The RiverLink scam is a smishing operation that impersonates RiverLink, the public-private toll authority that collects tolls on the three Louisville-area Ohio River bridges connecting Kentucky and Indiana. Victims receive a text message claiming a small unpaid toll balance and a link to “pay now” — the link leads to a phishing site that harvests card details, names, and addresses.

The RiverLink scam is part of a much larger toll-smishing wave that has swept across every major US toll authority since 2024. The same Chinese-linked criminal infrastructure that runs the RiverLink scam also runs near-identical campaigns impersonating BayAreaFasTrak, the Illinois Tollway, the Ohio Turnpike, NYTollServices, NC Quick Pass, and the Maryland DriveEzMD system.

What makes the RiverLink scam particularly effective is the small claimed amount. The fake unpaid-toll figure is almost always under $10 — sometimes as little as $2.95 — designed to feel trivial enough that the victim pays without examining the URL or the sender carefully. By the time the victim’s card details are stolen, the few dollars have been forgotten and the real fraud is just beginning.

The RiverLink scam targets victims by phone number rather than by actual toll usage. Lists of US mobile numbers are bought in bulk on dark-web markets, then bombarded with the RiverLink scam SMS regardless of whether the recipient lives in Kentucky, Indiana, or anywhere near an Ohio River bridge. Many victims have never even visited the Louisville area.

Despite the regional branding, the scam follows the same playbook as every other smishing fraud: a believable sender, a small urgent amount, a look-alike domain, and a payment form that captures card data. The same approach is documented in our phishing scam pillar and the traffic violation text scam sibling guide that covers the broader category these toll scams sit within.

The RiverLink scam follows the same six-stage pattern used by every smishing campaign that has hit US toll authorities since 2024. Recognising the structure makes the individual warning signs easier to spot before any payment information is entered.

Step 1: The Phone Number Harvest

The RiverLink scam begins with bulk phone-number lists. The criminals buy or obtain millions of US mobile numbers from data brokers, leaked breach dumps, and dark-web marketplaces. The lists are not filtered by location — anyone with a US mobile number is a potential RiverLink scam target.

This is why people who have never crossed an Ohio River bridge — or even visited Kentucky — still receive the smishing text. The criminals do not know or care whether the recipient has any genuine reason to interact with RiverLink. The volume of texts sent means even a tiny conversion rate is profitable.

Step 2: The Smishing Text

The RiverLink scam text arrives looking convincingly official. A typical message reads: “RiverLink: You have an outstanding toll balance of $3.45. To avoid late fees, please pay immediately at riverlink-pay.com/balance/[random-string].” Sender names include “RiverLink,” “RiverLinks,” “RiverLink Toll Services,” “KY Toll Roads,” or numeric short codes.

The text deliberately mimics a real notification from a US toll agency — short, urgent, low-dollar, and link-driven. The RiverLink scam also uses iMessage delivery where possible to add the apparent legitimacy of a blue-bubble message rather than an SMS short code.

Step 3: The Look-Alike Domain

The link in the smishing text never points to the real riverlink.com. Instead it points to a look-alike domain — riverlink-pay.com, riverlink-toll.com, kytolls-riverlink.com, riverlink.live, or hundreds of similar variations. These domains are registered in bulk, rotated every few days as they get blocked, and hosted on infrastructure designed to evade takedown.

The look-alike domain in the scam is the single most reliable verification check. The genuine RiverLink uses exactly riverlink.com — anything else, including subdomains, hyphenated variations, or alternative TLDs, is fraudulent.

Step 4: The Phishing Form

When the victim clicks the link, the RiverLink scam landing page renders a near-perfect clone of the real RiverLink payment portal. The logo, fonts, colours, and layout are copied. The victim is prompted to enter a name, address, phone number, and full card details — including the CVV — to pay the small claimed amount.

The form processes the payment for the trivial sum, then thanks the victim and closes. To the victim, the RiverLink scam appears resolved. In reality, the card details have been captured and the larger fraud is just beginning.

Step 5: Card Monetisation

Once the criminals have card details from this fraud, monetisation begins. The card is typically used for high-value online purchases routed through reshipping mules, or sold in bulk on dark-web markets to other criminals. The small “toll payment” was a tiny test charge to verify the card was live.

