Too Good to Be True: Fraudulent SMS Text Message Regarding Tax Refund Circulates
A new wave of SMS text phishing messages (SMiShing) is being sent to NJ residents and those in other states nationwide. Like previous SMiShing campaigns referencing motor vehicle violations and toll fees, these text messages impersonate the New Jersey Department of the Treasury’s Division of Taxation and claim that a refund request was processed and approved. The user is requested to provide payment information so funds can be deposited, and failure to provide the payment information will result in forfeiture of the funds. The URL provided in the message likely leads to a webpage using stolen branding from the Division of Taxation and requesting financial account details.
These messages employ tactics similar to previous campaigns, where the user is instructed to “Reply ‘Y’” before clicking the link, a step intended to bypass security features. On iPhones, for instance, messages from unknown senders have clickable links disabled by default. Therefore, the threat actors activate the hyperlink by convincing the user to reply “Y” and reopen the message. This ploy and sending messages via iMessage or RCS (internet-based messaging) help the threat actors evade carrier SMS spam filters. The text sender IDs are often foreign phone numbers (e.g., Philippines, Canada, United Kingdom, etc.) or seemingly random email addresses, indicating that the text message is likely fraudulent.
Recommendations
- Identify red flags, such as unexpected requests for personal information, suspicious links, or urgent requests to take action.
- Forward the scam text message to your carrier’s spam reporting service (often 7726).
- Report these types of scams to the NJCCIC, IC3, and FTC.
- Block the number: Block the sender’s number to prevent further unwanted messages.
If you are unsure about the authenticity of a text message, contact the organization or individual mentioned in the message directly using their official phone number to verify the information and request. Be cautious of spoofed numbers, as scammers can disguise their phone numbers to appear as a trusted source.
Share information about SMS scams to help others stay safe.
Review the SMiShing at Scale: A Deep Dive into Toll Violation Text Scams NJCCIC post for further information on these types of schemes.
Look Both Ways Before Responding
The NJCCIC observed a phishing campaign imitating the US National Highway Traffic Safety Administration. In this campaign, threat actors send a phishing email containing a PDF file that looks legitimate and appears to be benign. To add credibility to the email, the threat actors use nhtsagov[.]org as the email domain, an attempt to typosquat the true domain—nhtsa[.]gov.
This type of social engineering attack resembles a Telephone-Oriented Attack Delivery (TOAD) campaign, where the true goal is to have a potential target contact the threat actors. If contacted, threat actors can exert further pressure to persuade the target to install a file, grant remote access, or inadvertently share credentials or personally identifiable information (PII).
Recommendations
- Facilitate user awareness training to include these types of phishing-based techniques.
- Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.
- Confirm requests from senders via contact information obtained from verified and official sources.
- Keep systems up to date and apply patches after appropriate testing.
Review the Don’t Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks.
Report phishing and other malicious cyber activity to the NJCCIC and the FBI’s IC3.
Reported from the NJCCIC September 11, 2025 Weekly Bulletin
