
TOAD Attacks: What They Are and How To Prevent Them

Scams evolve and change as scammers’ tactics are forced to adapt to technological shifts. Sometimes, this means shifting tactics back to methods that rely on deception and misleading a person instead of relying heavily on technology. TOAD (Telephone-Oriented Attack Delivery) attacks are hybrid attacks that take the idea of phishing a step further.

We rely on our phones for a majority of our day-to-day activities. They contain a wealth of information and allow us to easily access finances, accounts, and contacts. This also makes them a target for scammers and bad actors looking to exploit flaws in security.

What Is a TOAD Attack?

A TOAD attack falls under social engineering scams and phishing, and it can involve several steps that each exploit a different issue.

Here are some of the key elements a TOAD attack may contain and how it could play out:

  • Spoofed calls, texts, or emails: Initial contact will likely come through a spoofed channel. Spoofing is where a scammer mimics the phone number or email address of a person or company their victim may recognize. This increases the likelihood someone will interact with the scammer. Spoof attacks often impersonate businesses or government agencies to pass as a credible contact.
  • A message or invoice: A scammer will carefully craft a message that may appear to be a notification from a bank, an invoice, or a charge from a trusted account like Amazon, or that provides a fake notification about an account issue. They may ask you to click a link, call a specific number, or provide sensitive information.
  • The response: The scammer relies on creating a sense of urgency to get their target to reply without investigation. They may provide a text message with language and branding similar to those of the company they imitate to build a sense of trust. Their victim may engage by calling or texting the number and interacting with the link they provided. If the target interacts, information can be compromised.
  • Exploitation: With the information gathered, a scammer can carry out identity theft, engage in financial attacks, or use the information to further attack you or people you know. You may not be initially aware of a breach in your personal information, and it could be days before there are signs of identity theft. Further still, it can take weeks to get control of your accounts again.

These attacks can be carried out through calls or texts in which the scammer pretends to be from a company you may have an account with. Their ability to spoof numbers and emails means they can make themselves appear legitimate to any potentially doubtful recipients.

They may send an email before they text or call, and they may ask their victim to contact them through the methods they provide. The attack can be successful because they’ve already gathered information about you that is publicly available online.

How To Prevent a TOAD Attack

TOAD attacks are preventable, and there are plenty of steps you can take to protect yourself from them. 

Let’s go over some of the main ways that you can keep yourself safe from these types of attacks:

  • Secure your accounts: Keep social media accounts private, don’t share information online that you don’t want a stranger to know, and avoid posting information that is personal and could lead to identifying you. Enabling 2FA (two-factor authentication) and MFA (multi-factor authentication) is a great way to keep your accounts safe.
  • Verify calls: If a supposedly important call comes in, don’t rely just on your caller ID. You can verify the call by asking to call the person back, looking up the company, and calling a number from their official website.
  • Block or filter calls and texts: Use call and text blocking apps and features on your phone. Use your phone’s built-in blocking feature if you receive calls or texts from the same number. Apps designed to help filter spam calls and texts can automatically block them.
  • Avoid links and attachments: Don’t click on links from unverified sources. Even with links from trusted sources, check the URL before clicking on the link. Links and attachments can compromise your information.
  • Be cautious: You should take a cautious approach to online activity. Any unsolicited messages, especially ones that expect you to act immediately, should be carefully vetted.

In a business setting, teams should address these vulnerabilities to avoid a potential compromise of data. Your company should audit its security measures and devices to ensure there haven’t been data breaches or overlooked security issues. Going over the precautions above as a team keeps everyone on the same page.
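
For a security team, the elements described earlier (an impersonated brand, a number to call, urgent wording) can be checked automatically on messages that staff report. The following is an added example, not part of the original article: `triage` is a hypothetical helper, and the brand allowlist, domains, phone numbers and sample message are constructed placeholders.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed allowlist of brands the organisation deals with (constructed values):
# each brand's real sending domains and the phone numbers on its official site.
BRANDS = {"example bank": {"domains": {"examplebank.example"},
                           "phones": {"8005550100"}}}
URGENCY = re.compile(r"\b(immediately|urgent|within 24 hours|suspended|cancel)\b", re.I)
PHONE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)")
AUTH_FAIL = re.compile(r"\b(?:spf|dkim|dmarc)=(?:soft)?fail\b", re.I)

def _domain(value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(str(value or ""))[1].rpartition("@")[2].lower()

def triage(raw):
    """Return the list of TOAD indicators found in one raw email message."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    claimed = f"{msg.get('From', '')} {msg.get('Subject', '')} {body}".lower()
    sender, reply_to = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    numbers = {"".join(m) for m in PHONE.findall(body)}  # normalised to 10 digits
    findings = []
    for brand, known in BRANDS.items():
        if brand not in claimed:
            continue
        # The message claims a brand: sender domain and phone numbers must be its own.
        if not any(sender == d or sender.endswith("." + d) for d in known["domains"]):
            findings.append("brand_domain_mismatch")
        if numbers - known["phones"]:
            findings.append("unlisted_callback_number")
    if reply_to and reply_to != sender:
        findings.append("reply_to_mismatch")
    if AUTH_FAIL.search(" ".join(map(str, msg.get_all("Authentication-Results", [])))):
        findings.append("auth_fail")
    if numbers and URGENCY.search(body):
        findings.append("urgency_with_phone_number")
    return findings

# Constructed sample of a reported message (not a real email).
PHISH = """\
From: "Example Bank Billing" <billing@examplebank-support.example>
Reply-To: refunds@mailbox.example
Subject: Invoice - action required
Authentication-Results: mx.recipient.example; spf=fail; dmarc=fail

You were charged $499.99. To cancel, call (800) 555-0199 immediately.
"""
```

A message that names the brand but gives a phone number missing from the allowlist is the strongest signal here, because it mirrors the manual advice to call only a number taken from the company's official website.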

What To Do if You’ve Been a Victim of a TOAD Attack

If you suspect you or your team has been exposed to a TOAD attack, it’s important to act quickly. 

Here are some steps you can take to minimize the damage and potentially undo any attacks that are already in motion:

  1. Change passwords and set up authentication on any accounts that may have been compromised.
  2. If the account in question is related to a financial institution or credit card, contact the bank or company to put an identity theft warning out. The companies and banks can issue new cards, close accounts, and put safety measures in place to mitigate any other damage.
  3. Contact the FTC to file a report about a scam. Digital Forensics can help you and your team shut down the attack and get control of the situation. 

Digital Forensics Corp is made up of industry professionals who are experienced in all aspects of cybersecurity. Our team is composed of digital forensics engineers, former law enforcement officials, and certified digital forensic examiners. 

We have the tools to help stop a breach, identify attackers, document the methods used to carry out the attack, and set up a plan that can help you and your team avoid the issue in the future.
