MassDOT issues 3rd warning about texting scam called smishing; UMass prof offers tips on what to do

This screenshot shows a scammer's smishing attempt to obtain money and possibly personal information. SCREENSHOT/MASSACHUSETTS DEPARTMENT OF TRANSPORTATION

By JANE KAUFMAN

The Berkshire Eagle

Published: 01-14-2025 1:03 PM

Modified: 01-14-2025 5:03 PM


It looks so benign.

The reminder appears to come from EZDriveMA, the Massachusetts Turnpike Authority’s electronic tolling program.

“Your bill for $6.99 is due soon.” The text message contains a link and instructs you to “pay and avoid additional fees” by replying with a Y and activating a link or copying the link into your browser.

This is smishing, a text message scam that is technically a social engineering tactic. Based on a recent uptick in reports, MassDOT issued its third warning about smishing in recent months.

“MassDOT is underscoring that: EZDriveMA will never request payment by text,” according to the warning. “All links associated with EZDriveMA will include www.EZDriveMA.com.”

The FBI Internet Crime Complaint Center recognized the unpaid toll smishing scam in early March 2024 and noted more than 2,000 complaints had been made by April 12, when it put out its first alert.

Since then, state highway and turnpike authorities, including those in all six New England states and New York, have periodically put out alerts.

The U.S. Postal Service and the IRS have also put out alerts about smishing attempts with texters impersonating their agencies.

Smishing, a cute word that sounds vaguely Yiddish, was coined in 2006, according to Merriam-Webster. It combines the acronym SMS, which stands for short message service and refers to a text message, with phishing, the term for email or internet-based scams.

Brian Levine told the Eagle he gets smishing attempts all the time, though he hasn’t received the EZDriveMA one. He’s a distinguished professor at the University of Massachusetts Amherst in the Manning College of Information and Computer Sciences.

“I think it’s pretty common these days, because everyone has a phone, every phone has a phone number, pretty much, and everyone with a phone number can receive text messages,” he said.

Part of the reason smishing attempts are so common is that the phone texting system isn’t secure.

“It’s easy to send fake messages, meaning they may appear to be from your local town, but they could come from anywhere in the globe, and there’s barely any mechanism that would prevent that,” he said.

While text messages may be thought of as postcards, because they’re “viewable by anyone,” Levine said there’s one crucial difference: the postmark.

“There’s nothing in an SMS message to authenticate where it actually came from and to keep it private,” Levine said.

Smishing attempts are designed to take advantage of typical behaviors, or social engineering, and this one does so in specific ways.

“People are busy, and they’re used to receiving real messages that are important on their phone, because they’re from their family or their jobs or places they do business with, like their banks,” he said. “We’re busy and we’re distracted, we say: ‘Oh, my God, this is important. I have to react to this. I owe someone money.’”

However, the inclination to instantly resolve the issue could create far bigger ones: from the loss of $6.99 to identity theft.

While these attacks have a low chance of success, they’re easy to automate and don’t cost much to initiate, which is why they’ve become so prevalent, Levine said.

“If it costs very little to carry out, that can be very profitable,” he said.

He said the $6.99 amount was likely chosen by the scammer because victims will consider that amount small and pay it without stopping to question the legitimacy of the demand.

There are often clues within scams that indicate the source is fake. In the EZDriveMA scam, Levine noted the URL ending. Any Massachusetts agency would have .ma as the final extension.

But even if the targets of a smishing attempt don’t recognize that sort of clue, there’s a way to ensure they’re not trapped by these scams.

Levine recommends using the following strategy to avoid getting caught by smishing, phishing or vishing. Vishing is the name given to similar attacks using voicemail or phone calls, with either real or computer-generated voices.

Don’t click on a link or interact with the text message, the caller or the email, Levine advises. Don’t interact with that number or email and instead contact the entity using a known and trusted website, email address or phone number.

“It’s annoying to be secure,” Levine said. “It takes extra work, and that’s what they’re taking advantage of. It’s much easier to just click this link in your text message and not think about it, but that’s what you’ve got to do.”

Levine uses a free messaging app called Signal, which filters text messages. Similarly, he has three email addresses: one for personal friends, a second for work and a third for receipts.

Levine said older adults may be vulnerable to smishing and recommends placing safeguards to prevent the loss of lifelong savings.

He’s also concerned about those new to cellphones, such as children, who may be unfamiliar with scams. While they may not be vulnerable to this one because they may not be old enough to drive, there are others involving gifts and packages.

“This should be part of their financial education,” he said.