Jessica Mendoza
You know, Bob, right before we got on this call, one of our producers actually just got a text that I want to read to you.
Bob McMillan
Oh.
Jessica Mendoza
So it says, E-ZPass, final notice.
Bob McMillan
Oh, Chinese scam. Sorry.
Jessica Mendoza
Our colleague, Bob McMillan, covers cybersecurity and he's been looking into the kind of scam that one of our producers just got phished with. If you fail to pay within 24 hours, we will take the following report to the DMV violation database. Suspend your vehicle registration and you may be prosecuted. Then there's a link where you're supposed to pay.
Bob McMillan
Oh, that sounds awful. You better pay that right away.
Jessica Mendoza
Don't, don't tell people. They might actually click it. You may have received some of these texts yourself. A lot of people have, all across the country. So I've received several of these text.
Bob McMillan
Messages telling me I owe 699 to.
Jessica Mendoza
Massachusetts E-ZPass.
Caller/Listener
So just a couple days ago, I get a text message talking about I need to pay my tollways or my license gonna be revoked at my nearest DMV.
Jessica Mendoza
Just got this one this morning from the toll roads team. Toll roads. Notice of toll evasion. And sometimes it works.
Caller/Listener
The first and last time I really try to be responsible and pay my tollways, my dumb ass gets scammed.
Jessica Mendoza
What is going on? What are these text messages? Where are they coming from?
Bob McMillan
Well, yeah, these E-ZPass, all the toll scams apparently are, according to the Department of Homeland Security, they're all being run by Chinese organized crime. I mean, it's like a whole world of technologically advanced and kind of amazing world of scams.
Jessica Mendoza
And how big of a scam is this, like, how widespread?
Bob McMillan
It's a massive scam. The Department of Homeland Security estimated that it's made over a billion dollars so far. I mean, just the fact that everybody who's listening to this has probably received one of these messages, you know, just speaks to the scale of the operation.
Jessica Mendoza
Welcome to the Journal, our show about money, business and power. I'm Jessica Mendoza. It's Wednesday, October 22nd. Coming up on the show, the billion dollar scam that's popping up on cell phones across the US and around the world. Bob, what got you looking into this particular scam?
Bob McMillan
So a couple of weeks ago, the Secret Service made an announcement that was really alarming. They said that the telecom infrastructure around New York was potentially under threat from these devices that they had found in the New York area. And so I started wondering, what are these devices?
Jessica Mendoza
Bob quickly learned that many of those devices weren't meant to disrupt telecommunications. They were actually being used to send out spam texts.
Bob McMillan
So a SIM box is what it's called and it's a black box with like a bunch of antennas on it and a bunch of slots for like little white SIM cards, the things that you put in like a mobile phone when you get a new phone. And each SIM card represents a phone number and those cards are just pumping out the spam all the time.
Jessica Mendoza
All those SIM cards and all those boxes, they make up what's called a SIM farm. And it turns out that SIM farms exist all around the country. So how do these SIM farms work? Who's running them?
Bob McMillan
They're basically pitched as sort of a gig economy job. Like the criminals will give you one of these boxes, you just plug it in in your home.
Jessica Mendoza
Wow.
Bob McMillan
You get it on your wireless network and so you're basically a spam pumping operation. You know, at that point, the neat thing that the SIM boxes do is they allow somebody in China to connect to that box and then to send a bunch messages from all these different phone numbers.
Jessica Mendoza
Got it. And so those texts about fake overdue tolls, these SIM farms, churn them out. Okay, so if I did click on the link, what happens next? What happens next in my journey?
Bob McMillan
Okay, yeah. So you would click on a link and you'd be presented with a very legit looking website on your phone and it asks you for your credit card information to pay the fee. So you put in your, your credit card number, expiration date, all this stuff. Every number as it's coming gets entered into this software that, that is on the other side of the fake phishing website that you're entering your, your credit card information into. So in China, the person is seeing your credit card numbers as you enter them. And then there's one thing that pops up that's a little bit weird. It says your bank's going to send you a one time passcode. You need to enter it here for.
Jessica Mendoza
This transaction to go through those one time passcodes. Banks send them to verify your identity.
Bob McMillan
So you enter your one time passcode and somebody at Live is just typing that into this phone. And now your credit card number is in a Chinese scammer's iPhone wallet.
Jessica Mendoza
That's wild. And by giving the scammers that one time passcode, you've told your bank that the criminal's phone is a trusted device. Now, the scammers are free to use your credit card as they wish, but the problem is they can't then just go shopping in China. The credit card company would refuse the charge and flag it as fraudulent. To solve for that, these criminals came up with software that can share a digital wallet with another mobile phone. Kind of like mirroring the information. Okay, so I type in my credit card information, I give them the one time passcode, they are then able to put my credit card in their wallet. Their mobile wallet in China.
