How TOAD Scams Manipulate and Cheat Customers

Published: June 6, 2024 by Alex Lvoff

Imagine receiving a phone call informing you that your antivirus software license is about to expire. You decide to renew it over the phone, and before you know it, you have been “TOAD-ed”!

What is a TOAD attack?

Telephone-Oriented Attack Deliveries (TOADs) are an increasingly common threat to businesses worldwide. According to Proofpoint’s 2024 State of the Phish Report, 10 million TOAD attacks are made every month, and 67% of businesses globally were affected by a TOAD attack in 2023. In the UK alone, businesses have lost over £500 million to these scams, while in the United States the reported monetary loss averaged $43,000 per incident, with some losses exceeding $1 million.

TOADs involve cybercriminals using real phone numbers to impersonate legitimate callers, tricking victims into divulging sensitive information or making fraudulent transactions. This type of attack can result in substantial financial losses and reputational damage for businesses.

How TOAD attacks happen

TOAD attacks often involve callback phishing, where victims are tricked into calling fake call centers. Before they strike, scammers will gather a victim’s credentials from various sources, such as past data breaches, social media profiles, and information bought on the dark web. They will then contact the individual through applications like WhatsApp or call their phone directly. Here is a common TOAD attack example:

  1. Initial contact:The victim receives an email from what appears to be a reputable company, like Amazon or PayPal.
  2. Fake invoice:The email contains a fake invoice for a large purchase, prompting the recipient to call a customer service number.
  3. Deception:A scammer, posing as a customer service agent, convinces the victim to download malware disguised as a support tool, granting the scammer access to the victim’s computer and personal information.

These techniques keep improving. One of the cleverer tricks of TOADs is to spoof a number or email so they contact you as someone you know.Vishing is a type of phishing that uses phone calls, fake numbers, voice changers, texts, and social engineering to obtain sensitive information from users. It mainly relies on voice to fool users. (Smishing is another type of phishing that uses texts to fool users, and it can be combined with phone calls depending on how the attacker works.)

According to Rogers Communication website, an employee in Toronto, Canada got an email asking them to call Apple to change a password. They followed the instructions, and a “specialist” helped them do it. After receiving their password, the cyber criminals used the employee’s account to send emails and deceive colleagues into approving a fake payment of $5,000.

Artificial intelligence (AI) is also making it easier for TOAD phishing attacks to happen. A few months ago, a Hong Kong executive was fooled into sending HK$200m of his company’s funds to cyber criminals who impersonated senior officials in a deepfake video meeting.

Effective countermeasures

To combat TOAD attacks, businesses must implement robust solutions.

  • Employee training and awareness: Regular training sessions and vishing simulations help employees recognize and respond to TOAD attacks.
  • Authentication and verification protocols: Implementing multi-factor authentication (MFA) and call-back verification procedures enhances security for sensitive transactions.
  • Technology solutionsBots and spoofing detection and voice biometric authentication technologies help verify the identity of callers and block fraudulent numbers.
  • Monitoring and analytics: Advanced fraud detection and behavioral analytics identify anomalies and unusual activities indicative of TOAD attacks.
  • Secure communication channels: Ensure consumers have access to verified customer service numbers and promote secure messaging apps.

A strong strategy should also involve using advanced email security solutions with AI fraud detection and machine learning (ML) to effectively defend against TOAD threats. These can help identify and stop phishing emails. Regular security audits and updates are necessary to find and fix vulnerabilities, and an incident response plan should be prepared to deal with and reduce any breaches.

By integrating technology, processes, and people into their strategy, organizations can develop a strong defense against TOAD attacks.

Keeping TOADS at bay with Experian®

By working and exchanging information with other businesses and industry groups, you can gain useful knowledge about new or emerging threats and defense strategies. Governments and organizations like the Federal Communications Commission (FCC) have a shared duty to defend the private sector and public consumers from TOAD attacks, while many of the current rules and laws seem to lag behind what criminals are doing.

By combining the best data with our automated ID verification processes, Experian® helps you protect your business and reputation. Our best-in-class solutions employ device recognition, behavioral biometrics, machine learning, and global fraud databases to spot and block suspicious activity before it becomes a problem.

*This article includes content created by an AI language model and is intended to provide general information.