This screenshot shows an attempt by a scammer at smishing, obtaining money and possibly personal information.
This screenshot shows an attempt by a scammer at smishing, obtaining money and possibly personal information. Credit: SCREENSHOT/MASSACHUSETTS DEPARTMENT OF TRANSPORTATION

It looks so benign.

The reminder appears to come from EZDriveMA, the Massachusetts Turnpike Authorityโ€™s electronic tolling program.

โ€œYour bill for $6.99 is due soon.โ€ The text message contains a link and instructs you to โ€œpay and avoid additional feesโ€ by replying with a Y and activating a link or copying the link into your browser.

This is smishing, a text message scam, technically referred to as a tactic at social engineering. Based on a recent uptick of reports, MassDOT made its third warning about smishing in recent months.

โ€œMassDOT is underscoring that: EZDriveMA will never request payment by text,โ€ according to the warning. โ€œAll links associated with EZDriveMA will include www.EZDriveMA.com.โ€

The FBI Internet Crime Complaint Center recognized the unpaid toll smishing scam in early March 2024 and noted more than 2,000 complaints had been made by April 12, when it put out its first alert.

Since then, periodically, state highway and turnpike authorities have put out alerts, including all six New England states and New York.

The U.S. Postal Service and the IRS have also put out alerts about smishing attempts with texters impersonating their agencies.

Smishing, a cute word that sounds vaguely Yiddish, was coined in 2006, according to Merriam-Webster. It combines the acronym SMS, which stands for โ€œshort message serviceโ€ referring to a text message, with phishing, the term for email or internet-based scams.

Brian Levine told the Berkshire Eagle he gets smishing attempts all the time, though he hasnโ€™t received the EZDriveMA one. Heโ€™s a distinguished professor at the University of Massachusetts Amherst in the Manning College of Information and Computer Sciences.

โ€œI think itโ€™s pretty common these days, because everyone has a phone … and everyone with a phone number can receive text messages,โ€ he said.

Part of the reason smishing attempts are so common is because the phone texting system isnโ€™t secure.

โ€œItโ€™s easy to send fake messages, meaning they may appear to be from your local town, but they could come from anywhere in the globe, and thereโ€™s barely any mechanism that would prevent that,โ€ Levine said.

While text messages may be thought of as postcards, because theyโ€™re โ€œviewable by anyone,โ€ Levine said thereโ€™s one crucial difference: the postmark.

โ€œThereโ€™s nothing in an SMS message to authenticate where it actually came from and to keep it private,โ€ Levine said.

Smishing attempts are designed to take advantage of typical behaviors โ€” or social engineering โ€” and this one does in specific ways.

โ€œPeople are busy, and theyโ€™re used to receiving real messages that are important on their phone, because theyโ€™re from their family or their jobs or places they do business with, like their banks,โ€ he said. โ€œWeโ€™re busy and weโ€™re distracted. We say, โ€˜Oh, my God, this is important. I have to react to this. I owe someone money.โ€™โ€

However, the inclination to instantly resolve the issue could create far bigger ones: from the loss of $6.99 to identity theft.

While these attacks have a low chance for success, theyโ€™re easy to automate and donโ€™t cost much to initiate, which is why theyโ€™ve become so prevalent, Levine said.

โ€œIf it costs very little to carry out, that can be very profitable,โ€ he said.

He said the $6.99 amount was likely chosen by the scammer because victims will consider that amount small and pay it without stopping to question the legitimacy of the demand.

There are often clues within scams that indicate the source is fake. In the EZDriveMA scam, Levine noted the URL ending. Any Massachusetts agency would have .ma as the final extension.

But even if the targets of a smishing attempt donโ€™t recognize that sort of clue, thereโ€™s a way to ensure theyโ€™re not trapped by these scams.

Levine recommends using the following strategy to avoid getting caught by smishing, phishing or vishing. Vishing is the name given to similar attacks using voicemail, phone calls using either real or computer-generated voices.

Donโ€™t click on a link or interact with the text message, the caller or the email, Levine advises. Donโ€™t interact with that number or email and instead contact the entity using a known and trusted website, email address or phone number.

โ€œItโ€™s annoying to be secure,โ€ Levine said. โ€œIt takes extra work, and thatโ€™s what theyโ€™re taking advantage of. Itโ€™s much easier to just click this link in your text message and not think about it, but thatโ€™s what youโ€™ve got to do.โ€

Levine uses a free messaging app called Signal, which filters text messages. Similarly, he has three email addresses: one for personal friends, a second for work and a third for receipts.

Levine said older adults may be vulnerable to smishing and recommends placing safeguards to prevent the loss of lifelong savings.

Heโ€™s also concerned about those who are new to cellphones, such as children, who may be unfamiliar with scams. While they may not be vulnerable to this one because they may not be old enough to drive, there are others involving gifts and packages.

โ€œThis should be part of their financial education,โ€ Levine said.