Don’t Miss the Call on Call-Back Fraud: Understanding TOAD Attacks

Posted on Jan 30th, 2026
You’ve probably gotten pretty good at spotting phishing emails. That suspicious link? You’re not clicking it. That urgent message from your “bank”? You’re checking the sender’s address first. You’re doing exactly what security experts have been teaching for years.

Unfortunately, cybercriminals know you’ve gotten smarter. They’ve noticed that email filters are catching more malicious links, and users are finally questioning those “click here immediately” buttons. So, they’ve adapted with a surprisingly low-tech twist on an old scam by getting you to call them instead.

TOAD stands for Telephone Oriented Attack Delivery, though you might also hear it called Call-Back Fraud. It’s a social engineering attack that weaponizes something we still largely trust: our telephone and the voice on the other end. Instead of trying to sneak a malicious link past increasingly sophisticated email security systems, attackers send emails designed to make you pick up the phone and dial a number.

The brilliance of this approach is that it sidesteps all those technical defenses we’ve built up. Your email security can’t scan a phone conversation. Your antivirus software can’t detect a fraudulent voice on the other end of a call. And many people still inherently trust phone interactions more than digital ones.

The attack typically begins with an email that creates urgency or concern. Common scenarios include fake invoices for expensive purchases you didn’t make, subscription renewals for services you don’t use, or security alerts about your account. The key element? A prominent phone number encouraging you to “call immediately to cancel” or “contact customer service to resolve this issue.”

Example: Geek Squad scam invoice, with numbered callouts:

  • 1 – Best Buy/Geek Squad does not send invoices from Gmail email addresses
  • 2 – Prominently displayed phone number to call
  • 3 – Excessive charge to create an emotional response
  • 4 – Confirmation that you have been charged
  • 5 – A limited time opportunity to cancel to create a sense of urgency
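The five callouts above can be turned into a mail-triage heuristic. The following Python is an added example, not part of the original post; the word lists, the $200 threshold, the scoring rule and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed lists and thresholds for illustration; tune them for your own mail flow.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
BRANDS = {"geek squad", "best buy"}
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
AMOUNT = re.compile(r"\$\s?(\d[\d,]*)(?:\.\d{2})?")
CHARGED = re.compile(r"\b(has been|have been|was|will be) (charged|debited|renewed)\b", re.I)
URGENCY = re.compile(r"\b(within \d+ hours?|immediately|to cancel|call (us )?now)\b", re.I)

def toad_indicators(raw):
    """Return the call-back fraud indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Plain-text parts only; encoded bodies are not decoded in this example.
    body = "\n".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')}\n{body}"
    found = set()
    if domain in FREEMAIL and any(b in f"{display} {text}".lower() for b in BRANDS):
        found.add("brand_from_freemail")  # callout 1: brand name, free-mail sender
    if PHONE.search(text):
        found.add("phone_number")         # callout 2: number to call
    if any(int(a.replace(",", "")) >= 200 for a in AMOUNT.findall(text)):
        found.add("large_charge")         # callout 3: excessive charge
    if CHARGED.search(text):
        found.add("charge_confirmed")     # callout 4: "you have been charged"
    if URGENCY.search(text):
        found.add("urgency")              # callout 5: limited time to cancel
    return found

def is_likely_toad(raw):
    """Assumed rule: a phone number plus at least two other indicators."""
    found = toad_indicators(raw)
    return "phone_number" in found and len(found) >= 3

# Constructed sample messages (not real mail).
SCAM = """From: Geek Squad Billing <billing.desk@gmail.com>
Subject: Invoice - renewal confirmed

Your account has been charged $499.99 for a 3-year plan.
To cancel, call +1 (808) 555-0134 within 24 hours.
"""
BENIGN = """From: Best Buy <receipts@bestbuy.example>
Subject: Your receipt

Thanks for your order. Your total was $35.10.
"""
```

A message flagged this way is a candidate for quarantine or a warning banner, not proof of fraud; long order numbers and legitimate support lines will produce some false positives.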

When you call that number, you’re connected to a fraudster posing as a legitimate customer service representative. They’re prepared, professional, and convincing. During the call, they may ask you to:

  • Provide personal information like your full name, address, or date of birth
  • Share financial details including credit card or bank account numbers
  • Install “security software” that’s actually malware giving them remote access to your computer
  • Purchase gift cards as “refunds” or to “secure your account”
  • Verify account credentials or passwords

The attacker uses the phone conversation to build trust and exploit the natural human tendency to want to resolve problems quickly. They create pressure, use technical jargon, and leverage your desire to fix what seems like a legitimate issue.

Stay safe with these preventive measures:

Verify independently. If you receive an unexpected email about charges, subscriptions, or account issues, don’t use the contact information provided. Instead, look up the company’s official website yourself and use the contact details listed there.

Question urgency. Legitimate companies rarely demand immediate action. Pressure tactics are a red flag.

Never provide sensitive information. Real customer service representatives won’t ask for passwords, full credit card numbers, or remote access to your computer through unsolicited contact.

When in doubt, hang up. There’s no penalty for ending a call if something feels wrong. You can always initiate contact through official channels if needed.

The technology protecting us is impressive, but remember: the most effective security tool is still your good judgement. Stay skeptical, verify independently, and don’t let fear and urgency override your common sense.
