How criminals turned one-time passcodes into all-the-time spending power

Criminals exploit one-time passcodes

A surge of phony texts demanding payment for “overdue” highway tolls, postal fees or city fines has matured into a billion-dollar criminal business over the past three years, according to Homeland Security Investigations. The operation, tied to crime groups in China, harvests card details from victims and rapidly spends the balances on electronics, gift cards, clothing and cosmetics, the Wall Street Journal reported.

How the scheme works

Victims receive urgent SMS notices that mimic E-ZPass, USPS or local finance departments and are funnelled to convincing look-alike payment pages. Investigators say the sites—often spun up with turnkey kits traded on Telegram—capture every keystroke, from card numbers to one-time passcodes. Those credentials aren’t used to settle any “fees.” Instead, they’re the final step to enrol the victim’s card into Apple or Google Wallets running on phones in Asia.

With the card now “trusted” to a device, multi-factor checks largely fall away. Fraud crews then create a remote bridge between that phone abroad and a mule’s phone in the U.S., enabling tap-to-pay purchases at American checkouts as if the cardholder were present.

The infrastructure behind the spam flood

At the front end are SIM farms—rooms of network boxes stuffed with hundreds of SIM cards—that can spew messages at industrial scale. U.S. gig workers, recruited on WeChat and guided by manuals and live tech support, set up the hardware in places ranging from shared offices to auto shops. One agent said a single farm can blast traffic equivalent to “1,000 phone numbers.”

Researchers have identified at least 200 SIM boxes operating across roughly 38 sites in cities including Houston, Los Angeles, Phoenix and Miami. Proofpoint, which filters mobile spam, logged a record 330,000 toll-scam reports in a single day last month; monthly volumes are running about 3.5× January 2024 levels.

Cashing out: cheap labour, fast spend

Once cards are loaded into wallets, mules recruited in Telegram channels fan out to stores. Some buy high-value goods like iPhones; many convert balances into gift cards that are later used to purchase merchandise and shipped to China. Pay is meagre—around 12 cents per $100 in gift cards bought—while organizers keep the spread.

A Kentucky case underscores the speed: a man pleaded guilty after buying 70 gift cards totalling $4,825 using 107 different card numbers via tap-to-pay at a Meijer store, concealing the cards under larger items at self-checkout.

Why it’s escalating

Three ingredients have turbocharged the fraud: low-cost SMS blasting via SIM farms, off-the-shelf phishing toolkits that make professional-grade spoof sites trivial to deploy, and the persistent power of mobile wallets—once a bank “trusts” a device, crooks can keep spending without re-authenticating.

What officials and firms are saying

HSI officials describe a tightly integrated black market linking overseas operators, domestic gig workers and cash-out crews. Private-sector analysts say the turnkey nature of both the spam infrastructure and the phishing kits has lowered the barrier to entry, while remote wallet enrolment has shortened the time from “click” to “cash.”

The consumer takeaway

Treat unexpected fee or fine texts as hostile by default. Don’t click links; navigate directly to official sites or apps. If you’ve entered card details, call the issuer immediately, request a new number, and ask the bank to review any digital wallet enrolments tied to your account. On phones, disable wallet additions without secondary approval and watch for new-device alerts. For businesses, tighten gift-card policies and monitor contactless purchases that show unusually high card-per-device patterns.