A fake notice passed off as coming from Autostrade per l’Italia about an alleged «unpaid toll» is circulating again in force. The text of the message is as follows: «Autostrade per l’Italia: there is an unpaid toll. Amount €6.50. Pay securely by (…) », followed by the date and a link which, once clicked, collects sensitive information from the victim of this scam. The mechanism of this new scam is only apparently simple: a message invites you to click on a link to avoid sanctions, but behind this request lies a complex technical infrastructure, designed to imitate the official Autostrade per l’Italia website. Understanding how the Autostrade per l’Italia fake SMS scam works is the starting point for defending yourself against an online fraud that could potentially claim numerous victims.
How the Italian motorway toll scam works: SMS alert
To recognize the scam, one fact must be clear: Autostrade per l’Italia never requests urgent payments via SMS or e-mail. An unpaid toll can be settled within 15 days without additional costs, and any authentic reminders always have a clear expiry date. If a message leverages psychological pressure, it certainly does not come from Autostrade per l’Italia. Another sign that should alert you concerns the request for personal data: passwords, card numbers, bank details, etc. are never requested via SMS, email or WhatsApp by serious companies, and Autostrade per l’Italia is no exception.
From a technical point of view, a key indicator is the URL, i.e. the address of the web page included in the communication received via SMS. If the URL begins with “http://” and not “https://” (that is, it lacks the “s”), you are certainly dealing with a dangerous address. Even if the “https://” protocol is present, however, you should still be careful: in some cases, scammers are able to use HTTPS as well to make their communications more convincing (as can be seen from the following screenshot).
To dispel any doubt, also check the domain name. The most recent campaigns use typosquatting, a technique that consists of registering domains that are very similar to real ones, with small variations in letters (for example “autostiade.com” and “autostedu.com” instead of “autostrade.it”).
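The domain check described above can be automated. The following is an added example, not part of the original article: it compares the host of a link received by SMS with autostrade.it and flags look-alike labels by edit distance. The function names, the finding labels and the distance threshold of 3 are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "autostrade.it"        # legitimate domain as named in the article
BRAND = OFFICIAL_DOMAIN.split(".")[0]    # "autostrade"
MAX_DISTANCE = 3  # assumption: chosen so both look-alikes quoted in the article match


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_sms_url(url):
    """Return a list of findings; an empty list means the host is on the
    official domain and the link is not plain http."""
    raw = url.strip()
    # Links in SMS are often written without a scheme; "//" makes urlsplit
    # treat the first component as the host.
    parts = urlsplit(raw if "://" in raw else "//" + raw)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ["no-host"]
    findings = []
    if parts.scheme == "http":
        findings.append("plain-http")
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return findings
    # Host is outside the official domain: look for a label imitating the brand.
    # Hyphenated labels are split so each part is examined on its own.
    tokens = [t for label in host.split(".") for t in label.split("-") if t]
    close = [t for t in tokens if edit_distance(t, BRAND) <= MAX_DISTANCE]
    findings.append("lookalike:" + close[0] if close else "foreign-domain")
    return findings
```

A distance of 0 outside the official domain is also reported as a look-alike, which covers hosts that place the real name in front of an unrelated domain.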
CERT-AGID, the Computer Emergency Response Team of the Italian Public Administration, has also stressed the importance of paying attention: according to it, the campaign in question mainly uses smishing, i.e. phishing via SMS. The malicious link included in the fake SMS attributed to Autostrade leads to a site that graphically copies the authentic one and asks for data such as license plate, telephone number and payment card. The most advanced part is that the behavior of the site changes based on the device: from a computer it can redirect to the real site, while from a smartphone it shows the fraudulent page. This serves to fool both the user and some automatic security scanners.
What also makes the scam attempt serious is so-called phishing-as-a-service: “ready-to-use” packages sold on the Dark Web, which allow even inexperienced criminals to launch complex scams. These kits can intercept not only card data, but also OTPs (One Time Passwords), i.e. the temporary codes used by banks and payment institutions, and 3D Secure codes, i.e. the security protocols used to authenticate transactions and make them more secure. The malicious server recognizes the card circuit (VISA, Mastercard, American Express, etc.) and shows a false page of the corresponding bank, imitating the interfaces of Italian institutions.
How to protect yourself from the Autostrade fake SMS scam
In light of what has been said, therefore, the only weapon we have available to defend ourselves from the Autostrade fake SMS scam is to learn to distinguish real communications from false ones. Once you have understood the fraudulent origin of a communication, you must then carry out these three important actions.
- Do not click on any links.
- Do not provide any personal data.
- Report the incident to Autostrade per l’Italia (using the email [email protected]) and to CERT-AGID (via the email address [email protected]).









