How To Protect Your Organization Against TOADs (Telephone Oriented Attack Deliveries) 

Publication date: Jan 03, 2025

Last Published: Jan 03, 2025


For years, we and other cybersecurity professionals have been warning about the dangers of phishing and malware, and many organizations have indeed strengthened their digital defenses. Unfortunately, cybercriminals have adapted, and one of their newer tactics is the TOAD (Telephone Oriented Attack Delivery). 

What Are TOADs and How Do They Operate? 

Traditional phishing attacks have relied heavily on malicious links and attachments. However, years of security awareness training and increasingly sophisticated email filtering have made these attacks less effective. Users have learned to hover over links before clicking and treat unexpected attachments with suspicion. 

That’s why cybercriminals have developed a more insidious approach. Rather than including suspicious links or attachments that might trigger security tools or user suspicion, they’ve turned to a method that exploits a common business practice: the customer service phone call.  

To help you better understand what TOADs are, let’s take a look at how a typical TOAD attack unfolds: 

  • First contact via legitimate-looking email: The attack begins with an email that appears to come from a trusted source. Common scenarios include subscription renewal notices from well-known software companies, payment confirmations from financial platforms like PayPal, or urgent account security notifications from cloud services. These emails often pass standard authentication checks because attackers frequently embed the message content in images or obfuscate the text with invisible characters, which fools security tools while the message remains readable to humans. 
  • Baiting with a phone number: Instead of including suspicious links, the emails provide a phone number for “customer support,” “billing department,” or some other relevant point of contact. This approach immediately bypasses many technical security controls, as phone numbers don’t trigger the same red flags as malicious URLs. More importantly, email users don’t have the same ingrained suspicion toward phone numbers as they do toward links. 
  • The voice manipulation phase: When victims call the provided number, they encounter skilled social engineers posing as customer service representatives. The attackers then use scripts and psychological manipulation techniques to build trust and create pressure. They often have access to some personal information about the target to help them make their story more convincing. During the call, they might ask for additional information or, more dangerously, guide victims through steps that compromise their security. 

The consequences of TOAD attacks can be severe and far-reaching. The attackers might convince victims to install software that contains malware, collect sensitive information for future attacks or identity theft, or manipulate victims into making fraudulent financial transactions. 

Recent Examples of TOAD Attacks 

The scale of TOAD attacks has grown dramatically in recent years. According to Proofpoint’s 2024 State of the Phish report, cybercriminals now launch approximately 10 million TOAD attacks every month, with 67% of businesses globally having been affected in 2023 alone. 

One prominent example of a TOAD campaign is the so-called BazarCall campaign. It began with text-based emails, but the attackers soon realized that a more sophisticated approach was needed. In its later form, victims are instructed over the phone to visit a website that directly downloads a malicious document containing macros, and the attackers then guide the victim through the installation process. Once a machine is infected, the attackers use it to steal data, gather information about the internal network, and install additional malware. 

The financial services sector has been hit particularly hard. SmarterMSP reported a case from Toronto where a financial services employee received what appeared to be a legitimate password reset notification from Apple. When they called the provided number, the attacker walked them through a fake reset process that actually gave the criminals access to their email account. The attackers then used this compromised account to send convincing internal emails that resulted in a fraudulent $5,000 payment being authorized by colleagues. 

Perhaps most concerning is the emergence of specialized criminal services that make TOAD attacks accessible to less sophisticated attackers. Intel471’s research revealed a service known as QuattrO (also called CallMix), which offers multilingual “operators” who can conduct fraudulent calls in English, French, German, Italian, and Spanish. These services handle everything from initial research about target companies to the actual social engineering calls, effectively creating a “TOAD-as-a-service” model that lowers the barrier to entry for cybercriminals. 

Actions to Protect Your Organization Against TOADs 

While TOAD attacks present a sophisticated and growing threat, the good news is that organizations are not without defenses. With the right combination of awareness, technology, and procedural safeguards, you can significantly reduce the risk these attacks pose to your organization.  

Teach Your Employees About TOADs  

The first line of defense against TOADs is an informed workforce. Conduct regular training sessions to inform your employees about the threat and equip them with the skills to identify it and react appropriately. Emphasize how attackers use urgency, authority, or familiarity to manipulate victims. 

Because TOAD attacks rely heavily on voice interaction, employees need practical experience in handling suspicious calls, so consider implementing simulated TOAD attacks as part of your training program to turn abstract security concepts into practical skills. 

Implement Call Verification Procedures 

Train your staff to never proceed with confidential discussions or follow instructions from unknown callers without first verifying their identity. In this regard, the most important practice is to always look up official contact numbers from trusted sources—not using the numbers provided in emails or by callers—and call back through these verified channels.  

You should also implement a call logging system that records basic information about incoming calls. The logs can then help identify patterns of attempted attacks and provide valuable information for improving your security protocols.  

Strengthen Your Technical Controls  

While TOAD attacks primarily exploit human psychology, well-implemented technical controls can make it much more difficult for attackers to achieve their nefarious goals. One simple step is to enhance your spam filtering capabilities. While TOAD attacks often bypass traditional security measures that look for malicious URLs, better spam filters are not so easily fooled. 
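The email traits described earlier (a phone number offered as the only call to action, urgency wording, invisible characters used to break up keywords, and image-only bodies) can be turned into a content-based filter rule. The following scorer is an added example written for this article, not a product or vendor filter; the sample email body, the keyword lists and the phone-number pattern are constructed for illustration and would need tuning for a real mail stream.

```python
import re
import unicodedata

# Words a TOAD lure typically pairs with a call-back number (constructed list).
URGENCY_WORDS = ("renew", "charged", "invoice", "suspended", "unauthorized", "cancel")
CONTACT_WORDS = ("call", "contact", "support", "billing", "helpline")
# Loose North American phone-number pattern, e.g. (800) 555-0147 or 800.555.0147.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def score_email(body, has_link, image_attachments):
    """Return a dict with a risk score and the reasons behind it.

    Unicode category 'Cf' (format characters) covers the zero-width spaces,
    joiners and soft hyphens that attackers insert to split keywords such as
    'ch<ZWSP>arged' so a naive keyword filter misses them.
    """
    invisible = sum(1 for ch in body if unicodedata.category(ch) == "Cf")
    # Strip the invisible characters before matching, just as a human reader sees it.
    clean = "".join(ch for ch in body if unicodedata.category(ch) != "Cf").lower()
    phones = PHONE_RE.findall(clean)
    reasons = []
    if invisible:
        reasons.append(f"{invisible} invisible format character(s): possible keyword obfuscation")
    if phones and not has_link:
        reasons.append("phone number is the only call to action (no link to scan)")
    if phones and any(w in clean for w in CONTACT_WORDS):
        reasons.append("phone number framed as a support/billing contact")
    if phones and any(w in clean for w in URGENCY_WORDS):
        reasons.append("urgency wording combined with a call-back number")
    if image_attachments and len(clean.split()) < 20:
        reasons.append("almost no text but image attachment(s): content may be hidden in the image")
    return {"score": len(reasons), "phones": phones, "reasons": reasons}


# Constructed TOAD-style lure with two zero-width spaces splitting keywords.
SAMPLE_LURE = (
    "Your software subscription has been re\u200bnewed and your card will be "
    "ch\u200barged $349.99. To cancel, call our billing support at (800) 555-0147 "
    "within 24 hours."
)
# Constructed benign message for comparison.
SAMPLE_BENIGN = "Hi team, attached are the meeting notes from Tuesday. Let me know if you have questions."

if __name__ == "__main__":
    for name, body in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        result = score_email(body, has_link=False, image_attachments=0)
        print(name, result["score"], *result["reasons"], sep="\n  ")
```

A score of two or more is a reasonable quarantine threshold for the constructed samples; in production the rule belongs alongside, not instead of, the URL and attachment checks the filter already performs.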

In addition, continuous monitoring and threat detection tools are essential to catch attackers in the act. If a TOAD attack is successful in getting an employee to download malicious software, then these tools can quickly detect and respond to the threat. Similarly, you should improve your multi-factor authentication (MFA) to prevent attackers from accessing sensitive data or systems even if they manage to obtain login information from an employee.  

Conclusion  

TOAD attacks are dangerous because they cleverly exploit our inherent trust in phone communication. However, with the right strategies in place—from employee education to fortified technical controls—you can keep TOADs at bay.  

If navigating the complex world of cybersecurity, especially the emerging threats like TOADs, feels overwhelming, then we at OSIbeyond are here to help. We can help you assess your current security posture and implement the necessary safeguards so that you can focus on growing your organization knowing you’re protected. Schedule a free consultation today.  