Bob McMillan
Yeah.
Jessica Mendoza
And then the software allows them to share that with somebody else.
Bob McMillan
Yes. Anywhere in the world. Yeah, that's right. Yeah.
Jessica Mendoza
That's nuts.
Bob McMillan
It's crazy. Yeah.
Jessica Mendoza
The criminals then use special software that lets the credit card that's stored in their digital wallet in China be used at cash registers half a world away in the US or elsewhere. Those operatives, called mules, are recruited on platforms like WeChat.
Bob McMillan
According to Bob's reporting, they have about 4 to 500 mules all around the United States who are walking around with these Android phones. And they get the tap from China and they go to a point of sale system in California and they buy a gift card, $100 gift card, and then they buy a second gift card. And then they buy. They just keep using them until they stop working. Right. Tap to pay, tap to pay, tap.
Jessica Mendoza
To pay until they're maxed out, essentially.
Caller/Listener
Yeah.
Bob McMillan
Like dozens of gift cards, easily. We found a complaint about someone who just pled guilty to fraud charges, who had like more than 100 gift cards in their possession when they were arrested. So they just basically will take one credit card, tap it, and buy. Buy a gift card. Often it's an Apple gift card, or it could be a luxury good gift card. Buy a second one, buy a third one until the credit card stops working, and then they go to the next card in the Apple wallet.
Jessica Mendoza
These mules use those gift cards to buy actual stuff, often luxury items like designer handbags and electronics, which the gangs then resell sometimes in the US. But a lot of their haul actually gets shipped over to China. How lucrative is this? It seems like a lot of work for, you know, essentially you're like having to still rebuy the items and then resell them. It's like a lot.
Bob McMillan
Yeah, I mean, the converting the stolen credit cards to cash seems, does seem like a lot of work. And that's where Chinese organized crime really, really shines is they, they can get people to do stuff for not a lot. They have ways of selling this stuff when it's in China. So I do think, you know, I don't know what their profit margins are like, but to make a billion dollars from this, this scam is pretty remarkable. And that's a very low range of the estimate. I've talked to researchers who think the amount that that's been made in this scam could approach $30 billion.
Jessica Mendoza
Wow.
Bob McMillan
And it might even be more than that.
Jessica Mendoza
How many people who get these text messages actually fall for them?
Bob McMillan
I don't know. They don't. The Chinese spammers are not super public about like how they don't share their data metrics, you know, and it doesn't need to be a high click through rate. Like you know, it's probably less than 1% and we know that, you know, according to the self reported statistics from the federal government, the average loss around these spam text messages is around $1,000.
Jessica Mendoza
Wow.
Bob McMillan
But if you send out like, you know, hundreds of millions of spam messages then that, that adds up.
Jessica Mendoza
Coming up, can anyone stop this billion dollar scam?
Jessica Mendoza
For this text scam to work, it has to go through a host of different players at each step of the process, starting with telecommunications companies. According to Bob, these companies could shut.
Bob McMillan
Down some SIM farms, they can spot them on their networks and they could definitely do a better job of just preventing them from being in operation. Like I talked to a researcher who identified 200 SIM boxes just using tools that he had at his disposal which are not as good as the telcos tools. And he found like 200 of these SIM boxes right around the United States. He knew what cities they were in. So the telcos could put some pressure on the operators of these spam faucets in the United States, make it more expensive for them to operate, to make it shut them down more quickly, seize the work with law enforcement to seize the equipment.
Jessica Mendoza
In an email, a wireless telecommunications industry group known as CTIA said, quote, the wireless industry works both individually and collaboratively with law enforcement every day. Another player that could potentially stop these text scams are the phone makers. Google, for example, has added AI detection tools in its Android platform to warn users of scammy messages. So we've been talking about tech solutions here, but all of this is happening through stolen credit cards, right? What are the credit card companies and banks doing to stop these scams?
Bob McMillan
I mean, the easiest solution here is at the point of payment. The phones do transmit information about the device that's being used to initiate the point of sale transaction. And so in this case, the, the banks could be better about doing risk analysis given that information. For example, say I use an iPhone 11 and then suddenly there's a transaction coming from an iPhone 10, you know, on my Apple Wallet, like, okay, something's changed there, right? So you know, if you flag that as suspicious, like there are breadcrumbs in these, in these Apple wallet transactions that the banks could be better at identifying.
Jessica Mendoza
Banks are in a tricky spot. They want to prevent fraud, but they don't want to create friction for customers.
Bob McMillan
They're running this tension because if they reject too many transactions, if they're too tough on this, then people won't want to use their credit cards, right? So they have to walk this line between ease of use and security, and they have to get it right. Because if you're legitimately trying to buy something and your stupid credit card isn't going through because you know the bank thinks you're a Chinese scammer and you're not, like, that's super frustrating.
