No, Your Toll Payment Is Not Overdue

You know, Bob, right before we got on this call, one of our producers actually just got a text that I want to read to you.

Oh.

So it says, easy pass final notice.

Nope, Chinese scam.

Sorry.

Our colleague Bob McMillan covers cybersecurity, and he's been looking into the kind of scam that one of our producers just got fished with.

If you fail to pay within 24 hours, we will take the following actions.

Report to the DMV violation database, suspend your vehicle registration, and you may be prosecuted.

And then there's a link where you're supposed to pay.

Oh, that sounds awful.

You better pay that right away.

Don't tell people they might actually click it.

You may have received some of these texts yourself.

A lot of people have, all across the country.

So I've received several of these text messages telling me I owe $6.99 to Massachusetts EasyPass.

So just a couple of days ago, I get a text message talking about I need to pay my toll ways or my license is gonna be revoked at my nearest DMV.

Just got this one this morning from the toll roads team.

Toll Roads notice of toll evasion.

And sometimes it works.

The first and last time I really try to be responsible and pay my toll ways, my dumb ass gets scammed.

What is going on?

What are these text messages?

Where are they coming from?

Well, yeah, these easy pass, all the toll scams, apparently, are, according to the Department of Homeland Security, they're all being run by Chinese organized crime.

I mean, it's like a whole world of technologically advanced and kind of amazing world of scams.

And how big of a scam is this?

Like how widespread?

It's a massive scam.

The Department of Homeland Security estimated that it's made over a billion dollars so far.

I mean, just the fact that everybody who's listening to this has probably received one of these messages, you know, just speaks to the scale of the operation.

Welcome to The Journal, our show about money, business, and power.

I'm Jessica Mendoza.

It's Wednesday, October 22nd.

Coming up on the show, the billion-dollar scam that's popping up on cell phones across the U.S.

and around the world.

This episode is brought to you by Credit Karma.

A good podcast helps you connect the dots.

It pulls in interviews, backstories, and multiple POVs to help help you see the full picture.

It's what the journal aims for.

Credit Karma does the same thing, but for your money.

Just link your accounts and the app can show you ways to save, pay down debt, and build smarter spending habits.

Get the full picture of your money in one place.

Download Intuit Credit Karma to get started.

This episode is brought to you by Indeed.

When your fridge stops working, you don't sit around waiting for all your food to spoil.

You find a solution.

So why wait to hire the people your company desperately needs?

Use Indeed Sponsored Jobs to find great talent fast.

It moves your job posts to the top of the page, so it's the first thing relevant candidates see when they start searching.

And it truly does make a difference.

Sponsored jobs receive 45% more applications than non-sponsored jobs, according to Indeed data.

Plus, with sponsored jobs, there are no monthly subscriptions or long-term contracts.

You're only paying for results.

There's no need to wait any longer.

Speed up your hiring right now with Indeed.

Listeners of this show will get a a $75 sponsored job credit to get your jobs more visibility at indeed.com/slash journal.

That's indeed.com/slash journal right now.

And support the show by saying you heard about Indeed on this podcast.

Indeed.com/slash journal.

Terms and conditions apply.

Hiring, Indeed, is all you need.

Bob, what got you looking into this particular scam?

So a couple of weeks ago, the Secret Service made an announcement that was really alarming.

They said that the telecom infrastructure around New York was potentially under threat from these devices that they had found in the New York area.

And so I started wondering, what are these devices?

Bob quickly learned that many of those devices weren't meant to disrupt telecommunications.

They were actually being used to send out spam texts.

So a SIM box is what it's called.

and it's a black box with like a bunch of antennas on it and a bunch of slots for like little white sim cards, the things that you put in, like a mobile phone when you get a new phone.

And each sim card represents a phone number, and those cards are just pumping out the spam all the time.

All those sim cards and all those boxes, they make up what's called a sim farm.

And it turns out that sim farms exist all around the country.

So, how do these sim farms work?

Who's running them?

They're basically pitched as sort of a gig economy job.

Like, the criminals will give you one of these boxes.

You just plug it in in your home.

Wow.

You get it on your wireless network.

