TOAD Attacks Remain Prevalent Threat

Scams

June 20, 2024

The NJCCIC continues to observe attempted Telephone-Oriented Attack Delivery (TOAD) phishing email attacks, similar to open-source reporting. Prior to the attack, cybercriminals perform reconnaissance on victims, gathering information from various sources, such as past data breaches, social media profiles, and data purchased on the dark web. TOAD emails employ callback phishing in which cybercriminals use legitimate phone numbers to impersonate customer service or assistance representatives.

The emails typically contain a deceptive invoice or receipt for a large payment, which raises the victim’s alarm and prompts them to call the phone number provided in the email. This tactic relies on enticing victims to initiate the interaction and tricking them into divulging sensitive information or making fraudulent transactions. This type of attack may result in ransomware, substantial financial losses, and reputational damages.

Common TOAD attack examples:

  • Initial contact: The victim receives an email from what appears to be a reputable company, like Amazon or PayPal.
  • Fake invoice: The email contains a fake invoice for a large purchase, prompting the recipient to call a customer service number.
  • Deception: A scammer, posing as a customer service agent, convinces the victim to download malware disguised as a support tool, granting the scammer access to the victim’s computer and personal information.

According to Proofpoint’s 2024 State of the Phish report, analysts observed that TOAD attacks remain prevalent. In 2023, an average of 10 million TOAD messages were sent monthly, with over 13 million TOAD attacks at their peak in August. According to Experian, the reported monetary loss for impacted businesses in the US averaged $43,000 per incident, with some losses exceeding $1 million.

Recommendations

  • Participate in security awareness training that includes vishing simulations to help employees recognize and respond to TOAD attacks.
  • Avoid clicking links, responding to, or otherwise acting on unsolicited text messages or emails.
  • Use strong, unique passwords and enable multi-factor authentication (MFA), choosing authentication apps or hardware tokens over SMS text-based codes.
  • Keep systems up to date and apply patches after appropriate testing.
  • Reduce your digital footprint to decrease the likelihood of becoming a target for cybercriminals.
  • Implement email filtering solutions, such as spam filters, to help block messages.
  • The New Jersey Email Authorization & Authentication Set Up and the Sender Policy Framework – SPF Guide NJCCIC products provide information on establishing DMARC authentication.
  • Utilize a combination of ML algorithms and advanced threat detection as a preemptive email security solution to identify and stop these threats.
  • Employ technology solutions, such as bot and spoofing detection and voice biometric authentication technologies, to help verify callers’ identities and block fraudulent numbers. Further details can be found in the Proofpoint blog post.

For any further questions, contact us here at Cyber Command.