October 17, 2024
By Cybervergent Team

When Your Inbox Rings: The Rise of Callback Phishing (TOAD Attacks)

Ever received an email from your "bank" about a suspicious charge, but instead of a suspicious link, it simply asks you to call a number?


Welcome to the world of Callback Phishing, or TOAD (Telephone-Oriented Attack Delivery), where scammers have traded suspicious URLs for something far more convincing: your phone.


The Perfect Disguise 🎭

Unlike traditional phishing emails with their telltale signs (hello, typos and urgent demands!), TOAD attacks are the masters of disguise. They arrive in your inbox looking perfectly legitimate, often mimicking trusted brands like Amazon Prime, Netflix, PayPal or your bank.

Instead of asking you to click a link, they provide a phone number and politely request that you call to resolve an issue.


Why It's Clever (And Concerning)

Think about it: We've all been trained to be suspicious of links in emails. But a phone call? That feels safer, doesn't it? After all, you're the one making the call. This is exactly what makes TOAD attacks so effective: they flip the script on traditional phishing tactics.


The Numbers Tell the Story 📊

According to Proofpoint's 2024 State of the Phish report, these aren't just occasional attempts. We're talking about:

• 10 million TOAD messages sent monthly in 2023

• A peak of 13 million messages in August alone

• Individual losses reaching up to $50,000 in some cases


How the Scam Unfolds

  1. The Hook: You receive a professional-looking email about an "urgent account issue"
  2. The Line: Instead of a suspicious link, there's just a phone number to call
  3. The Sinker: When you call, a friendly "representative" guides you through solving the non-existent problem
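As an added illustration (not code from the original post), here is a small mail-triage heuristic that scores a message for the callback-lure pattern described above: a phone number but no link, a named brand that does not match the sender's domain, and urgency language. The two sample messages are constructed for the example.

```python
import re

# Constructed sample messages (not from the original post): a callback-phishing
# lure and a legitimate notification, as (sender, subject, body) tuples.
SAMPLES = {
    "toad": (
        "Billing Support <billing-alerts@mail-notify-center.example>",
        "Urgent: your Amazon Prime membership was charged $399.99",
        "We could not verify your recent payment. Your account will be suspended "
        "within 24 hours. Call our support line at +1 (800) 555-0199 to cancel "
        "this charge.",
    ),
    "legit": (
        "Amazon <no-reply@amazon.example>",
        "Your order has shipped",
        "Track your package at https://www.amazon.example/orders . "
        "Questions? Visit Your Orders in the app.",
    ),
}

# North American phone-number shapes such as +1 (800) 555-0199 or 800.555.0199
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Brands the post names as commonly impersonated, plus typical pressure phrases
BRANDS = ("amazon", "netflix", "paypal")
URGENCY = ("urgent", "suspended", "within 24 hours", "immediately", "unauthorized")


def score_callback_lure(sender, subject, body):
    """Return (score, reasons) for a message; higher score means more TOAD-like."""
    text = f"{subject}\n{body}".lower()
    reasons = []
    # 1. The TOAD signature: a number to call, and no link to click
    if PHONE_RE.search(body) and not URL_RE.search(body):
        reasons.append("phone number present but no link: call-back lure pattern")
    # 2. Brand named in the text, but the sender's domain does not contain it
    mentioned = [b for b in BRANDS if b in text]
    sender_domain = sender.split("@")[-1].rstrip(">").lower()
    if mentioned and not any(b in sender_domain for b in mentioned):
        reasons.append(f"brand {mentioned} named but sender domain is {sender_domain}")
    # 3. Pressure to act now
    hits = [u for u in URGENCY if u in text]
    if hits:
        reasons.append(f"urgency language: {hits}")
    return len(reasons), reasons


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, score_callback_lure(*msg))
```

A score of 2 or more is a reasonable threshold to route a message to a "verify the number on the official site" banner rather than to block it outright, since legitimate billing notices can also carry urgency wording.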


What's Really at Stake

This isn't just about unauthorized charges. When you call these numbers, scammers might:

•       Guide you to install "security software" (actually malware)

•       Request remote access to your computer to "fix issues"

•       Deploy serious threats like BazaLoader malware

•       Convince you to share sensitive account details


Protecting Yourself: The Smart Way

Do:

•       Verify numbers independently using official websites or statements

•       Take a moment to check your actual accounts if you receive alerts

•       Remember that legitimate companies rarely initiate urgent account-related contacts


Don't:

•       Call numbers directly from unexpected emails

•       Allow remote access to your computer

•       Feel pressured to act immediately