Podcast Summary: The Journal.
Episode: No, Your Toll Payment Is Not Overdue
Hosts: Jessica Mendoza, Ryan Knutson
Guest/Reporter: Bob McMillan (Cybersecurity Reporter)
Date: October 22, 2025
Episode Overview
This episode explores a massive, sophisticated toll payment text scam that has defrauded people across the U.S. and internationally, generating potentially billions for Chinese organized crime groups. The discussion breaks down how the scam works, who orchestrates it, its technological backbone, why it's so hard to stop, and what consumers can do to protect themselves.
Key Discussion Points & Insights
1. Scams Are Widespread and Brazen
- Toll Payment Scams:
- Listeners and producers of the show regularly receive scam texts demanding “overdue” payments for fake toll fees, often threatening DMV action.
- These texts prompt a sense of urgency, pushing victims to click payment links.
Quote:
“You may have received some of these texts yourself. A lot of people have, all across the country.”
— Jessica Mendoza (00:50)
- Scope:
- The Department of Homeland Security estimates the scam has generated over $1 billion, and some researchers believe it could reach as much as $30 billion.
Quote:
“The Department of Homeland Security estimated that it’s made over a billion dollars so far.”
— Bob McMillan (02:02)
2. The Technology and Players Behind the Scam
a) SIM Boxes and SIM Farms (03:57—04:29)
- SIM Box:
A device with multiple SIM cards that blasts spam texts, each from a different phone number.
- SIM Farm:
Multiple SIM boxes working together, sometimes set up by U.S.-based “gig” workers for easy money.
- Remote Control:
Criminals in China can remotely send thousands of scam texts through these U.S.-located boxes.
Quote:
“The neat thing that SIM boxes do is they allow somebody in China to connect to that box and then to send a bunch messages from all these different phone numbers.”
— Bob McMillan (04:42)
b) What Happens When You Click the Link? (05:13—06:12)
- The victim is taken to a convincing fake website prompting for credit card details.
- After entering the card, a prompt appears for a one-time passcode (OTP) sent via the victim's bank.
- The scammer collects both the card info and the OTP in real time—letting them add the card into a digital wallet (like Apple Pay) on their own devices in China.
Quote:
“Every number as it’s coming gets entered into this software that, that is on the other side of the fake phishing website... And now your credit card number is in a Chinese scammer’s iPhone wallet.”
— Bob McMillan (06:11)
3. Laundering and Profiting from Stolen Cards
a) The Role of "Mules" (07:03—08:21)
- Mules are recruited (often through platforms like WeChat) to use phones loaded with stolen cards to buy gift cards and luxury items at U.S. retailers, using tap-to-pay.
- Often, a single mule is found with over 100 gift cards.
- Goods are sold in the U.S. or shipped to China for resale.
Quote:
“They just basically will take one credit card, tap it, and buy. Buy a gift card. Often it’s an Apple gift card, or it could be a luxury good gift card... until the credit card stops working.”
— Bob McMillan (07:48)
b) Scale & Profitability
- Profits are vast, even if margins are difficult to pin down. Organized crime in China efficiently organizes, recruits, and sells.
Quote:
“To make a billion dollars from this scam is pretty remarkable. And that’s a very low range of the estimate... could approach $30 billion.”
— Bob McMillan (09:13)
4. Why the Scam Persists
a) Success Rate (09:32—10:08)
- Even with less than 1% of recipients duped, huge volumes make it lucrative.
- The average victim loss is about $1,000.
b) Weak Points in the System
i. Tech/Telcos (11:05—11:49)
- U.S. telecoms could spot and disrupt SIM farms but often don’t.
- A researcher found 200 SIM boxes with only basic tools.
Quote:
“The telcos could put some pressure on the operators of these spam faucets... make it more expensive for them to operate, to make it shut them down more quickly, [and] work with law enforcement to seize the equipment.”
— Bob McMillan (11:29)
ii. Device Makers (11:49—12:24)
- Platforms like Android are rolling out AI features to warn users.
iii. Banks & Credit Cards (12:24—13:13)
- Payment systems send device information at transaction time. Banks could use device profile changes to catch fraud but are wary of creating too much friction for real customers.
Quote:
“...the banks could be better about doing risk analysis given that information... there are breadcrumbs in these Apple wallet transactions that the banks could be better at identifying.”
— Bob McMillan (12:32)
- Banks struggle to balance security and customer experience.
Quote:
“They have to walk this line between ease of use and security, and they have to get it right.”
— Bob McMillan (13:13)
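The device-profile check described in this section, sketched as an added example (not from the episode or from any bank's system). Event fields, type names, thresholds and the sample events are constructed assumptions; the graduated response reflects the friction trade-off: a new phone alone only triggers extra verification, while a new device followed by a gift-card burst holds the card.

```python
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(hours=24)  # assumed look-back after provisioning
BURST_COUNT = 2                     # assumed gift-card taps that trigger a hold

def assess_card(events, known_devices):
    """Assess one card's events (oldest first); return (action, reasons)."""
    reasons = []
    new_device, provisioned_at, gift_taps = None, None, 0
    for e in events:
        if e["type"] == "wallet_provision" and e["device"] not in known_devices:
            # Device-profile change: the card lands in a wallet on unseen hardware.
            new_device, provisioned_at = e["device"], e["ts"]
            reasons.append("card added to wallet on unseen device " + e["device"])
        elif (e["type"] == "tap_purchase" and e["device"] == new_device
              and e["category"] == "gift_card"
              and e["ts"] - provisioned_at <= BURST_WINDOW):
            gift_taps += 1  # cash-out pattern: repeated gift-card taps
    if gift_taps >= BURST_COUNT:
        reasons.append(f"{gift_taps} gift-card taps from that device within 24h")
        return "hold", reasons
    if new_device:
        return "step_up", reasons  # low friction: ask for extra verification
    return "allow", reasons

T0 = datetime(2025, 1, 1, 9, 0)  # constructed reference time

def ev(minutes, type_, device, category=None):
    """Build one constructed event, `minutes` after T0."""
    return {"ts": T0 + timedelta(minutes=minutes), "type": type_,
            "device": device, "category": category}

# Constructed sample: card id -> (events, devices already known for the customer)
SAMPLE = {
    "card-A": ([ev(0, "tap_purchase", "phone-1", "grocery")], {"phone-1"}),
    "card-B": ([ev(0, "wallet_provision", "phone-9"),
                ev(30, "tap_purchase", "phone-9", "grocery")], {"phone-2"}),
    "card-C": ([ev(0, "wallet_provision", "phone-X"),
                ev(45, "tap_purchase", "phone-X", "gift_card"),
                ev(50, "tap_purchase", "phone-X", "gift_card"),
                ev(58, "tap_purchase", "phone-X", "gift_card")], {"phone-3"}),
}

def run_sample():
    """Return the action chosen for each constructed card."""
    return {card: assess_card(evts, known)[0]
            for card, (evts, known) in SAMPLE.items()}

if __name__ == "__main__":
    for card, action in run_sample().items():
        print(card, action)
```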
iv. Law Enforcement (13:38—14:13)
- U.S. law enforcement can catch mules within the country, but the kingpins in China remain untouchable due to lack of extradition treaties.
Quote:
“No. The United States doesn't have the ability to extradite people from China.”
— Bob McMillan (13:59)
Memorable Quotes & Moments
- On the Scam’s Scale:
“It's a billion dollar scam... and it might even be more than that.”
— Bob McMillan (09:22)
- On Urgency as a Red Flag:
“Anytime you find yourself reaching for your wallet with a sense of, like, urgency... stop. Just take a breath, you know, and ask yourself, is this a scam?”
— Bob McMillan (15:01)
- On the Futility of Policing:
“It's global, it's extremely lucrative. It's not going to stop. The people doing this... can't be extradited.”
— Bob McMillan (14:30)
Timeline of Key Segments
- 00:06–02:22: Introduction to text scam and its enormity
- 03:30–04:29: SIM boxes, SIM farms, and how texts are sent
- 05:13–06:12: What happens when a victim clicks the link
- 07:03–08:21: How “mules” help cash out stolen funds
- 09:32–10:08: Scale, success rates, and victim losses
- 11:05–13:13: What telcos, tech companies, and banks could do
- 13:47–14:13: Challenges with law enforcement and international criminals
- 15:01: Final advice to listeners: Be wary of urgency and unsolicited payment requests
Conclusion & Listener Takeaway
Practical advice:
- Don’t click on suspicious payment links in texts.
- Be especially cautious if a message creates a sense of urgency about payments or account suspensions.
- When in doubt, step back and independently verify the claim before taking action.
“Anytime you find yourself reaching for your wallet with a sense of, like, urgency... stop. Just take a breath, you know, and ask yourself, is this a scam?”
— Bob McMillan (15:01)
The episode closes by affirming both the sophistication and scope of the scam, the limitations agencies face in combatting it, and the importance of individual vigilance.
For those who haven't listened:
This episode lays bare the high-tech and labor-intensive machinery of modern, globalized text scams. It's an essential listen (or read) for anyone with a cell phone, credit card, or concern about digital security.
