iMessage scams on the rise: Tax refunds and toll payments
Posted on
by
Joshua Long
Scammers continue to escalate their efforts to defraud people via unsolicited text messages. This week, two types of scam messages have been prevalent. One of the latest scams involves an alleged tax refund. Additionally, texts claiming that the recipient owes toll fees are prevalent.
Phishing scams delivered via text message are sometimes referred to as “smishing” (or “smshing”). While short for “SMS phishing,” such scams are increasingly being delivered via other texting platforms besides the old SMS standard. Notably, we have observed an increase in scams sent over Apple’s iMessage service in recent months. Both of this week’s most common text scams often arrive via iMessage.
Here’s how you can recognize, avoid, and report these scams.
In this article:
- Tax scams: California Franchise Tax Board (FTB) refund
- Toll scams: E-ZPass, FasTrak, EZDriveMA, The Toll Roads
- Why is Apple failing to block so many iMessage scams?
- What should I do if I receive a scam text message?
- How can I learn more?
Tax scams: California Franchise Tax Board (FTB) refund
Tax-related scams are certainly nothing new; but Californians are currently being hit with a new version. California residents, and potentially others with a California area code, may receive messages like the one below.
Phishing text message claiming to be from the California Franchise Tax Board.
This particular example says:
STATE OF CALIFORNIA Franchise Tax Board (FTB)
Your California tax refund of [$1,050] will permanently expire on [03/[current date]/2025]. Failure to submit the required documentation by the deadline will result in the forfeiture of your payment to the State of California. To prevent unnecessary loss, please address this matter promptly:
https://ftb.gov-checking-[random characters].[top or cfd]/us
(Please reply Y, then exit the text message and open it again to activate the link, or copy the link into your Safari browser and open it)
California Franchise Tax Board | Sacramento, CA | Official State Agency
Note that the domain isn’t ftb.gov (which, in fact, isn’t a real site anyway; California’s Franchise Tax Board site is at ftb.ca.gov). Rather, the hyphen immediately after the .gov part of the URL is an indication that the sender is trying to be tricky. (We have previously reported about scam links using a deceptive hyphen instead of a slash.) The real domain in this case would be gov-checking-randomcharacters.cfd (or .top); the “ftb.” part at the beginning is just a subdomain, or a subsection of the main site.
California’s real Franchise Tax Board has issued its own statement about these scam messages.
Web addresses found in any similar messages will lead to phishing scam sites. They’re often designed to mimic real forms, in an attempt to steal your personal information. Data collected through such forms may be used to commit financial fraud.
Toll scams: E-ZPass, FasTrak, EZDriveMA, The Toll Roads
Another common text message scam this week involves allegations of toll evasion, or late fees for usage of toll roads. Again, many such messages often arrive via iMessage. Following are a few recent examples:
Final Notice: Toll Road Payment Needed
Please settle your toll fees by [current date], to avoid potential penalties such as:
Suspension of vehicle registration
Possible fines
Credit score repercussionshttps://fastrak.org-[random characters].xin/pay
Take action today to avoid these outcomes. Your attention is appreciated!
(Please reply Y, then exit the SMS and open it again to activate the link, or copy the link to your Safari browser and open it)
The Toll Roads Notice of Toll Evasion: You have an unpaid toll bill on your account. To avoid late fees, pay within 12 hours or the late fees will be increased and reported to the DMV.
https://www.ezdrivemasa[.]xin/us
… The Toll Roads team wishes you a great day!
E-ZPass Final Reminder:
You have an outstanding toll.Your toll account balance is outstanding. If you fail to pay by March 24, 2025. You will be penalized or subject to legal action.
Now Payment:https://e-zpassny.com-[random characters].xin/us
… Please settle your toll immediately after reading this message to avoid penalties for delaying the payment.
Thank you for your cooperation.
Recent versions of these scams tend to have a lot in common. They are often delivered via iMessage; they might come from a U.S. area code, or from a +66 (Philippines) or +44 (UK) country code, or from an e-mail address. Often they reuse the line about replying, exiting, and reopening the message to activate the link. The top-level domain (the “dot something” at the end) that’s most common this week is “.xin”—a Chinese TLD.
Why is Apple failing to block so many iMessage scams?
As we’ve noted throughout this article, scammers are increasingly sending text messages like these through Apple’s own iMessage system. In theory, it should be more difficult to set up a plethora of Apple Accounts—especially ones attached to unique telephone numbers. And yet, somehow, scammers keep getting away with it.
One would think that after many users have reported similar scam messages to Apple that the company would put filters in place to block such messages from being sent—especially in bulk. Additionally, most of these messages reuse the same chunks of text, without any variation; it should be easy for Apple to filter out common scam instructions like replying and reopening the message to enable links, for example.
We reached out to Apple to ask what, if anything, the company is doing to improve the situation. Apple has not yet responded to our inquiry.
What should I do if I receive a scam text message?
If you enter personal information on a phishing site, be sure to immediately report it to the authorities. Go to the Internet Crime Complaint Center (ic3.gov) and click File A Complaint.
Even if you haven’t fallen for a scam, it’s important to report it to Apple and your mobile carrier. This can, in theory, help them block similar scam messages in the future.
Whenever you get a text message that you’re confident is a scam, tap on “Report Junk.” You’ll be asked to confirm; “Report this conversation as junk by sending it to [your carrier] and Apple from your phone number.” Tap the “Delete and Report Junk” button to proceed.
How can I learn more?
We’ve previously covered tons of similar scams; check out these articles for additional details:
- Scammers using new trick in phishing text messages: Google redirects
- How to spot fake Apple security alerts via text, phone, email, or web
- Beware of fake package delivery texts and e-mails! Here’s what to look for
- “Apple Inc sent you a payment request” Payoneer invoices; other Microsoft-enabled scams
- Money request and invoice scams via PayPal, Venmo, and Docusign
- Fake “Geek Squad” invoice scam, now using Housecall Pro servers (Jan 2024)
- Fake invoice scams: Norton, McAfee, PayPal, and more (Jun 2023)
- Top 10 online scams to beware of: from malvertising to deepfake kidnappings
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: 
