Montréal-based cybersecurity software company Flare claimed today that it has identified a new group of scammers that is actively defrauding Canadians using fake toll and parking violation texts disguised as messages from provincial agencies.
The texts are coming from a group that Flare calls PayTool, which is the name the scammers used on their initial websites. Flare says that PayTool has been impersonating authorities across Canada—from the Insurance Corporation of British Columbia (ICBC) to Ontario’s 407 Express Toll Route highway—as part of a series of localized SMS-based phishing or “smishing” campaigns targeting Canadians.
Flare sells software that automates digital threat monitoring by trawling the open internet and the dark web for cybercrime, including the theft of company credentials or data leaks. The company says the PayTool scams typically look something like this: Canadians receive an unsolicited text from a Canadian phone number claiming an “unpaid parking fine” or “toll evasion notice” for a small, specific amount, such as $6.97. That nominal fee and an explicit threat of late fees, licence suspension, or legal action without immediate payment are aimed at prompting recipients to pay quickly.
Those texts usually contain a hyperlink to a fake website designed to look like the provincial agency’s official payment portal, with similar logos and URLs, such as 4o7etr[.]com instead of 407etr[.]com. When a recipient clicks that link and attempts to pay the fine, they are prompted to enter sensitive data like credit card information, bank account details, or driver’s licence number. Attackers can then use this info to purchase goods and services elsewhere.
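For defenders triaging reported texts, the lookalike pattern described above can be checked mechanically. The following is an added example, not Flare's tooling or code from the original article: it compares hosts found in a message against a list of official domains, and the confusables map, the two-label domain rule, and the sample message are assumptions made for illustration.

```python
import re

# Official domains to protect. 407etr.com comes from the article; add your own.
OFFICIAL_DOMAINS = {"407etr.com"}

# Assumption: a tiny look-alike map, not the full Unicode confusables table.
CONFUSABLES = str.maketrans({"o": "0", "l": "1", "i": "1"})
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

def skeleton(domain):
    """Fold visually similar characters so 4o7etr and 407etr compare equal."""
    return domain.translate(CONFUSABLES)

def edit_distance(a, b):
    """Levenshtein distance, to catch single-character typos and insertions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return 'official', 'lookalike' or 'unknown' for a host name."""
    # Assumption: the last two labels are the registrable domain (no public suffix list).
    domain = ".".join(host.lower().split(".")[-2:])
    if domain in OFFICIAL_DOMAINS:
        return "official"
    for real in OFFICIAL_DOMAINS:
        if skeleton(domain) == skeleton(real) or edit_distance(domain, real) <= 1:
            return "lookalike"
    return "unknown"

def scan_sms(text):
    """Refang a reported message and classify every host name found in it."""
    clean = text.lower().replace("[.]", ".")
    return {host: classify(host) for host in HOST_RE.findall(clean)}

# Constructed sample message modelled on the article's description.
SAMPLE_SMS = ("407 ETR: unpaid toll of $6.97. Pay today to avoid late fees: "
              "https://4o7etr[.]com/pay")

if __name__ == "__main__":
    print(scan_sms(SAMPLE_SMS))
```

A host classified as "unknown" is not cleared; it only means it does not resemble any domain on the official list.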
In an interview with BetaKit, Flare senior cybercrime researcher Adrian Cheek said that the initial payment is “small fries.” What attackers are really after, he said, is Canadians’ data.
While victims’ credit cards can be quickly blocked and unauthorized charges are often refunded, “your personal information has a value in the dark market ecosystem.” Cheek noted that this info can be sold and used to support ongoing criminal activity, like taking out fraudulent car loans or mortgages.
Flare claims that it is tracking 37 domains linked to PayTool and has identified more than 900 confirmed victims from the group’s campaigns, as well as additional victims from earlier campaigns it believes were also run by PayTool. Flare has clocked an increase in the frequency of newly registered sites associated with PayTool since last summer; in recent months, the company says that PayTool’s scams have become more believable.
Experts have warned that smishing attacks are likely rising thanks to AI. Last July, Canada’s Competition Bureau published a notice with its own guidance regarding smishing.
Cheek advised any Canadians who receive these smishing messages to go directly to the organization’s official website using their own internet search to verify the information. He added that most legitimate agencies would not inform Canadians of a parking or toll fine via text.
“Never click on the link that you receive from a text message, especially if the message is unsolicited,” he added.
ICBC has addressed the scam on social media, stating that it never contacts customers via text about driving infractions or outstanding debt, adding, “if you receive a suspicious message, please delete it—it’s a scam.”
As part of his investigation into PayTool, Cheek said he applied the same methodology he has used to track other groups conducting similar campaigns in the US to identify patterns in texts sent to different victims. Using open source research, he identified victims who posted on social media and forums. He added the data he gathered to Flare’s platform and ran it against the company’s existing datasets.
But Cheek says that PayTool’s smishing campaigns are unlike others he has seen south of the border because they are leveraging Canadian area codes and province-specific branding, which suggests they may have access to Canadian SIM infrastructure and be located in Canada.
While smishing is considered a crime under Canada’s Criminal Code and anti-spam legislation, catching the perpetrators can be tough for the police, given that threat actors often use prepaid SIM cards and number spoofing to conceal their identities.
Cheek said that Flare actively shares cybercrime information and works with law enforcement agencies. Flare has not notified any of the impersonated organizations directly. While the company has not yet informed law enforcement of its PayTool findings at time of publication, Cheek said it intends to do so soon.
He argued it is possible to catch attackers provided that there is enough information sharing between researchers, telecommunications companies, and law enforcement agencies. Thanks to the right processes in the US, Cheek said some of his research outside of Flare has enabled the identification of individuals and locations tied to such scams.
Feature image courtesy Unsplash. Photo by Mark Aliiev.

