That Toll Road Text You Just Got Is Almost Certainly a Scam
TL;DR - The text you got about an unpaid toll, a missed package, or a re-delivery fee is almost certainly a scam. Real Australian toll operators (Linkt, EastLink, Transurban) do not chase small amounts by SMS with a link to a payment page. Real Australia Post tracking messages do not ask you to pay a "redelivery fee" on a different-looking website. The scam is engineered to feel like a chore you can knock off in two minutes, and the payment page is designed to capture your card. What you need to do: never tap the link, never type your card details on a page you got to from an SMS link, and if you are unsure, open the official app or website yourself and check there.
By The Numbers
| What | Number |
|---|---|
| Australians reporting smishing to Scamwatch in the first quarter of 2026 | ~46,000 |
| Reported losses from text-message scams in Australia, Jan-Mar 2026 (ACCC) | $11.4 million |
| Share of Australian smishing in 2026 impersonating toll roads or parcels | ~60% |
| Domains registered impersonating "linkt" or "auspost" in May 2026 alone | 400+ |
| Time it takes the average Australian to notice a fake toll text is fake | ~10 seconds |
| Time it takes the same person to enter their card details if they tap first | ~90 seconds |
| Cost of the toll the scam is "chasing" (typically) | $3.50 - $9.20 |
The text
You are walking out of the supermarket with two shopping bags and your phone buzzes.
"E-Toll Notice: Your account has an unpaid balance of $4.85. Please settle now to avoid a $30 late fee. linkt-au.payments-portal[.]com/secure"
You glance at it, stop on the footpath, and your first thought is not "is this real?". Your first thought is "did I drive through a toll last week?". And before the answer finishes forming you have already tapped the link, because $4.85 is not worth thinking about and a $30 late fee absolutely is.
That window between buzz and tap is the entire scam. It does not need you to believe the message. It just needs you to act on it before you notice that the URL is not actually Linkt's, that the page logo is slightly off, that your Apple Pay does not pre-fill, and that the form is asking for your CVV and your full date of birth.
This kind of text - in security circles it is called smishing, the SMS version of phishing - has become the single most common scam Australians get in 2026. The ACCC's Scamwatch quarterly figures recorded around 46,000 smishing reports in the first three months of the year, with reported losses over $11 million in the same quarter, and those are only the people who bothered to report it. The actual number is several multiples higher.
Roughly six in ten of those messages, in our reading of recent samples, were either fake toll notices (Linkt, EastLink, Transurban, CityLink) or fake parcel notices (Australia Post, DHL, Toll, StarTrack). The other 40% split between fake banks, fake ATO refunds, fake Medicare, and fake Centrelink. Toll and parcel sit at the top because they hit a very specific psychological sweet spot, and I want to explain why before I show you the 10-second test.
Why toll and parcel scams work so well
Almost every other scam category requires you to believe something dramatic. The bank scam needs you to believe your account is about to be frozen. The ATO scam needs you to believe you owe thousands of dollars. The Medicare scam needs you to believe your card has been suspended. Those work, but the cognitive load is high - you have to take the message seriously enough to panic.
Toll and parcel scams work in the opposite direction. They are boring. They are about $4.85. They are about a parcel you cannot quite remember ordering but probably did. They live in the part of your brain that pays parking tickets and books haircuts. The threat is not "act or lose everything", the threat is "act or lose ten minutes Googling how to fix this later".
That is what makes them dangerous. You do not raise your guard for a chore. You raise it for a crisis. The scam slides in under the threshold of "is this real?" and is gone with your card before you noticed it was a question worth asking.
The other reason these work in Australia specifically is that we have lots of toll roads, run by a tangle of different operators, and the official messages from those operators are themselves not great. Linkt does send SMS reminders. EastLink does send SMS reminders. Transurban does send SMS reminders. The legitimate versions look almost exactly like the fake ones, because both are short, both reference a small unpaid balance, and both link to a payment page. The genuine ones go to the real domain. The scam ones go to a lookalike.
If your defence depends on "the real ones do not text", you will lose, because the real ones do. The defence has to be sharper than that.
The 10-second test
Here is the test. It works on every variant I have seen, and it takes about ten seconds.
1. Look at the domain in the link, not the message body.
Most modern phones preview the link beneath the message on long-press. On iPhone, touch and hold the link without releasing. On Android, the same. You will see the full URL.
The real Linkt is linkt.com.au. That is the entire domain. The real Australia Post is auspost.com.au. That is the entire domain.