And so, you're basically a spam pumping operation, you know, at that point.

The neat thing that the SIM boxes do is they allow somebody in China to connect to that box and then to send a bunch of messages from all these different phone numbers.

Got it.

And so, those texts about fake overdue tolls, these Sim Farms churn them out.

Okay, so if I did click on the link, what happens next?

What happens next in my journey?

Okay, yeah.

So you would click on a link and you'd be presented with a very legit looking website on your phone.

And it asks you for your credit card information to pay the fee.

So you put in your credit card number, expiration date, all this stuff.

Every number as it's coming gets entered into this software that is on the other side of the fake phishing website that you're entering your credit card information into.

So in China, the person is seeing your credit card numbers as you enter them.

And then there's one thing that pops up that's a little bit weird.

It says your bank's going to send you a one-time passcode.

You need to enter it here for this transaction to go through.

Those one-time passcodes, banks send them to verify your identity.

So you enter your one-time passcode and somebody at live is just typing that into this phone.

And now your credit card number is in a Chinese scammer's iPhone wallet.

That's wild.

And by giving the scammers that one-time passcode, you've told your bank that the criminal's phone is a trusted device.

Now, the scammers are free to use your credit card as they wish.

But the problem is, they can't then just go shopping in China.

The credit card company would refuse the charge and flag it as fraudulent.

To solve for that, these criminals came up with software that can share a digital wallet with another mobile phone, kind of like mirroring the information.

Okay, so I type in my credit card information.

I give them the one-time passcode.

They are then able to put my credit card in their wallet, their mobile wallet in China.

Yeah.

And then the software allows them to share that with somebody else.

Yes, anywhere in the world.

Yeah, that's right.

Yeah.

That's nuts.

It's crazy, yeah.

The criminals then use special software that lets the credit card that's stored in their digital wallet in China be used at cash registers half a world away, in the U.S.

or elsewhere.

Those operatives, called mules, are recruited on platforms like WeChat, according to Bob's reporting.

They have about four to five hundred mules all around the United States

who are walking around with these Android phones and they get the tap from China and they go to a point of sale system in California and they buy a gift card, $100 gift card, and then they buy a second gift card and then they just keep using them until they stop working, right?

Tap to pay, tap to pay, tap to pay.

Until they're maxed out, essentially.

Yeah, like dozens of gift cards easily.

We found a complaint about someone who just pled guilty to fraud charges who had like hundred and

more than a hundred gift cards in their possession when they were arrested.

So they just basically will take one credit card, tap it, and buy a gift card.

Often it's an Apple gift card or it could be a luxury good gift card.

Buy a second one, buy a third one,

until the credit card stops working, and then they go to the next card in the Apple wallet.

These mules use those gift cards to buy actual stuff, often luxury items like designer handbags and electronics, which the gangs then resell, sometimes in the US, but a lot of their haul actually gets shipped over to China.

How lucrative is this?

It seems like a lot of work for, you know, essentially you're like having to still re buy the items and then resell them.

It's like a lot.

Yeah, I mean, the converting the stolen credit cards to cash seems does seem like a lot of work.

And that's where Chinese organized crime really, really shines is they can get people to do stuff for not a lot of money.

They have ways of selling this stuff when it's in China.

So, I do think, you know, I don't know what their profit margins are like, but to make a billion dollars from this scam is pretty remarkable.

And that's a very low range of the estimate.

I've talked to researchers who think the amount that's been made in this scam could approach $30 billion.

Wow.

And it might even be more than that.

How many people who get these text messages actually fall for them?

I don't know.

The Chinese spammers are not super public about how

metrics, you know, and it doesn't need to be a high click-through rate.

Like, you know, it's probably less than 1%.

And we know that, you know, according to the self-reported statistics from the federal government, the average loss around these spam text messages is around $1,000.

Wow.

But if you send out like, you know, hundreds of millions of spam messages, then that adds up.

Coming up, can anyone stop this billion-dollar scam?

Growing a business is complicated.

Your network shouldn't be.

Connected workplace from T-Mobile for Business gives you fully managed business internet.

