against the operators of Lighthouse, which had created more than 17,500 fake websites targeting 316 brands across 74 countries. The lawsuit estimates over one million victims.

The kits are sold, licensed, and discussed openly in Telegram channels conducted in Chinese. Buyers do not need technical skills. They pay a subscription fee and get working infrastructure.

The texts themselves bypass standard SMS filtering by using Apple iMessage and Android's RCS messaging system rather than traditional SMS. Both platforms are harder for carriers to monitor and filter than standard text messages.

Red Flags in the Text Itself

You owe a tiny amount. Real fines for moving violations run to hundreds of dollars. A text telling you to pay $6.99 to avoid court is not how courts work.

The urgency is artificial. Real government agencies do not text you with 24 or 48-hour deadlines before default judgments. Official notices come by post. Courts have formal processes with multiple stages before any default action.

The contact information does not match official sources. Look up your state's actual DMV or court website independently and compare the domain name. Scam sites typically use domains like dmv-pay-now.com or court-fine-settlement.net rather than the official .gov address.

No physical notice preceded it. Jurisdictions that use traffic enforcement cameras send physical notices by post before any digital follow-up. A text with no prior paper notice is suspicious.

The QR code leads somewhere you cannot preview. Before scanning any QR code, use a QR reader app that shows you the destination URL before loading it, rather than immediately opening the link.

You cannot find the case number anywhere. If a text references a genuine case, that number will exist in a public court record accessible through your state's official court website. Fake case numbers will not appear in any official system.

How to Verify Whether a Fine Is Real

Before paying anything, do the following:

For toll road notices: Go directly to your toll provider's official website, which you should find through a search engine rather than through any link in the text. Log in to your account and check whether any outstanding balance exists. E-ZPass, SunPass, and other legitimate providers will show actual balances in your account.

For traffic violations: Search for your state or county court's official website (look for .gov addresses) and use their public case search tool to look up the case number referenced in the text. If the case does not exist, the text is fraudulent.

For parking fines: Most cities have an official parking violations portal. Search for it directly. Do not use any phone number or website provided in the text.

If you are genuinely unsure, call the court or agency directly using a number from the official government website, not from the text. Courts have clerks who can tell you in thirty seconds whether a case exists.

What to Do If You Already Clicked or Scanned

If you entered card details:

Contact your bank or card provider immediately to report potential fraud. Ask them to cancel the card and issue a replacement. Review recent transactions and dispute anything you do not recognise. Most banks have a 24-hour fraud line.

If you only clicked or scanned but did not enter any details:

Your card details are not compromised. However, if the page prompted you to download anything or enable any permissions, treat your phone as potentially compromised. Run a security scan, check for any apps you do not recognise, and consider a factory reset if you have any doubt.

In either case, report it:

You can also forward the text itself to 7726 (SPAM) on most carriers, which flags the number for investigation.

The Bigger Pattern

The toll and traffic fine scams are part of the same industrial machinery behind fake parcel delivery texts, fake bank security alerts, and fake government refund notices. The underlying infrastructure is the same. The kits are sold on the same platforms. The card harvesting systems feed the same criminal networks.

What makes the fine scam particularly effective is that it targets something most people cannot immediately verify. You drive on roads. You might have gone through a toll. You might have been near a camera. The uncertainty is enough to make some people pay without questioning.

The shift to QR codes is a direct response to people getting better at spotting suspicious links. As public awareness catches up with one tactic, the approach changes. The goal stays the same.

The simplest rule: no government body, toll authority, or court will ever send you a QR code in a text message and ask you to scan it to pay a fine. If you receive that message, delete it.

You can run any suspicious domain from a payment link or QR code destination through RiskScope for a free risk assessment. Scam payment sites typically show multiple threat signals including recently registered domains, no verifiable business registration, and matches in phishing databases.

Related Reading

Sources: FTC Consumer Alert: That Text About a Traffic Violation Is Probably a Scam, Malwarebytes: Traffic Violation Scams Swap Links for QR Codes, BleepingComputer: Traffic Violation Scams Switch to QR Codes, NBC News: Unpaid Toll Bill Scams Fueled by Telegram Salesmen, The Hacker News: Lucid PhaaS Hits 169 Targets in 88 Countries, Malwarebytes: 1 Million Victims, 17,500 Fake Sites, FCC: How to Spot and Avoid Toll Road Payment Scam Texts, FBI IC3: Internet Crime Complaint Center

Check Any Website Yourself

RiskScope is free. No signup required. Enter any domain and get an instant risk assessment.

Check a WebsiteAPI Documentation

Related Articles

Your Phone Rings. You Hear Your Child Crying. Before You Do Anything, Read This.

AI voice cloning tools can replicate anyone's voice from three seconds of audio pulled from social media. Scammers are using them to fake family emergencies and demand ransom in real time. Here is how it works, who is behind it, and the one defence that stops it cold.

Read more

Someone Emailed Saying They Found a Vulnerability on Your Website. Read This Before You Pay Anything.

If you run a website or small app, there is a good chance you will eventually receive an email from a 'security researcher' who has found a vulnerability and wants payment. Most of these are a scam with a specific name: beg bounty. Here is how to tell the difference, what to do, and how to make sure it never catches you off guard.

Read more

Is Your Streaming Box Spying On You? The SuperBox, BadBox Botnet, and Android TV Malware Explained

The SuperBox and devices like it are sold at Walmart, Best Buy, and through your neighbour's social media. The FBI has confirmed they're part of a global botnet. Here's what these boxes actually do, who is behind them, and exactly how to protect your home network.

Read more