Scam domains do one of three things:
- Subdomain trick:
linkt-au.payments-portal.comorauspost.update-delivery.net. The brand name is in the URL but is not the actual domain. The actual domain is the bit immediately before.com/.net/.au. In those examples it ispayments-portal.comandupdate-delivery.net. Neither is Linkt or Australia Post. - Lookalike:
linkt.com-au.support,auspost-tracking.com,linkt-pay.au. Notice the hyphens and the unusual TLDs (.support,.auinstead of.com.au). Brands almost never use those. - URL shorteners:
bit.ly/3xJ7p,t.co/Xz9k. A real toll operator chasing a $5 debt has no reason to hide the destination. A scammer has every reason.
If the domain is anything other than linkt.com.au, eastlink.com.au, transurban.com.au, auspost.com.au, or the official site for whatever brand the message claims to be from, it is a scam. Stop reading the message, screenshot it for evidence, and delete it.
2. Compare the sender to the real one.
Genuine business SMS in Australia is increasingly sent from a registered alphanumeric sender ID (the "from" field reads as Linkt or AUSPOST rather than a phone number). Scammers can spoof these too, but a surprising number do not bother. If the message is from a +61 mobile number, or from an overseas number, or from a sender ID you have never seen Linkt use before, that is a giant red flag.
If your phone has a thread of previous, legitimate texts from the same brand, compare the sender. Different sender, on a different thread - even with the same alphanumeric label - is almost always a scam.
3. Open the real app or website yourself.
This is the actual answer. If the message worries you and you cannot tell from the URL, do not tap the link. Open the Linkt app you already have, or type linkt.com.au into your browser, and look at your account. If there is a real unpaid balance, it will be there. If there is not, the SMS was a scam.
The same goes for Australia Post. The AusPost app has a tracking screen. If your parcel exists, it will be in there. If it is not in there, the SMS was a lie about a parcel you do not have.
This step alone defeats every smishing message ever sent. You did not initiate the contact. You went straight to the source. There is no link to be a fake.
What if I already clicked?
If you have already tapped the link and got as far as the payment page, but did not enter any card details, you are almost certainly fine. Modern iOS and Android are aggressive about sandboxing browser tabs. Just visiting a payment-fraud page does not get malware on your phone in any normal scenario. Close the tab, clear the browser history if it makes you feel better, and move on.
If you tapped the link and entered card details, that is different. Move quickly:
-
Call your bank's fraud line first, before anything else. Most major Australian banks have a 24/7 hotline. Tell them the card was just used on a phishing site and ask for it to be cancelled. Same-day they will mail a new one, or you can use your digital card immediately in your bank app.
-
Check your transaction history right now. If there are unfamiliar transactions in the last hour, flag them while you are on the phone with the bank. Most scam-card-capture rings will try a small "test" transaction within minutes ($1, $2, $4.85 - sometimes the exact amount of the supposed toll, as a cover story), then a much larger one if the small one works.
-
Watch for follow-up calls. Once they have your details, the same group or a sister group will sometimes call within 24-48 hours pretending to be your bank. The pitch is "we have detected unusual activity, can you confirm the SMS code we just sent you". The SMS code is real. They are using it to log into your real bank account. Never read out a code over the phone. Your bank will never ask.
-
Change passwords on any account that uses the same email and a weak password as the payment page. A good chunk of these scam pages also capture the email field. If that email and password combo is reused on your real shopping accounts, those will be tried next.
-
Report it. Scamwatch (Australia) takes the report in about three minutes. IDCARE is free and excellent if your identity has been compromised more broadly. Reporting matters because it feeds the pattern recognition that helps the next person not be caught.
The longer game
These scams are getting better, not worse. The text I quoted at the top of this post is a clean example of where the genre was two years ago. The 2026 versions are using AI to generate site copy that reads convincingly, to render forms that mimic the legitimate brand's exact spacing and typography, and to spin up new domains faster than registrars can take them down. The cottage industry has industrialised.
The defence has not had to change, though, and probably will not need to. The advantage is structurally yours, as long as you respect one rule: the sender of an SMS message does not get to choose what website you visit.
You do. You open the real app. You type the real address. You compare the URL on the message to the URL of the site you already trust. If they do not match, the message is a lie, no matter how convincing the copy is or how mundane the amount it claims you owe.
The harder version of the same rule, the one that protects you against scams that have not been invented yet, is simpler still: no inbound message I did not solicit should ever be the thing that gets me typing my card number into a browser. Whether the message is an SMS, an email, a DM on Facebook, or a phone call - if you did not initiate it, slow down. Open the official channel yourself. Verify on your terms, not theirs.
Ten seconds is all you need.
If you know someone who has had a scary "did I miss a toll?" or "did a parcel just go to the wrong address?" moment this month, forward them this post. The Tuesday-evening fitness-app text that asks for $4.85 catches even careful people - but only if they have not seen the trick. Once they have, they never click again.
Stay safe out there, Mat C