That means network configuration and equipment tailored to your business needs and performance monitoring to keep systems and operations running smoothly.

One cost-effective solution to connect and support across locations so you can focus on what's next.

Accelerate your growth on America's most advanced 5G network.

Start now at t-mobile.com slash connected workplace.

This episode is brought to you by FirstNet.

During September 11th, First Responders struggled to communicate and respond because the networks and systems they relied on were overloaded or destroyed.

Today, they rely on FirstNet.

FirstNet was built with and for first responders, ensuring they have reliable communication wherever and whenever they need it.

FirstNet covers more first responders than any other network.

That's why it matters for every American.

FirstNet, built with ATT.

Learn more at firstnet.com/slash public safety first.

For this text scam to work, it has to go through a host of different players at each step of the process, starting with telecommunications companies.

According to Bob, these companies could shut down some SIM farms.

They can spot them on their networks, and they could definitely do a better job of just preventing them from being in operation.

Like, I talked to a researcher who identified 200 SIM boxes just using tools that he had at his disposal, which are not as good as the telcos tools.

And he found like 200 of these SIM boxes, right, around the United States.

He knew what cities they were in.

So the telcos could put some pressure on the operators of these spam faucets in the United States, make it more expensive for them to operate them, make it, you know, shut them down more quickly,

work with law enforcement to seize the equipment.

In an email, a wireless telecommunications industry group known as CTIA said, quote, the wireless industry works both individually and collaboratively with with law enforcement every day.

Another player that could potentially stop these text scams are the phone makers.

Google, for example, has added AI detection tools in its Android platform to warn users of scammy messages.

So we've been talking about tech solutions here, but all of this is happening through stolen credit cards, right?

What are the credit card companies and banks doing to stop these scams?

I mean, the easiest solution here is at the point of payment, the phones do transmit information about the device that's being used to initiate the point of sale transaction.

And so in this case, the banks could be better about doing risk analysis given that information.

For example, say I use an iPhone 11, and then suddenly there's a transaction coming from an iPhone 10, you know, on my Apple Wallet.

Like, okay, something's changed there, right?

So, you know, if you flag that as suspicious, like there are breadcrumbs in these, in these Apple Wallet transactions that the banks could be better at identifying.

Banks are in a tricky spot.

They want to prevent fraud, but they don't want to create friction for customers.

They're running this tension because if they reject too many transactions, if they're too tough on this, then people won't want to use their credit cards, right?

So they have to walk this line between ease of use and security, and they have to get it right.

Because if you're legitimately trying to buy something and your stupid credit card isn't going through, because

the bank thinks you're a Chinese scammer and you're not, like, that's super frustrating.

So, telecom companies and banks haven't solved the scam problem.

And on the law enforcement side of things, stopping the people involved has been slow going.

They can bust the mules and they're doing that, but it's tough because,

you know, there are just so many of them and they're so easily recruited.

And, you know, that's a problem.

Has anyone in China been busted yet?

No, the United States doesn't have the ability to extradite people from China.

So, even if we had identified the criminals there, China would not ship them to the U.S.

for prosecution.

Even as law enforcement gets a better understanding of these text message scams, the fact is criminals are constantly innovating and changing tack.

They've always got a new scam.

So, what does all of this say about the state of scamming today?

It's global.

It's extremely lucrative.

It's not going to stop.

I mean, the fact that the people doing this, you know, can't be extradited, you know, there's a couple of places that a lot of bad things come out of.

And

they're regions of the world where the United States just can't, you know, law enforcement just can't touch people.

So if there's something that you want people to remember, is it just like, don't click the link?

Don't do it.

Yeah, obviously, yeah.

Be careful what you click for sure.

But also,

anytime, this is what I tell people: anytime you find yourself reaching for your wallet with a sense of like urgency, like I need to get this done quickly because of whatever the consequence might be, stop.

Just take a breath, you know, and ask yourself,

is this a scam?

That's all for today, Wednesday, October 22nd.

The journal is a co-production of Spotify and the Wall Street Journal.

If you like our show, you can find us on Spotify or wherever you get your podcasts.

We're out every weekday afternoon.

Thanks for listening.

See you tomorrow.