A Bitdefender investigation found more than 79,000 fraudulent SMS messages and 31,900 malicious URLs in a global smishing campaign targeting drivers with fake fines, tolls and parking penalties.

Global Smishing Campaign Uses Fake Traffic Fines To Target Drivers

The420.in Staff

A major investigation has uncovered a global smishing campaign that uses fake traffic fine, toll and parking penalty notifications to target drivers in multiple countries. Researchers detected more than 79,000 fraudulent SMS messages, over 31,900 malicious URLs and up to 40 active campaigns between December 2025 and April 2026, affecting at least a dozen countries, including the United States, Canada, Australia, New Zealand, France, Spain, Colombia, Brazil, India, the United Kingdom, Ireland and Luxembourg.

Fake Fines Used to Pressure Drivers

The messages impersonate transport authorities, toll operators and parking services, and are delivered in multiple languages, including English, Spanish, French, Portuguese and Hindi. According to Bitdefender, the messages are designed to create urgency, warning recipients about unpaid tolls, traffic fines or parking tickets and setting short deadlines, usually between 24 and 72 hours.

The messages often threaten consequences such as additional fees, licence suspension, legal action or arrest warrants. Victims are then prompted to click links that lead to fraudulent websites designed to resemble official government or toll payment portals.

Once users land on the fake websites, they may be asked to enter sensitive details, including card information, personal data and in some cases banking credentials. In certain regions, the campaign goes beyond fake payment pages and delivers malware instead.

The attackers’ ultimate goal varies by campaign, ranging from financial theft and the extraction of personal and banking data to the installation of malware capable of intercepting SMS messages, accessing sensitive information on a victim’s device or taking full remote control.

Operation Road Trap Shows Global Coordination

Bitdefender said the activity, dubbed Operation Road Trap, appears widespread and highly coordinated. Researchers found no clear links between the campaigns beyond the use of similar lures and did not attribute the operation to any specific threat actor or group.

The investigation found that the campaigns use tactics such as impersonation of legitimate traffic authorities, fake websites that mimic official portals, shortened links, constant domain rotation and mobile-specific tricks. In some cases, users are asked to reply to the message to activate the malicious link.
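For defenders triaging reported messages, the lure traits described above can be turned into a simple scoring heuristic. The sketch below is an added example, not code from Bitdefender or this article. Its keyword lists, shortener hosts, threshold and sample messages are assumptions constructed for illustration, and it covers English text only.

```python
import re

# Signals mirror the lure traits the article lists. The word lists and shortener
# hosts are assumptions chosen for this example, not indicators from the report.
LURE = re.compile(r"\b(toll|traffic fine|parking (ticket|penalty|fine)|unpaid)\b", re.I)
THREAT = re.compile(r"\b(additional fees?|licen[cs]e suspension|legal action|arrest warrant)\b", re.I)
DEADLINE = re.compile(r"\b(within|in)\s+(\d{1,3})\s*(hours?|hrs?)\b", re.I)
REPLY = re.compile(r"\breply\s+(with\s+)?[\"']?(y|yes|1)\b", re.I)
URL = re.compile(r"https?://([^/\s:]+)", re.I)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
FLAG_AT = 3  # assumed threshold: three or more independent signals

def score_sms(text):
    """Return (score, reasons) for one SMS body."""
    reasons = []
    if LURE.search(text):
        reasons.append("fine/toll/parking lure")
    if THREAT.search(text):
        reasons.append("threatened consequence")
    m = DEADLINE.search(text)
    if m and 24 <= int(m.group(2)) <= 72:  # deadline window cited in the article
        reasons.append("24-72h deadline")
    if REPLY.search(text):
        reasons.append("reply-to-activate prompt")
    hosts = [h.lower() for h in URL.findall(text)]
    if any(h in SHORTENERS for h in hosts):
        reasons.append("shortened link")
    elif hosts:
        reasons.append("link present")
    return len(reasons), reasons

def triage(messages, threshold=FLAG_AT):
    """Return the indexes of messages whose score reaches the threshold."""
    return [i for i, m in enumerate(messages) if score_sms(m)[0] >= threshold]

# Constructed sample messages (not taken from the campaign).
SAMPLES = [
    "Final notice: your unpaid toll of $6.99 must be paid within 24 hours to avoid "
    "additional fees and licence suspension. Pay now: https://bit.ly/constructed",
    "Parking penalty outstanding. Reply Y to receive your payment link, "
    "then pay in 48 hours or face legal action.",
    "Your parcel will arrive tomorrow between 9 and 11. Track: https://tracking.example/abc",
    "Your toll account statement for March is ready in the app.",
]

if __name__ == "__main__":
    for i in triage(SAMPLES):
        print(i, score_sms(SAMPLES[i]))
```

Because the campaign rotates domains constantly, the score deliberately relies on message wording and link shape rather than on any blocklist of hosts.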