First Phish, Now Toads? What’s next? Locusts?

  • By Southridge Technology
Despite their science-fiction-sounding name, TOAD attacks are a serious threat. According to recent research, about 10 million TOAD attacks occur each month, affecting 67% of US businesses.
Security products adapt to new and evolving cyber threats, making it harder for criminals to get past firewalls and infiltrate the targeted network using electronic or mechanical strategies. Luckily for them, no matter how robust these defenses are, humans continue to be the weak point in security. So while the industry provides us with the strongest locks available, criminals use strategies like phishing and other forms of social engineering to trick end-users into unlocking those safeguards and opening the door. In response, IT specialists advocate for end-user education and training to create a security-savvy workforce who know how to protect themselves and their organizations, using things like the SLAM method to evaluate the legitimacy of emails before clicking on any links in the email. A savvy workforce leaves criminals looking for new modalities to get us to unlock the doors. Thus, cue the TOADs.
TOAD attacks have about as much to do with amphibians as phishing attacks have to do with salmon. TOAD stands for telephone-oriented attack deliveries. TOAD attacks combine phone calls and emails to trick users into providing criminals with protected information, such as login credentials, or into installing malicious software.
Here’s how it works:
One morning, Rob was checking his email and saw a message from his antivirus software that read, “Your antivirus subscription has ended. To resume service and keep your device protected, please call us immediately.” He dialed the number and a professional voice answered, assuring him that they could renew the software right away. All Rob needed to do was click a link. Rob followed their instructions. You can guess at the rest of this story.

Since people are wary of opening email links, scammers are shifting to a phone-based approach. Posing as a familiar or authoritative figure gives them credibility, and users are more likely to trust them, especially since the users placed the call themselves. To avoid falling for these scams, always look up the company's official phone number and contact them that way rather than using a number provided in a text or email. If you find yourself on a phone call and feel something is not quite right, hang up. Lastly, never install software from an outside source. If you get an email that seems to come from a legit company, contact your IT team.
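The same "check the number against one you looked up yourself" rule can be applied at the mail gateway. The following is an added example, not code from the original post: a Python heuristic that flags mail asking for a callback to a number that is not on a verified list. The allowlist, lure phrases, sample messages and US-style number format are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Constructed allowlist: numbers verified out-of-band (hypothetical, digits only).
VERIFIED_NUMBERS = {"18005550100"}
# Assumed lure phrases modelled on the message quoted above; tune locally.
LURE_PHRASES = ("subscription has ended", "call us immediately",
                "to resume service", "renew", "call to cancel")
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
URL_RE = re.compile(r"https?://", re.I)

# Constructed sample messages (not real mail).
SAMPLE_TOAD = """From: billing@antivirus-renewals.example
Subject: Your antivirus subscription has ended

To resume service and keep your device protected, please call us immediately at (800) 555-0199.
"""
SAMPLE_OK = """From: support@vendor.example
Subject: Maintenance window

Questions? Call 1-800-555-0100 or see https://vendor.example/status
"""


def normalize(number: str) -> str:
    """Reduce a phone number to digits with a leading US country code."""
    digits = re.sub(r"\D", "", number)
    return digits if len(digits) == 11 else "1" + digits


def toad_score(raw_email: str) -> dict:
    """Flag mail that asks for a callback to a number not verified out-of-band."""
    msg = message_from_string(raw_email)
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}".lower()
    numbers = {normalize(m.group()) for m in PHONE_RE.finditer(text)}
    unverified = sorted(numbers - VERIFIED_NUMBERS)
    lures = [p for p in LURE_PHRASES if p in text]
    # Callback lures often carry no link at all, so link scanners see nothing.
    no_links = not URL_RE.search(text)
    return {"suspicious": bool(unverified) and bool(lures),
            "unverified_numbers": unverified, "lures": lures, "no_links": no_links}
```

A flagged message is a candidate for a warning banner or quarantine review, since phrase lists like this one will also match some legitimate renewal notices.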

If your organization is not engaged in ongoing cyber-security training, reach out to us to learn about our affordable, engaging end-user education program that empowers your team and prepares them to defend your business and your customers from cyber-attacks.