Although the phrase "TOAD attack" may sound bizarre, it's a descriptor for a dangerous new attack type plaguing businesses..
TOAD stands for telephone-oriented attack delivery, a form of multi-layered phishing attack that combines elements like text or instant message (smishing), voice (vishing), or email with social engineering to trick users into disclosing proprietary, personal, or financial data.
According to Proofpoint's 2024 State of the Phish report, 10 million TOAD attacks are made every month, with 67% of businesses globally having been affected by a TOAD attack in 2023.
The increase in TOAD attacks can be partially attributed to more sophisticated phishing attacks enabled by AI, says Tope Olufen, a senior analyst at Forrester. In addition, as more organizations embrace multi-factor authentication (MFA), threat actors have had to become more creative with social engineering, he adds.
"Vishing attacks are a big threat to business and with the rise of generative AI enabling technology to sound more human than before, it could leave businesses more vulnerable to voice scammers," adds Shelby Flora, managing director for Security at Accenture UK and Ireland. "In business, we're seeing more threats to high-value targets like executives, who can become compromised by effective voice scammers."
Anatomy of a TOAD attack
Before attacking, scammers will collect a victim's credentials from a variety of sources, such as previous data breaches, social media profiles and information purchased on the dark web. Armed with this, they'll then reach out to the individual via applications such as WhatsApp, or call them up.
"Social engineering is on the rise and becoming more sophisticated. Cyber criminals will try to build a detailed profile on their potential victims – like C-suite and board level individuals – details of their children, what college they went to, whether they're a keen horse rider etc, and message to try to elicit a response," says Joel Stradling, IDC research director, European Security, and Privacy.
Victims may receive a call or message from someone claiming to be a colleague, a client, or from a reputable call center who then uses the information they've gathered to 'prove' they are who they claim to be.
After trust is established, they're likely to send a text or email to the victim encouraging them to click on a malicious link or download an attachment that enables them to bypass an organization's traditional cyber defenses, such as MFA.
And these techniques continue to advance. One of the more sophisticated aspects of TOADs can be number or email spoofing, where they take the identity of someone you know to contact you. "This could be anyone from your mum to your bank," Stradling notes.
In one case, from Toronto, Canada, an employee received an email requesting them to call Apple to reset a password. They did so, and a 'specialist' walked them through the process. Once they had obtained their password, the cyber criminals were able to send emails out from the employee's account and trick colleagues into authorizing a fraudulent payment of $5,000, reports SmarterSMP.
AI is lowering the barrier to entry for TOAD attacks. Earlier this year a Hong Kong executive was tricked into transferring HK$200m – £20m GBP – of company money to cyber criminals posing as senior officials in a deepfake video conference call.
A significant risk to businesses
Due to their dual-channel approach and targeting of specific individuals, businesses must be vigilant of TOAD attacks, says Kevin Curran, a senior member of the IEEE and a professor of cybersecurity at Ulster University.
Mitigating these threats requires a comprehensive strategy that encompasses employee training, advanced email filtering, verification procedures for sensitive transactions and robust incident response plans, Curran adds.
Employees continue to be one of an organization's biggest cybersecurity weaknesses, which is why staff education needs to be at the heart of your strategy if you wish to securely defend your organization from wily TOADs.
By prioritizing this and focusing on the risks posed by such attacks and the current tactics the criminals are using, you'll reinforce good cyber behaviors.
This should involve regular training and simulation exercises which will enable employees to better recognize and respond to TOADs.
Keeping the TOADs at bay
A robust strategy for keeping the TOADs at bay should also include implementing advanced email security solutions equipped with AI and ML, which can help detect and block phishing emails, Curran points out.
"Establishing verification processes for unsolicited calls requesting sensitive information is also crucial, as is the use of MFA to secure access to corporate systems. Regular security audits and updates are necessary to identify vulnerabilities and apply necessary patches and an incident response plan should be established to address and mitigate any breaches.
"Collaborating and sharing information with other businesses and industry groups can provide valuable insights into new or emerging threats and defense strategies," he continues. "By combining technology, processes, and people, organizations can create a robust strategy against TOAD attacks."
Stradling adds, however, that there's also a collective responsibility for governments and bodies such as the EU to protect the private sector and public consumers from TOAD attacks, noting that he's concerned many of the regulations and laws appear to be a couple of steps behind what the criminals are doing.
"The public sector, private sector, governing bodies, law enforcement, industry frameworks, and hyperscalers are collectively responsible and should be collaborating and cooperating to help protect businesses and individuals," he points out.
TOAD attacks are becoming more sophisticated
The future of TOAD attacks is likely to be characterized by their evolution rather than extinction, says Curran. Forrester expects TOAD attacks to evolve and become more widespread, "which is why organizations must remain vigilant," says Olufsen.
As cyber criminals refine their tactics, we can expect TOAD attacks to become more sophisticated and potentially leverage new technologies. Businesses and cyber security professionals must respond by developing more sophisticated detection and prevention techniques, enhanced employee training programs, and stronger regulatory frameworks to mitigate these threats.
"Ultimately, while the threat of TOADs is unlikely to die out completely, their impact may be curtailed through proactive security measures, heightened awareness and robust risk management strategies," Curran says.