Victims of the RiverLink scam often see fraudulent charges appear within hours or days. The amounts vary from a few hundred dollars to thousands. Card issuers usually reverse the charges under zero-liability policies — but only if the victim reports promptly.

Step 6: Identity Layer-On

Beyond the immediate card fraud, the RiverLink scam often harvests enough personal data to feed downstream identity theft. Name, address, phone, and card number provide a foundation that criminals combine with data from other breaches to attempt new-account fraud, mobile carrier port-outs, and synthetic identity theft. This is why the RiverLink scam overlaps with our identity theft scams guide.

The RiverLink scam is one of many regional smishing campaigns that share the same underlying infrastructure and playbook. The criminal networks rotate the impersonated brand based on the state list they are targeting — but the warning signs are identical. These are the five sister variants of the fraud.

The Louisville Commuter and the $4.95 Balance

A 47-year-old commuter who drives the Lincoln Bridge daily received a RiverLink scam text claiming a $4.95 unpaid balance. Because he genuinely had a RiverLink account and crossed the bridge that morning, the message seemed credible. He clicked the link, which led to a near-perfect RiverLink clone at riverlink-balance.com, and paid the $4.95 with his Visa.

Three days later, his card showed $2,847 in charges at electronics retailers in three different states. His bank reversed the fraudulent charges and issued a new card — but the criminals had also harvested his name, address, and phone number, which began appearing on phishing lists for unrelated frauds over the following months.

The lesson: legitimate use of a service does not validate every message claiming to be from it. RiverLink does not send SMS payment requests under any circumstances. Verifying the balance directly at riverlink.com would have exposed the RiverLink scam in under thirty seconds.

The Iowa Resident Who Has Never Visited Kentucky

A retired teacher in Des Moines, Iowa received three different RiverLink scam texts over two weeks. She has never driven through Kentucky and has no idea what RiverLink is. The first two texts she ignored; the third looked official enough that she searched the sender phone number, found warnings about the RiverLink scam, and reported the texts to the FTC.

She had not been a victim — but her phone number was clearly on a circulated criminal list. Over the same period she received variants impersonating BayAreaFasTrak, the Ohio Turnpike, and a fake “Pennsylvania Toll Bureau” that does not exist. All from the same campaign infrastructure, rotated across the toll brands.

The lesson: this scam targets phone numbers, not actual drivers. Receiving the text proves nothing about your real toll history. If you have never used RiverLink, the texts are fraud; if you have used RiverLink, the texts are still fraud because RiverLink does not contact customers this way.

The Family of Identity Theft Victims

A family of four in Indiana clicked through a RiverLink scam text on a shared family iPad. The wife entered the requested card details and a driving licence number to “verify the account holder.” Within a week, two new credit cards were opened in her name and her husband’s name. The fraudsters then attempted a SIM swap on her mobile number using the harvested data.

Over four months the family recovered most of the financial losses through dispute and chargeback processes — but spent dozens of hours filing reports, placing fraud alerts, freezing credit at all three bureaus, and resetting accounts. Their credit files showed unauthorised inquiries that took eighteen months to clear.

The lesson: the scam is not just about the small card payment — it is the entry point to a broader identity-theft attack that exploits any extra data the victim provides. Driving licence number and SSN have no role in paying a toll. Their request in a payment form is the second-layer warning that this is not just a card-skimming operation.

US consumer protection bodies and the toll authorities themselves have all issued public warnings about the RiverLink scam and the broader toll-smishing wave it belongs to.

The FBI’s Internet Crime Complaint Center (IC3) issued a public service announcement specifically about US toll-smishing in 2024 and has updated it since. The IC3 confirms that the RiverLink scam and its sister variants are part of a coordinated criminal infrastructure that has expanded to nearly every US state with major tolled roads. Report at ic3.gov.

The Federal Trade Commission has published consumer alerts about toll-text scams including the RiverLink scam. The FTC stresses three core rules: real toll agencies do not text you about unpaid tolls, look-alike domains are the giveaway, and reporting at reportfraud.ftc.gov directly helps the takedown effort against the criminals running these campaigns.

