Most organizations train employees to watch for suspicious links and attachments. Those threats are still common, but attackers are increasingly using a different method that bypasses many traditional security controls. They simply call your employees.
This tactic is known as a TOAD attack, short for Telephone-Oriented Attack Delivery. Instead of relying on malware or phishing links, attackers use phone conversations and social engineering to convince victims to reveal sensitive information or grant access to systems.
For small to mid-sized businesses, understanding how these attacks work can help prevent financial loss and data breaches.
What Is a TOAD Attack?
A TOAD attack is a cyberattack where the attacker initiates a phone call and uses the conversation to manipulate the victim into performing a risky action.
The attacker typically impersonates a trusted organization such as:
a bank
internal IT support
a software vendor
law enforcement or government officials
During the call, the attacker attempts to persuade the victim to:
share login credentials
approve multi-factor authentication prompts
install remote access software
transfer funds
reveal sensitive company information
Because the attack relies on real-time social engineering, traditional email filters and endpoint protection often cannot stop it.
Why Phone-Based Attacks Are Increasing
Phone attacks are growing for several reasons.
First, modern email security tools have become better at blocking malicious links and attachments. Attackers are adapting by moving the attack to channels that are harder for security tools to monitor.
Second, many people instinctively trust a phone conversation more than an unexpected email. A confident voice that sounds like IT support or a financial institution can quickly lower someone's guard.
Finally, attackers can adjust their story in real time based on the victim's responses, which makes social engineering far more effective.
Example 1: Bank Impersonation Targeting Businesses
One TOAD scenario affecting businesses involves attackers impersonating banks or financial institutions.
The attacker calls an employee and claims there is suspicious activity on a company account. The caller ID may even appear to come from the bank because spoofing phone numbers is relatively easy.
The caller creates urgency by saying fraudulent transactions are already happening. They then guide the employee through steps to "secure the account," which may include:
providing login credentials
confirming security codes
approving authentication prompts
Once access is obtained, attackers can quickly initiate fraudulent transfers or gain visibility into financial systems.
Law firms and financial services organizations are particularly frequent targets because of the accounts they manage.
Example 2: The Jury Duty Warrant Scam
Another phone scam that illustrates how these attacks work is the jury duty warrant scam, which has been reported across the Carolinas.
In this scam, the attacker calls the victim and claims to be a sheriff's deputy, court official, or U.S. Marshal. The caller states that the victim missed jury duty and now has a warrant for their arrest.
The attacker pressures the victim to resolve the situation immediately. Victims are told they must:
verify personal information
remain on the phone
pay a fine to avoid arrest
Payment is usually requested through prepaid cards, cryptocurrency, or payment apps. Some victims are even sent fake warrants that include real court names and officials to make the threat appear legitimate.
Courts have repeatedly warned residents that they do not call people demanding payment for missed jury service. Official communication is handled through mailed notices.
While this example targets individuals, the same tactics are frequently used against employees in business environments.
Why TOAD Attacks Are Effective
These attacks succeed because they exploit human psychology rather than technical vulnerabilities.
Attackers rely on several common tactics:
Authority: They impersonate banks, executives, law enforcement, or IT support.
Urgency: Victims are told immediate action is required to stop fraud or avoid consequences.
Fear: Threats of financial loss, legal action, or system outages pressure victims to act quickly.
Credibility signals: Caller ID spoofing and publicly available information make the story sound believable.
Because the victim is speaking directly with the attacker, the conversation can continue until the victim complies.
How Businesses Can Protect Against TOAD Attacks
Organizations can reduce the risk of these attacks with a few practical steps.
Train Employees to Verify Phone Requests
Employees should never provide credentials, MFA codes, or sensitive information on a phone call they did not initiate, no matter who the caller claims to be.
If the request seems legitimate, they should hang up and contact the organization using a known, verified phone number obtained independently (for example, from the organization's website or an existing account statement), never a number supplied by the caller.
Require Verification for Financial Actions
Changes to payment instructions, account access, or financial transfers should always require secondary verification through a separate, independent channel, such as a call back to a known number, rather than confirmation within the same conversation that made the request.
Implement Multi-Factor Authentication
MFA significantly reduces the impact of stolen credentials. Because the scenarios above show attackers talking victims into approving authentication prompts, employees should also be taught to treat any MFA prompt they did not trigger themselves as a warning sign and to deny it.
Include Phone Scams in Security Training
Many security awareness programs focus heavily on email phishing. Training should also prepare employees for phone-based social engineering.
The Bottom Line
Cybersecurity threats are no longer limited to suspicious emails or malware downloads. Increasingly, attackers are using simple phone calls to bypass technical defenses. Organizations that recognize these tactics and train employees to verify requests are far less likely to become victims. Understanding how TOAD attacks work is one of the simplest ways to reduce the risk.
If you want to evaluate how prepared your organization is for social engineering threats, ComTech works with businesses across the Carolinas to strengthen their cybersecurity through employee training, security tools, and practical risk reduction strategies. Contact us today for a risk assessment or to schedule free cybersecurity training.
