Callback Phishing (TOAD)

Instead of malicious links, attackers provide phone numbers for victims to call; human operators then guide victims to install malware or transfer money.

MITRE ATT&CK: T1566.001

Timeline: The Cat and Mouse

2021 ← Attack emerges → 2022 ← Goes mainstream → 2023 ← Detection improves → Present

The Evolution

Phase      Period      What Happened
ATTACK     Mar 2021    BazarCall campaign pioneers callback phishing at scale
ADOPTION   2021-2022   Ransomware groups (Conti, Royal) adopt technique
PEAK       2022        Widespread use; combines email phishing with vishing
RESPONSE   2022        Phone number reputation databases emerge
           2023        SEGs add pattern detection for subscription/charge lures
CURRENT    Present     Still highly effective; human element hard to defend

Key Events with Sources

Date       Event                       Significance                                                 Source
Mar 2021   BazarCall emerges           First large-scale callback phishing operation                Proofpoint
2021       Conti adopts technique      Ransomware operators use callback for initial access         AdvIntel
2022       Luna Moth campaign          BEC-focused callback phishing steals millions                Unit42
2022       Phone reputation services   SEGs begin checking numbers against fraud databases          Proofpoint
2023       Pattern detection           Email security flags subscription/charge + phone patterns    Cofense

Overview

Callback phishing (also called TOAD - Telephone-Oriented Attack Delivery) flips the traditional phishing model. Instead of sending malicious links or attachments, attackers send emails with phone numbers. When victims call, live operators use social engineering to guide them through malware installation or financial fraud.

The Attack

How It Works

┌────────────────────────────────────────────────────────┐
│  EMAIL                                                 │
│                                                        │
│  Subject: Subscription Renewal - $399.99               │
│                                                        │
│  Your annual subscription to Premium Security Suite    │
│  has been renewed for $399.99.                         │
│                                                        │
│  If you did not authorize this charge, call us at:     │
│  1-888-XXX-XXXX within 24 hours for a full refund.     │
│                                                        │
│  [No links, no attachments]                            │
└────────────────────────────────────────────────────────┘
                          │
                          ▼
              Victim calls number
                          │
                          ▼
┌────────────────────────────────────────────────────────┐
│  CALL CENTER (Attacker-Operated)                       │
│                                                        │
│  "To process your refund, I need to connect to your    │
│   computer to verify the transaction. Please go to     │
│   support-teamviewer.com and enter session ID..."      │
└────────────────────────────────────────────────────────┘
                          │
                          ▼
        Attacker has remote access to victim's computer
                          │
                          ▼
        Malware installed, data stolen, or fraud executed

Why It Bypasses Security

No Malicious Content:

  • No links to scan
  • No attachments to analyze
  • No URLs to reputation check
  • Email is just text

Human-Driven:

  • Live operator adapts in real-time
  • Can overcome objections
  • Builds rapport and trust
  • Guides victim through security warnings

Authority + Urgency:

  • Fake charge creates alarm
  • Time limit creates pressure
  • “Refund” motivates action
  • Professional call center appearance

Common Lures

Subscription Charges:

Norton LifeLock: $499.99
McAfee Antivirus: $399.99
GeekSquad: $349.99
Amazon Prime: $139.99

Order Confirmations:

"Your order for MacBook Pro ($2,499) is confirmed"
"iPhone 15 Pro shipping to [address]"

Account Alerts:

"Suspicious login detected - call to verify"
"Your account will be closed - call to prevent"

The Call Center

Attackers operate actual call centers:

  • Often offshore locations
  • Trained operators with scripts
  • Multiple operators for volume
  • Technical knowledge to guide victims

Typical Script:

  1. Verify caller identity (builds trust)
  2. Express concern about the “fraud”
  3. Offer immediate refund
  4. Require remote access to “process refund”
  5. Once connected: install malware, steal data, or transfer funds

Malware Delivery Path

1. Victim grants remote access (TeamViewer, AnyDesk, etc.)
2. Operator "checks" computer
3. Opens browser, downloads malware
4. Executes with victim watching (disguised as "scanner" or "removal tool")
5. BazarLoader, IcedID, or similar malware installed
6. Later: Ransomware deployment

Financial Fraud Path

1. Victim grants remote access
2. Operator opens banking site
3. Asks victim to log in
4. "Accidentally" transfers too much as "refund"
5. Asks victim to wire back the difference
6. Victim sends real money; "refund" was fake/reversed

Defenses

Email Detection

SEGs can flag:

  • Phone numbers in emails from unknown senders
  • Subscription/charge language + contact number
  • Numbers matching known fraud databases
  • Patterns indicating callback phishing

Phone Number Reputation

Databases track:

  • Numbers used in fraud
  • Temporary/VoIP numbers
  • International numbers with fraud history

User Training

Critical training points:

  • Legitimate companies don’t ask for remote access for refunds
  • Never call numbers from suspicious emails
  • Use official contact methods from known sources
  • Hang up and call official number if uncertain

Remote Access Controls

  • Block unauthorized remote access tools
  • Alert on remote access tool installation
  • Require approval for remote sessions

Attacker Adaptation

Multiple Phone Numbers

Rotate numbers to avoid reputation:

Call 1-888-111-XXXX or 1-888-222-XXXX

Legitimate-Seeming Numbers

  • US toll-free numbers (1-800, 1-888)
  • Local area codes
  • “Official-looking” formats

Callback Scheduling

"We're experiencing high volume. Leave your number
and we'll call you back within 2 hours."

Attacker calls the victim, which makes legitimacy harder to verify.

Legitimate Platform Abuse

Use real support chat/callback features:

  • Compromise vendor support accounts
  • Use legitimate scheduling systems
  • Harder to distinguish from real support

Current State

Status: Active

Callback phishing is highly effective:

Why It Works              Defensive Challenges
No technical indicators   Hard to scan phone numbers
Human operators adapt     Can’t automate defense
Creates urgency/fear      Emotional manipulation works
Victims self-select       Those who call are engaged

Detection Guidance

Email Indicators

Flag emails with:

  • Phone numbers + charge/subscription theme
  • Urgency + contact request
  • No links/attachments (unusual for notifications)
  • Slightly off branding

User Reports

Encourage reporting:

  • Unexpected subscription emails
  • Requests to call unfamiliar numbers
  • Anyone asking for remote access

Endpoint Monitoring

Watch for:

  • Remote access tool installation
  • Remote sessions from unknown IPs
  • Browser navigation to remote access sites
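The three endpoint indicators above, together with the approval requirement under Remote Access Controls, turned into a small detection routine. This is an added example, not code from the original page: it evaluates constructed endpoint telemetry (process-start and DNS events in an invented JSON-lines shape, loosely modelled on EDR/Sysmon fields) and raises alerts for remote-access tool execution, unapproved installs, and browser navigation to remote-access sites. The tool names, the approved install path, the browser list and the vendor domains are assumptions to tune for your own environment.

```python
"""Endpoint indicators of a callback-phishing remote-access session.

Added example, not code from the original page. Event shape, tool list,
approved path and vendor domains are assumptions.
"""
import json
from dataclasses import dataclass

# Tools named on the page; matched as a substring of the process image or the
# queried domain (assumption: extend with whatever your organisation does not deploy).
REMOTE_TOOLS = ("teamviewer", "anydesk")
# Vendor domains treated as genuine; any other domain containing a tool name is
# a lookalike, such as the "support-teamviewer.com" in the page's diagram.
VENDOR_DOMAINS = {"teamviewer.com", "anydesk.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Hypothetical policy: only IT-deployed copies under Program Files are approved.
APPROVED_PREFIX = "c:\\program files\\"


@dataclass
class Alert:
    severity: str  # high | medium | low
    rule: str
    host: str
    detail: str


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tool_in(name):
    lowered = name.lower()
    return next((t for t in REMOTE_TOOLS if t in lowered), None)


def registered_domain(fqdn):
    # Good enough for .com-style names; a public-suffix list is needed in general.
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def check_process(ev):
    image, parent = ev["image"], basename(ev.get("parent", ""))
    if tool_in(basename(image)) is None:
        return None
    who = f"{basename(image)} by {ev['user']} on {ev['host']}"
    if parent in BROWSERS:
        # Downloaded and run during the call: the page's malware-delivery path.
        return Alert("high", "remote-tool-launched-from-browser", ev["host"], f"{who}, parent {parent}")
    if not image.lower().startswith(APPROVED_PREFIX):
        return Alert("medium", "unapproved-remote-tool", ev["host"], f"{who} from {image}")
    return Alert("low", "approved-remote-tool-session", ev["host"], who)


def check_dns(ev):
    if basename(ev.get("image", "")) not in BROWSERS:
        return None  # only browser navigation is in scope for this indicator
    query = ev["query"].lower()
    if tool_in(query) is None:
        return None
    if registered_domain(query) in VENDOR_DOMAINS:
        return Alert("medium", "browser-to-remote-access-site", ev["host"], query)
    return Alert("high", "remote-access-lookalike-domain", ev["host"], query)


def evaluate(jsonl):
    """Run every event through the matching check; alerts come back in event order."""
    alerts = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        check = {"process": check_process, "dns": check_dns}.get(ev["type"])
        alert = check(ev) if check else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed telemetry: a user talked through running AnyDesk from the browser,
# a lookalike-domain lookup, an IT-deployed TeamViewer start, and benign noise.
SAMPLE_EVENTS = r'''
{"type":"process","ts":"2024-05-01T10:03:11Z","host":"WS-042","user":"jdoe","image":"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe","parent":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"type":"dns","ts":"2024-05-01T10:02:50Z","host":"WS-042","user":"jdoe","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","query":"support-teamviewer.com"}
{"type":"process","ts":"2024-05-01T10:10:00Z","host":"WS-007","user":"helpdesk","image":"C:\\Program Files\\TeamViewer\\TeamViewer.exe","parent":"C:\\Windows\\explorer.exe"}
{"type":"process","ts":"2024-05-01T10:11:00Z","host":"WS-007","user":"helpdesk","image":"C:\\Windows\\System32\\notepad.exe","parent":"C:\\Windows\\explorer.exe"}
{"type":"dns","ts":"2024-05-01T10:12:00Z","host":"WS-013","user":"asmith","image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","query":"www.anydesk.com"}
'''

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity:6}] {a.rule}: {a.detail}")
```

The severity split follows the page's logic: a remote-access tool started by a browser is the live-call pattern and gets the highest priority, an IT-deployed copy under the approved path is logged at low severity so helpdesk sessions stay visible without paging anyone, and a lookalike domain outranks a visit to the real vendor because the genuine site has legitimate uses.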

SIEM Correlation

email.body CONTAINS phone_number
AND email.body MATCHES (subscription|charge|renewal|refund)
AND email.links.count = 0
AND email.attachments.count = 0
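The correlation rule above, the Email Detection list and the Phone Number Reputation section all describe the same check; the following implements them together. This is an added example, not code from the original page: it scores an email on phone number present, subscription/charge language, absence of links and attachments, sender familiarity, and a lookup against a fraud-number list. The phone-number regex is North American only, the scoring weights and threshold, the sample emails, and the "fraud database" are all constructed for this example.

```python
"""Callback-phishing (TOAD) email triage.

Added example, not code from the original page. Regex, weights, samples and
the fraud-number list are assumptions.
"""
import re
from dataclasses import dataclass, field

# NANP numbers in the formats lures use: 1-888-555-0100, (888) 555-0100,
# 888.555.0100, +1 888 555 0100. Assumption: North American numbers only.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)"
)
# Lure vocabulary from the page's subscription/charge/refund theme.
LURE_RE = re.compile(
    r"\b(subscription|charge[sd]?|renewal|renewed|refund|invoice|order)\b", re.I
)
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# US toll-free prefixes the page lists as "legitimate-seeming".
TOLL_FREE = {"800", "833", "844", "855", "866", "877", "888"}
# Constructed stand-in for a phone-reputation database (10 digits, digits only).
KNOWN_FRAUD_NUMBERS = {"8885550100"}
ALERT_THRESHOLD = 5


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: int = 0
    known_sender: bool = False  # seen before or on an allowlist


@dataclass
class Verdict:
    score: int = 0
    phones: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        return self.score >= ALERT_THRESHOLD


def extract_phones(text):
    """Normalise to 10 digits so rotated formats of one number collapse together."""
    return sorted({"".join(m.groups()) for m in PHONE_RE.finditer(text)})


def triage(email):
    text = f"{email.subject}\n{email.body}"
    v = Verdict(phones=extract_phones(text))
    if not v.phones:
        return v  # no number to call: not a callback lure by definition

    lure_words = sorted({w.lower() for w in LURE_RE.findall(text)})
    if lure_words:
        v.score += 2
        v.reasons.append(f"charge/subscription language: {', '.join(lure_words)}")
    if not URL_RE.search(text) and email.attachments == 0:
        v.score += 2
        v.reasons.append("phone number but no links or attachments")
    if not email.known_sender:
        v.score += 1
        v.reasons.append(f"unknown sender {email.sender}")
    for p in v.phones:
        if p in KNOWN_FRAUD_NUMBERS:
            v.score += 5
            v.reasons.append(f"{p} is in the fraud-number database")
        elif p[:3] in TOLL_FREE:
            v.score += 1
            v.reasons.append(f"{p} is an unverified toll-free number")
    if len(v.phones) > 1:
        v.score += 1
        v.reasons.append("multiple callback numbers (rotation pattern)")
    return v


# Constructed samples: a lure modelled on the page's diagram, and a genuine
# shipping notice from a known sender that links to a tracking page.
LURE = Email(
    sender="billing@example-renewals.test",
    subject="Subscription Renewal - $399.99",
    body=("Your annual subscription to Premium Security Suite has been renewed "
          "for $399.99. If you did not authorize this charge, call us at "
          "1-888-555-0100 within 24 hours for a full refund."),
)
LEGIT = Email(
    sender="orders@shop.example",
    subject="Your order #12345 has shipped",
    body=("Track your order at https://shop.example/track/12345. "
          "Questions? Call 1-800-555-0199 during business hours."),
    known_sender=True,
)

if __name__ == "__main__":
    for e in (LURE, LEGIT):
        v = triage(e)
        print(e.subject, "->", "ALERT" if v.suspicious else "ok", v.score, v.reasons)
```

The lure scores 10 and the shipping notice 3 under these weights: both contain a toll-free number and charge vocabulary, so the separating signals are the missing link, the unknown sender and the reputation hit, which is why a phone-number-plus-keyword rule on its own produces too many false positives and the page pairs it with the link and attachment counts.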

What Killed It (or Weakened It)

Defense                                Introduced   Impact
Phone Number Reputation                2022         SEGs check phone numbers against known fraud databases
Callback Phishing Awareness Training   2022         User training on this specific attack vector
Pattern Detection                      2023         SEGs flag subscription/charge notification patterns