Jeff Weeks
Sr. Vice President and Chief Information Security Officer
Apr 29 2025
Author: Jeff Weeks, Senior Vice President and Chief Information Security Officer
What Is a TOAD Attack?
A Telephone-Oriented Attack Delivery (TOAD) scheme is a multifaceted cyberattack that uses phone calls as a central element of the attack. The attack combines the phone call with other social engineering tactics such as phishing emails or text messages in an attempt to make the attack seem like it’s a legitimate request coming from a known entity. The goal of the attack is to manipulate individuals into compromising their security or divulging sensitive information.
This month I’d like to share a fictional story with you about two recent retirees, Eleanor and Brenda. Eleanor and Brenda are both savvy computer users and keep up with phishing schemes. Let’s see what happens when Eleanor experiences a TOAD.
The Call
It’s early Monday morning. Eleanor has started the coffee pot and awaits her friend Brenda’s arrival. Just as Brenda arrives, Eleanor receives a call. The caller ID on her cell phone indicates the call is coming from City General Hospital.
Eleanor considers quickly whether the call could be an emergency, or a follow-up call from her visit a few months ago. She excuses herself and answers, “Hello?”
The voice on the other end is brisk and businesslike. "Yes, Mrs. Henderson? This is the billing department at City General Hospital. We're calling about an overdue balance on your recent bill."
A wave of confusion washes over Eleanor. That's odd, she thinks to herself. I distinctly remember receiving and paying my bill several weeks ago. A seed of doubt begins to sprout in her mind.
Trust Your Instincts
The caller continues, "We've sent you multiple email notifications regarding this, Mrs. Henderson, but we haven't received a response."
Eleanor mutes her phone and motions for Brenda’s attention. "Brenda, this sounds like that phishing scam we read about. A TOAD attack, wasn't it? The one where a fraudster calls you and emails you.”
Eleanor hits the speaker button so Brenda can hear the call. The caller urges Eleanor to use the link in the email sent to her to pay the bill immediately to avoid it going to collections.
Confirming her growing suspicion, Eleanor mutes the call and moves over to her laptop. Following her gut feeling, she quickly navigates to her email inbox. There, near the top of the list, is an email that looks remarkably like it had come from City General Hospital. Her heart sinks a little at the apparent confirmation, but a cautious part of her urges further inspection. She hovers her mouse cursor over a link embedded within the email's text.
When Eleanor hovers over the “Pay Here” box, the real link address appears: https://www.citygeneral.payyourbill.com.
Brenda's eyes widen in recognition. "You're right! The hospital would usually send a paper bill, especially for something overdue, and the link address doesn’t point to the hospital’s domain! The link points to a domain ‘payyourbill.com.’ Remember, the domain is the part of the URL before ‘.com.’ Let’s call the hospital to verify, using the number on their website just to be sure.”
With newfound confidence, Eleanor returns to the phone. She takes a deep breath and speaks firmly into the receiver. "Thank you for the information. However, I will reach out to the City General Hospital billing department directly to clarify this matter."
The caller responds harshly, and Eleanor ends the call.
Brenda bursts out laughing in relief and amusement. Eleanor can't help but chuckle herself, a wave of triumph washing over her. They had recognized the signs, trusted their instincts, and successfully thwarted a cybercriminal's attempt.
Raising their steaming coffee mugs, Eleanor and Brenda clink them together in a celebratory toast.
"Well, Brenda," Eleanor says, a wide smile spreading across her face, "it seems we foiled a hacker today!"
"To outsmarting the criminals!" Brenda replies, her eyes sparkling with shared victory. The morning coffee, now imbued with the sweet taste of success, feels even more satisfying.
Just like Eleanor and Brenda, make sure you’re staying educated and trusting your instincts when it comes to phishing attacks. Use these tips to help keep your information safe.
Tips for Avoiding TOAD Schemes
- Be suspicious of emails, especially those that promote a sense of urgency to entice you to call a phone number.
- Similarly, be suspicious of a call that prompts you to click on a link in an unsolicited email.
- Never call phone numbers, or click on links, contained in unsolicited emails.
- If you have concerns, look up the customer service number from a legitimate website or another trusted source.
- Call the legitimate number to verify whether they contacted you.
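The hover check Eleanor performs in the story can also be automated. The following is an added example, not part of the original article: it lists each link in an HTML email with the host it really points to and flags hosts that are not a known-good domain or a subdomain of one. The trusted domain citygeneralhospital.example is a hypothetical placeholder, and the sample email body is constructed around the link from the story.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the recipient already trusts for this sender
# (hypothetical placeholder; the article does not give the hospital's real domain).
TRUSTED_DOMAINS = {"citygeneralhospital.example"}

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_is_trusted(url, trusted=TRUSTED_DOMAINS):
    """True only if the host equals a trusted domain or is a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def review_links(html_body):
    """Return (text, href, host, trusted) per link: what hovering would reveal."""
    parser = LinkCollector()
    parser.feed(html_body)
    return [(t, h, urlsplit(h).hostname, host_is_trusted(h)) for t, h in parser.links]

# Constructed sample email body using the link from the story.
SAMPLE = ('<p>Your balance is overdue.</p>'
          '<a href="https://www.citygeneral.payyourbill.com">Pay Here</a> '
          '<a href="https://billing.citygeneralhospital.example/pay">Portal</a>')

if __name__ == "__main__":
    for row in review_links(SAMPLE):
        print(row)
```

The match is made against the end of the host name, so a trusted name placed at the front of someone else's domain is still flagged.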
Images are generated by Artificial Intelligence.
About the Author
Jeff has been with First National Bank of Omaha for more than 26 years and is currently the Senior Vice President and Chief Information Security Officer. Jeff’s executive leadership and oversight of the development, management, and execution of information security at FNBO enable the company to protect the private, personal information and assets of its clients, employees, and business partners.
The articles in this blog are for informational purposes only and not intended to provide specific advice or recommendations. When making decisions about your financial situation, consult a financial professional for advice. Articles are not regularly updated, and information may become outdated.