RiverLink itself has issued multiple public warnings on its official site at riverlink.com and via local press releases. RiverLink confirms it never sends payment-due SMS messages and operates only the one domain. Any RiverLink-branded text demanding payment is the RiverLink scam by definition.

The Kentucky Transportation Cabinet and the Indiana Department of Transportation have both warned their state residents about the RiverLink scam through public-safety bulletins. These advisories note the criminal pattern is identical to the parking-fine and traffic-violation smishing operations the same networks run in the UK and Europe.

Mobile carriers including AT&T, T-Mobile, and Verizon have all set up the 7726 (SPAM) short code as a free reporting route. Forwarding the smishing text to 7726 helps carriers block the sender at the network level — an effective community-level mitigation against the campaign.

Treat Every Toll-SMS as Fraud by Default

The single most effective protection against the scam is to treat any text claiming to be from a toll authority as fraud, regardless of how authentic it looks. RiverLink, BayAreaFasTrak, Illinois Tollway, the Ohio Turnpike, and every other US toll system have publicly confirmed they do not send payment-due SMS messages. The arrival of the text is itself the proof of the fraud.

This single rule defeats the overwhelming majority of toll-text fraud at first contact. The criminals depend on the small fraction of recipients who do not know the rule. Once you know it, the RiverLink scam cannot reach you regardless of how convincing the message appears.

Verify Balances Only via Official Channels

If you genuinely use RiverLink and want to confirm your toll balance, type riverlink.com directly into your browser. Do not click any link in any text. Do not search for “riverlink login” and click the first result — sponsored search ads for the fraud look-alikes have been documented. Type the URL directly.

You can also call RiverLink customer service at 855-RIV-LINK (855-748-5465) — the number printed on official RiverLink mail and on the genuine riverlink.com site. If the text wants you to call a different number, that number is part of the criminal infrastructure.

Forward Suspicious Texts to 7726

Every major US mobile carrier supports the 7726 (SPAM) reporting short code. Forward the smishing text to 7726 and the carrier’s spam-filtering system processes it — helping block similar messages to other customers and contributing data to the takedown effort.

Forwarding is free, takes seconds, and works regardless of carrier. After forwarding, delete the smishing text from your inbox so you do not accidentally tap the link later.

Block the Sender and Report on iMessage

On iPhone, long-press the RiverLink scam message and choose “Report Junk” — Apple’s built-in tool that reports the sender to Apple for blocking. On Android, use the “Report spam” option in your messaging app. Both options take a few seconds and help shrink the senders’ reach.

Block the sender number afterwards so future RiverLink scam variants from the same source do not reach your inbox. The criminals will rotate to new numbers, but blocking each one slows them down.

Never Enter Card Details After Clicking an SMS Link

If you accidentally clicked a RiverLink scam link, close the tab immediately. Do not enter any details — name, email, card number, anything. Closing the tab before entering data means no information was captured beyond the click event itself, which by itself is not enough for the criminals to use against you.

If you did enter data, contact your card issuer through the number on the back of the card and request a fraud freeze. Then change passwords on any account that uses the same email address you entered.

Educate Family Members — Especially Elderly Drivers

The RiverLink scam disproportionately targets older drivers who are less likely to scrutinise URLs or recognise smishing patterns. Show this guide to elderly relatives who drive. Explain that no US toll authority — RiverLink, FasTrak, Illinois Tollway, anyone — sends payment-due texts under any circumstances.

One conversation prevents the RiverLink scam from reaching the most-targeted demographic. Most prevention happens at this conversation, not at the bank’s fraud department after the fact.

Watch Card Activity for Weeks After Any Click

Even if you only clicked the RiverLink scam link without entering anything, the criminals now know your phone number actively engages with their messages. You will likely receive more smishing attempts. Watch card and bank activity for at least 30 days after any click, and consider enabling transaction alerts on every account so unauthorised charges surface immediately.

If you have already entered card details or personal information through a RiverLink scam link, act quickly. The steps below give you the best chance of limiting the damage and preventing the downstream identity-theft attacks that often follow.