Jun 2025: TxTag, You're It!

TxTag, You're It! Phish indicators

Threat Alert: TxTag, You're It! 

  • Credential phishing threats frequently use payment-themed lures to deliver malicious links that lead to theft of payment and banking information.
  • Lures often highlight the amount due in the message body to create a sense of urgency and convince the user to interact with a link or attachment to resolve the purported payment issue.
  • In recently observed activity, attackers abused TxTag, the electronic toll collection system for Texas, in payment-themed phishing activity. 

How is it used in the wild?

  • A campaign attempted to distribute messages purporting to come from TxTag’s customer service department, containing fraudulent notifications of account suspensions and unpaid tolls.
  • The messages included an embedded link in the body that appeared to lead to a TxTag site where users could pay their supposed overdue fees and prevent account suspension.
  • If clicked, the link actually led to a TxTag lookalike page that prompted users to enter credit card payment and personally identifiable information (PII).

Key Action: Stay Alert!

  • Don’t Take the Bait: Be wary of unexpected notifications of late fees or unpaid tolls. Assess email headers and URLs for context. For example, would Indiana be trying to enforce Texas tolls? Stay alert for the tactic of threatening negative actions unless a specified amount is paid.
  • Verify Requests: Log in to your account directly to independently verify any fees or unpaid tolls. Avoid selecting any links associated with unexpected emails.
  • Go beyond surface clues: These attacks often include branding from the GovDelivery platform, but this does not guarantee authenticity. Note that the popup here uses the .cfd TLD, which legitimate toll payments would not use.
  • Report ANY suspicious emails via Phish Alarm.
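
For mail administrators, the URL checks described above can be run over a message body automatically. The Python sketch below is an added example, not part of the original alert: it flags links on the .cfd TLD, links outside an allowlist when the message mentions TxTag, and link text that shows a different host than the real destination. The allowlist entry txtag.org, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Assumption: domains your organisation expects real toll notices to link to.
EXPECTED_DOMAINS = {"txtag.org"}
WATCHED_TLDS = {"cfd"}          # the TLD called out in the alert
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

class LinkCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    try:
        return (urlsplit(url).hostname or "").lower().removeprefix("www.")
    except ValueError:          # malformed href, e.g. a broken IPv6 literal
        return ""

def triage(html_body, brand="txtag"):
    """Return [(href, [reasons])] for links that deserve a closer look."""
    collector = LinkCollector()
    collector.feed(html_body)
    branded = brand in html_body.lower()
    findings = []
    for href, text in collector.links:
        host, reasons = host_of(href), []
        if host.rsplit(".", 1)[-1] in WATCHED_TLDS:
            reasons.append("watched TLD")
        if branded and host and not any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS):
            reasons.append("brand mentioned, host not on allowlist")
        if host and (m := DOMAIN_RE.search(text.lower())) and m.group().removeprefix("www.") != host:
            reasons.append("link text shows a different host")
        if reasons:
            findings.append((href, reasons))
    return findings

SAMPLE = (  # constructed sample body, not taken from the campaign
    'TxTag notice: <a href="https://pay-notice.example.cfd/tx">www.txtag.org/pay</a>'
    ' <a href="https://www.txtag.org/help">Help</a>')
```

Calling `triage(SAMPLE)` reports only the first link, with all three reasons; the second link resolves to the allowlisted domain and is left alone.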