Phishers are increasingly impersonating electronic toll collection companies
Steam was the brand most imitated by phishers in the first quarter of 2025, followed by Microsoft and Facebook/Meta, Guardio researchers have revealed.
“Historically, the #1 spot has been dominated by the usual suspects – big tech companies like Meta, Microsoft, or even USPS. But this quarter, it’s Steam, and by a significant margin. Scammers have been targeting the massive gaming community by impersonating Steam to warn users about supposed account issues, like payment failures or suspicious login attempts. These fake messages are designed to trick victims into entering their login credentials on counterfeit websites, which then steal their account information,” the researchers noted.
“If you get an unexpected email or text about your Steam account or a supposed gift card reward, always double-check the URL and resist clicking on any links until you’re absolutely sure it’s legitimate.”
Electronic toll collection-related phishing surges
The top 10 most imitated brands in Q1 2025 were, according to the company:
1. Steam (digital game distribution service by Valve)
2. Microsoft
3. Facebook/Meta
4. Roblox (online game platform and game creation system)
5. SunPass (electronic toll collection company)
6. E-ZPass (electronic toll collection company)
7. USPS (US Postal Service)
8. EZDrive Massachusetts (electronic toll collection company)
9. Netflix (streaming service)
10. WeTransfer (file transfer service)
The most notable finding is that three separate US electronic toll collection companies (SunPass, E-ZPass and EZDrive Massachusetts) made the list.
“Scammers have been sending out text messages claiming you have an unpaid toll fee, directing victims to fake websites designed to steal sensitive information. Guardio detected a staggering 604% increase in toll fee scam texts since the start of the year, with March seeing a 98% jump in scam activity from the previous week alone,” the researchers said.
This surge is most likely related to the popularity of phishing-as-a-service (PhaaS) platforms like Darcula and Lucid, which include phishing templates designed to impersonate postal services, courier companies, road toll systems, and tax refund agencies around the world and allow users to easily generate a phishing kit for any brand.
“The [Lucid] platform employs an automated attack delivery mechanism, deploying customizable phishing websites distributed primarily through SMS-based lures. To enhance effectiveness, Lucid leverages Apple iMessage and Android’s RCS technology, bypassing traditional SMS spam filters and significantly increasing delivery and success rates,” Prodaft researchers recently explained.
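The practical counterpart to the advice above (check where a link actually goes before tapping it) is a small triage routine over incoming texts. The following is an added example written for this page, not code from Guardio, Prodaft or any PhaaS analysis. The allowlist of official brand domains, the sample messages and the cut-down public-suffix handling are assumptions made for the demonstration. It extracts links from a message, reduces each to its registrable domain, and flags any link whose domain is not on the allowlist for a brand the message names, separating lookalike domains that embed the brand name from links to unrelated domains.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of official registrable domains per brand. This is an
# assumption made for the example, not data from the Guardio report.
OFFICIAL_DOMAINS = {
    "sunpass": {"sunpass.com"},
    "ezpass": {"e-zpassny.com", "ezpassnj.com", "e-zpassiag.com"},
    "ezdrive": {"ezdrivema.com"},
    "usps": {"usps.com"},
    "steam": {"steampowered.com", "steamcommunity.com"},
}

# Minimal stand-in for the Public Suffix List; a real deployment would use
# the full list (for example via the tldextract package).
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Matches http(s) URLs and bare domains such as "sunpass-toll.top/pay".
# Deliberately naive: it can also fire on "word.Word" runs missing a space.
URL_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.I)

# Constructed smishing-style lures for the demo, not texts from the report.
SAMPLE_MESSAGES = [
    "SunPass: you have an unpaid toll of $6.99. Pay at https://sunpass-toll.top/pay to avoid a $50 penalty.",
    "E-ZPass alert: outstanding balance. Settle now at http://e-zpassny.com.secure-pay.cc/bill",
    "Steam Support: a login from a new device was blocked. Verify at https://store.steampowered.com/login",
    "USPS: your package could not be delivered. Reschedule at delivery-confirm.info/usps",
    "Reminder: your dentist appointment is tomorrow at 9am.",
]


def normalize(text: str) -> str:
    """Lowercase and strip non-alphanumerics so 'E-ZPass' and 'ezpass' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def split_host(url: str) -> tuple[str, str]:
    """Return (full hostname, registrable domain) for a URL or bare domain."""
    if not re.match(r"https?://", url, re.I):
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return host, ".".join(labels[-keep:])


def mentioned_brands(text: str) -> set[str]:
    """Brands from the allowlist whose name appears anywhere in the message."""
    t = normalize(text)
    return {brand for brand in OFFICIAL_DOMAINS if brand in t}


def analyze_message(text: str) -> list[tuple[str, str, str]]:
    """Return (brand, host, reason) findings for every link that does not
    resolve to an official domain of a brand the message names."""
    findings = []
    brands = mentioned_brands(text)
    for match in URL_RE.finditer(text):
        host, registrable = split_host(match.group(0))
        for brand in sorted(brands):
            if registrable in OFFICIAL_DOMAINS[brand]:
                continue  # genuine link for this brand, nothing to flag
            if brand in normalize(host):
                reason = "brand name embedded in unofficial domain"
            else:
                reason = "brand named but link points to an unrelated domain"
            findings.append((brand, host, reason))
    return findings


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict = analyze_message(msg)
        print("SUSPECT" if verdict else "ok     ", msg[:60])
        for brand, host, reason in verdict:
            print(f"    {brand}: {host} ({reason})")
```

The second sample shows why the registrable domain, not the start of the hostname, is what matters: `e-zpassny.com.secure-pay.cc` begins with a genuine E-ZPass hostname but is registered under `secure-pay.cc`. Subdomains of an allowlisted domain (`store.steampowered.com`) pass because the comparison is made on the registrable part.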
Another notable trend is phishers impersonating well-known retail brands that announced store closures: Forever 21 (after filing for Chapter 11 bankruptcy in March 2025) and JOANN (in February 2025, after the company failed to find a buyer).
“Knowing shoppers are familiar with ‘going out of business’ sales, they created fake ads and websites to lure people into entering payment information for goods that will never arrive,” Guardio researchers noted.