Jessica Mendoza
So telecom companies and banks haven't solved the scam problem. And on the law enforcement side of things, stopping the people involved has been slow going.
Bob McMillan
They can bust the mules and they're doing that. But it's tough because, you know, there are just so many of them and they're so easily recruited. And you know, that's a problem.
Jessica Mendoza
Has anyone in China been busted yet?
Bob McMillan
No. The United States doesn't have the ability to extradite people from China. So even if we had identified the criminals there, China would not ship them to the US for prosecution.
Jessica Mendoza
Even as law enforcement gets a better understanding of these text message scams, the fact is criminals are constantly innovating and changing tack. They've always got a new scam. So what does all of this say about this state of scamming today?
Bob McMillan
It's global, it's extremely lucrative. It's not going to stop. I mean, the fact that the people doing this, you know, can't be extradited. You know, there's a couple of places that a lot of bad things come out of, and they're regions of the world where the United States just can't, you know, law enforcement just can't touch people.
Jessica Mendoza
So if there's something that you want people to remember, is it just like, don't click the link? Don't do it?
Bob McMillan
Yeah, obviously, yeah. Be careful what you click, for sure. But also, anytime. This is what I tell people. Anytime you find yourself reaching for your wallet with a sense of, like, urgency, like, I need to get this done quickly because of whatever the consequence might be, stop. Just take a breath, you know, and ask yourself, is this a scam?
Jessica Mendoza
That's all for today. Wednesday, October 22nd. The Journal is a co-production of Spotify and the Wall Street Journal. If you like our show, you can find us on Spotify or wherever you get your podcasts. We're out every weekday afternoon. Thanks for listening. See you tomorrow.
Episode: No, Your Toll Payment Is Not Overdue
Hosts: Jessica Mendoza, Ryan Knutson
Guest/Reporter: Bob McMillan (Cybersecurity Reporter)
Date: October 22, 2025
This episode explores a massive, sophisticated toll payment text scam that has defrauded people across the U.S. and internationally, generating potentially billions for Chinese organized crime groups. The discussion breaks down how the scam works, who orchestrates it, its technological backbone, why it's so hard to stop, and what consumers can do to protect themselves.
Quote:
“You may have received some of these texts yourself. A lot of people have, all across the country.”
— Jessica Mendoza (00:50)
Quote:
“The Department of Homeland Security estimated that it’s made over a billion dollars so far.”
— Bob McMillan (02:02)
Quote:
“The neat thing that SIM boxes do is they allow somebody in China to connect to that box and then to send a bunch messages from all these different phone numbers.”
— Bob McMillan (04:42)
Quote:
“Every number as it’s coming gets entered into this software that, that is on the other side of the fake phishing website... And now your credit card number is in a Chinese scammer’s iPhone wallet.”
— Bob McMillan (06:11)
Quote:
“They just basically will take one credit card, tap it, and buy. Buy a gift card. Often it’s an Apple gift card, or it could be a luxury good gift card... until the credit card stops working.”
— Bob McMillan (07:48)
Quote:
“To make a billion dollars from this scam is pretty remarkable. And that’s a very low range of the estimate... could approach $30 billion.”
— Bob McMillan (09:13)
Quote:
“The telcos could put some pressure on the operators of these spam faucets... make it more expensive for them to operate, to make it shut them down more quickly, [and] work with law enforcement to seize the equipment.”
— Bob McMillan (11:29)
Quote:
“...the banks could be better about doing risk analysis given that information... there are breadcrumbs in these Apple wallet transactions that the banks could be better at identifying.”
— Bob McMillan (12:32)
Quote:
“They have to walk this line between ease of use and security, and they have to get it right.”
— Bob McMillan (13:13)
Quote:
“No. The United States doesn't have the ability to extradite people from China.”
— Bob McMillan (13:59)
On the Scam’s Scale:
“It's a billion dollar scam... and it might even be more than that.”
— Bob McMillan (09:22)
On Urgency as a Red Flag:
“Anytime you find yourself reaching for your wallet with a sense of, like, urgency... stop. Just take a breath, you know, and ask yourself, is this a scam?”
— Bob McMillan (15:01)
On the Futility of Policing:
“It's global, it's extremely lucrative. It's not going to stop. The people doing this... can't be extradited.”
— Bob McMillan (14:30)
The episode closes by affirming both the sophistication and scope of the scam, the limitations agencies face in combatting it, and the importance of individual vigilance.
For those who haven't listened:
This episode lays bare the high-tech and labor-intensive machinery of modern, globalized text scams. It's an essential listen (or read) for anyone with a cell phone, credit card, or concern about digital security.