Attack of the Toads
Most people have heard of phishing and have, at some point, been targeted by a phishing attempt.
But would you know what to do if a TOAD attacks?
In this article, we’ll explain this new threat, the types of scams that operate, and how to protect yourself.
Although the phrase “TOAD attack” may sound bizarre, it’s an easy-to-remember descriptor for a dangerous new threat plaguing businesses and individuals.
TOAD stands for Telephone-Oriented Attack Delivery.
It’s a multi-layered attack that combines elements of fraudulent contact, such as text or instant message (smishing), voice call (vishing), QR Codes (QRishing), or email (phishing).
It includes social engineering techniques designed to trick users into compromising technology or disclosing company, personal, or financial data for the purpose of financial gain or malicious activity.
The rise of the TOAD
Before attacking, scammers will collect a victim’s credentials and contact details from various sources.
They will use previous data breaches, social media profiles and information purchased on the dark web.
The victim then receives a message impersonating a reputable company or trusted authority with a fictional request, which invokes a sense of urgency.
The scammer uses the information they’ve gathered to ‘prove’ they are who they claim to be.
After establishing trust, the perpetrator will likely call the victim to discuss resolving the invented ‘situation’, or they may send a supplementary text or email.
Either way, the goal is to encourage the victim to click on a malicious link.
The link is designed to download and install malware onto the victim’s device, enabling the scammer to bypass traditional cyber defences (e.g., 2-factor authentication), or to trick the victim into completing actions that compromise their data and money.
Know your TOAD
According to the Proofpoint 2024 State of the Phish Report, 10 million TOAD attack messages are sent monthly, and 67% of businesses globally are affected by this type of attack.
To help you spot and stop one, here are three common examples showing how the attacks can work:
Invoice: Subscription Scam
Detail: You will receive an email stating that your account has been debited for auto-renewal of your subscription. The email also says you must contact the company to cancel the subscription.
Result: You are directed to a fake support site to download a file to ‘scan your system’ when the site is actually trawling your computer, collecting personal information and passwords.
Shopping: Purchase Scam
Detail: You receive an email letting you know about a purchase you have supposedly made and asking you to contact the company immediately if you did not place the order in question.
Result: You confirm your account and personal details and are then directed to download remote access software, which gives the scammer access to your computer.
Financial: Bank Scam
Detail: You are contacted via text message and informed that a bank account has been opened in your name. You are then requested to call the financial institution to confirm.
Result: You call the scammer (or the scammer spoofs the actual bank’s phone number and calls you) and are instructed to transfer money, which is redirected to the fraudster’s account.
Three simple steps to protect you and your firm from TOAD attacks
- Be cautious: Due to their multi-channel approach and targeting of specific individuals, we must all be on high alert for TOAD attacks. Check any emails/messages/calls you receive carefully for signs of phishing.
- Question everything: Before you act, ask yourself a few simple questions about the email/message/call:
  a. Were you expecting it?
  b. Do you know the person contacting you? Be aware that contact details like senders’ names, phone numbers and email addresses can be faked.
  c. What are you being asked to do? Is there a sense of urgency or an ‘act-now’ call to action?
- Investigate: Check and verify any requests before you take action. Be cautious about calling phone numbers provided; always go to a reputable site and use the direct phone number listed or look the phone number up independently.
How we protect you
At Spectrum, we understand the importance of keeping our clients’ information safe and secure. We use proven, industry-recognised security tools and processes to protect against fraud and security breaches.
We regularly upgrade this protection in response to advances in security threats.
You should always report any online fraud scams to Action Fraud.
If you have any questions or need help, contact us today.