It is nearly Spring, and as the weather turns warm, one must watch out for TOADS. No, not the kind that catches flies and hops into ponds. These TOADS are more sophisticated, standing for Telephone Oriented Attack Delivery (TOAD). There was a reported uptick in TOAD attacks in 2021, and anecdotal evidence shows it will continue to gain steam in 2022.
TOAD attacks are sophisticated, multi-layered attacks that usually combine email, phone calls, a fake call center, and sometimes a polished mobile app. The email itself often carries nothing more than a phone number, so it slips past link-based filters and the victim supplies the rest. “These types of attacks prey upon a person’s vulnerabilities, there’s a sense that calling a call center is somehow ‘safer’ than emailing back and forth, but sometimes these call centers are simply ruses,” says Dale Jones, an independent cybersecurity consultant in Toronto.
TOAD attacks continue to target consumer vulnerabilities
Jones tells SmarterMSP of an accounting firm in Toronto that sent $5,000 to a fraudulent organization. The execution was flawless, he explains.
A phishing email landed in an employee’s inbox asking her to call “Apple” to reset a password. Thinking a phone call wasn’t a security threat, she called the number in the email, and a “specialist” walked her through a password reset that handed her credentials to the attackers. With the password in hand, the attackers could send what appeared to be legitimate emails from the employee’s account, and used that access to get a $5,000 invoice authorized for payment. The accounting firm didn’t catch the mistake until it was too late.
“There’s just nothing that can be done if people are going to continue to fall for elaborate ruses,” Jones advises.
The steps needed to combat these attacks
Other TOAD lures include student loan relief, instant deposit offers, and even charitable appeals.
“For MSPs, TOADs are difficult to combat because it goes beyond network security to human vulnerability. There’s not a patch or a software solution to help with that,” Jones warns, and TOAD mitigation requires a human-centric approach.
Here are some tips he recommends:
- Training: You can never have too much training, Jones advises. The more awareness there is, the less likely people are to fall for scams. Training should involve simulated attacks (pen-testing), with the results discussed with employees.
- Telephone Googling: Training, Jones explains, should include simple, 10-second verification tips. An employee should be able to look up the support number for Amazon, Apple, or whichever helpline the message names and find it on the company’s own website; the number printed in the email is never the one to trust. If no legitimate result shows up, that is cause for suspicion.
- Buddy system: Every company should have controls in place before invoices are paid. Payments over a certain dollar amount, for example, should require two employees to authorize them, and the person who submitted the request should not count as one of the two. That way, if one person (or one mailbox) is duped, a second one acts as a “check.”
- Listen to your gut: Jones says companies and MSPs should teach employees that if something doesn’t feel right, it probably isn’t.
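The second and third tips can be turned into checks that a mail gateway or an accounts-payable workflow enforces rather than leaving them to memory. The Python below is an added example written for this article; it is not code from SmarterMSP or from Jones. The vendor directory, the 555 phone numbers, the sender domains and the message text are constructed placeholders, and the $2,000 dual-approval threshold is an assumed policy value.

```python
import re
from dataclasses import dataclass

# Constructed, hypothetical directory of each vendor's *published* support
# channels, i.e. what an employee finds on the vendor's own site rather than
# in the email. The 555 numbers are placeholders, not real support lines.
OFFICIAL_SUPPORT = {
    "apple": {"domains": {"apple.com"}, "numbers": {"18005550100"}},
    "amazon": {"domains": {"amazon.com"}, "numbers": {"18005550199"}},
}

# North American numbers in common written forms; the digit lookarounds stop
# the pattern from chewing into invoice or order numbers.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)


def normalize_number(raw: str) -> str:
    """Reduce '(800) 555-0100' or '+1 800.555.0100' to '18005550100' for comparison."""
    digits = re.sub(r"\D", "", raw)
    return "1" + digits if len(digits) == 10 else digits


def sender_domain(from_header: str) -> str:
    """'Apple Support <noreply@apple-id-reset.example>' -> 'apple-id-reset.example'."""
    addr = from_header.split("<")[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()


def claimed_brand(text: str):
    """Which vendor in the directory the message invokes, if any."""
    lowered = text.lower()
    return next((b for b in OFFICIAL_SUPPORT if b in lowered), None)


def triage_callback_lure(from_header: str, subject: str, body: str) -> list:
    """Apply the 'look the number up yourself' tip automatically.

    Returns the reasons the message looks like a callback (TOAD) lure; an
    empty list means nothing was flagged, not that the message is safe.
    """
    reasons = []
    brand = claimed_brand(" ".join((from_header, subject, body)))
    if brand is None:
        return reasons  # no impersonated vendor to check the message against
    profile = OFFICIAL_SUPPORT[brand]
    domain = sender_domain(from_header)
    if domain not in profile["domains"]:
        reasons.append(f"claims to be {brand} but was sent from {domain}")
    numbers = sorted({normalize_number(n) for n in PHONE_RE.findall(body)})
    for number in numbers:
        if number not in profile["numbers"]:
            reasons.append(f"{number} is not a published {brand} support number")
    # The TOAD signature: a phone number and a call to action, but no URL,
    # so link scanners and URL reputation have nothing to inspect.
    if numbers and "call" in body.lower() and not re.search(r"https?://", body):
        reasons.append("asks for a phone call and carries no link for filters to inspect")
    return reasons


@dataclass(frozen=True)
class Invoice:
    vendor: str
    amount: float
    requested_by: str  # mailbox the request came from; may be a hijacked account


def approve_payment(invoice: Invoice, approvers, dual_threshold: float = 2000.0) -> bool:
    """Buddy-system control over an assumed $2,000 threshold.

    Above the threshold two distinct people must sign off, and the person who
    submitted the request never counts, so one hijacked mailbox cannot both
    request and approve a payment.
    """
    distinct = {a for a in approvers if a != invoice.requested_by}
    needed = 2 if invoice.amount > dual_threshold else 1
    return len(distinct) >= needed


if __name__ == "__main__":
    # Constructed lure modelled on the case described in the article.
    for reason in triage_callback_lure(
        "Apple Support <noreply@apple-id-reset.example>",
        "Action required: Apple ID password expired",
        "Your Apple ID password has expired. Call Apple Support at 1-800-555-0147 "
        "within 24 hours to reset it.",
    ):
        print("FLAG:", reason)
    invoice = Invoice("Acme Supplies", 5000.0, requested_by="alice")
    print(approve_payment(invoice, ["alice"]))        # False: requester cannot self-approve
    print(approve_payment(invoice, ["bob", "carol"]))  # True: two distinct approvers
```

The triage function only scores messages that invoke a vendor in the directory, so it says nothing about lures that name no brand; those still depend on the "listen to your gut" tip and on the payment gate, which holds regardless of how convincing the email was.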
The uptick in TOAD attacks is not surprising
It is still cheaper for attackers to run a human-focused attack that preys upon known weaknesses than to attempt a brute-force attack, crack passwords, or probe for other vulnerabilities.
“Humans remain the most reliable entry point into a network, but TOADs show that a lot of the training is working because hackers are now resorting to more granular and multi-level approaches to get in,” Jones states. But incorporating the old-fashioned phone and the human voice into an attack preys upon the human need for connection and the feeling of authority that a “supervisor” at a call center may project.
“Let’s face it, people are starved for connections after two years of COVID, and people are isolated and often disconnected. That is what makes incorporating a call center effective in scams. People want that connection, even if it is someone faceless at a call center,” Jones emphasizes.
Jones concludes that MSPs need to make people aware of their vulnerabilities, which would go a long way towards putting the hackers out of business. “Hackers are mostly cybercriminals, but they are also part psychologists; good ones know how the human psyche works,” he says.
Photo: frank60 / Shutterstock