Phishing & Social Engineering
What is TOAD?
TOAD stands for Telephone-Oriented Attack Delivery, a multi-stage social engineering attack that combines email phishing with voice (telephone) interaction. The attacker sends a phishing email containing no malicious links or attachments but urging the recipient to call a phone number. When the victim calls, a live operator impersonates a legitimate representative and uses social engineering to steal credentials, install remote access tools or malware, or extract financial information. TOAD is the industry-standard umbrella term coined by Proofpoint that encompasses callback phishing and hybrid vishing attacks. It is closely related to but distinct from pure vishing, where the attacker initiates the call to the victim.
How does TOAD work?
TOAD attacks follow a consistent sequence. First, the victim receives an email impersonating a legitimate company (Amazon, PayPal, McAfee, Norton, Netflix), typically containing a fake invoice or subscription renewal notice and a phone number—but no URLs or attachments. The email creates urgency or concern about a charge or account issue. Second, the victim calls the number, believing they need to cancel a charge or resolve an account problem. Third, a live attacker answers, posing as a customer service agent, building rapport and establishing urgency through natural conversation.
The attack then diverges into two primary paths. On the financial fraud path, the attacker directs the victim to install remote access software (AnyDesk, TeamViewer, Zoho, Syncro, or similar), then uses that session to reach the victim's banking or financial systems and steal funds or harvest sensitive financial information. On the malware delivery path, the attacker guides the victim to download and execute a file, such as a ClickOnce executable or BazarLoader, establishing persistent access for subsequent data exfiltration, lateral movement, or ransomware deployment.
Post-exploitation activities vary based on attacker objectives. Some operators immediately exfiltrate data and move laterally to other systems. Others deploy ransomware or lock the victim out of their own systems to demand ransom. The sophistication of post-exploitation activity depends on whether the attacker is financially motivated, involved in espionage, or part of an organized ransomware operation.
Emerging tactics as of 2025 show how quickly the technique is evolving. Free AI voice cloning tools can replicate a person's voice from a 30-60 second audio sample, enabling executive impersonation. Deepfake-enabled vishing (voice deepfake phishing) surged 1,600% in Q1 2025 compared to the end of 2024. Deepfake double-team attacks pair AI voice cloning with synthetic video on conference-call platforms. MFA code harvesting is another evolution: using a password they already hold, attackers attempt a login so that a real MFA prompt or push notification appears on the victim's phone, then call the victim posing as security staff and ask them to read out the one-time code or approve the prompt. Supply-chain pivoting attacks send fake invoices through legitimate SaaS billing systems (Intuit, Zoho, DocuSign), so the message arrives from a trusted sender and looks authentic. Multilingual call centers let TOAD operators switch languages mid-call to target global help desks and overcome employee skepticism.
How does TOAD differ from other social engineering attacks?
| Dimension | TOAD | Vishing (Pure Voice Phishing) | Traditional Email Phishing | Smishing (SMS Phishing) |
|---|---|---|---|---|
| Initial Vector | Email (no links/attachments) + phone | Phone call (attacker-initiated) | Email with malicious link/attachment | SMS with malicious link |
| Who Initiates Voice Contact | Victim calls attacker | Attacker calls victim | N/A | N/A (may include callback number) |
| Email Filter Bypass | High: clean email body | N/A | Low to Moderate | N/A |
| Real-Time Adaptability | High: live human operator | High: live caller | Low: static page | Low |
| Digital Forensic Trail | Low: phone call leaves minimal trace | Low | Moderate to High (email logs, URLs) | Moderate |
| Scalability | Medium: requires call center | Low to Medium: requires callers | Very high: fully automated | High: automated |
| Detection Difficulty | High: hybrid channel | Moderate | Moderate | Moderate |
| Ideal for | Bypassing email filters with clean emails and delivering malware via phone social engineering | Creating immediate urgency through unsolicited voice calls | Mass credential harvesting and malware distribution | Mobile-focused attacks with link-based credential theft |
TOAD and callback phishing are nearly synonymous terms. Proofpoint popularized "TOAD" as the industry-standard terminology, while "callback phishing" is the more descriptive, colloquial term. Both refer to the same attack pattern where the victim initiates the phone call after receiving a phishing email.
The distinction between TOAD and pure vishing matters: in vishing, the attacker places an unsolicited call to the victim; in TOAD, the victim places the call after receiving a phishing email. This reversal works in the attacker's favor because a victim who dialed the number themselves feels in control and extends more trust to the person who answers.
Why does TOAD matter?
TOAD attacks are scaling rapidly and exploiting fundamental gaps in organizational defenses. Proofpoint data shows the attack's prevalence: approximately 10 million TOAD attacks are detected per month on average, with a peak of 13 million in August 2023. In 2022, more than 600,000 TOAD attacks occurred per day at peak volume. According to Proofpoint's "2024 State of the Phish Report," 67% of businesses globally were affected by a TOAD attack in 2023, meaning two-thirds of organizations experienced at least one attempted TOAD attack that year.
The most alarming finding is the training gap. Only 23% of organizations educate their users on how to recognize and prevent TOAD attacks, according to Proofpoint. This leaves 77% of organizations vulnerable despite the technique being well-documented and predictable.
AI-driven vishing is amplifying the threat significantly. According to Deep Strike's "Vishing Statistics 2025," vishing (the broader category, which includes TOAD calls that use deepfake voice cloning) surged 442% in 2025 as AI deepfakes fueled $40 billion in global fraud. AI-related fraud attempts rose 194% in 2024 compared to 2023, and deepfake-enabled vishing rose 1,600% in Q1 2025 compared to the end of 2024. High-profile incidents show the real-world impact: a Hong Kong firm lost $25 million in 2024 after deepfake video and voice impersonation during a live meeting, and an Italian businessman was defrauded of nearly one million euros in 2025 by an AI-cloned voice impersonating the Italian Defense Minister.
What are the limitations of TOAD attacks?
TOAD has several structural constraints. First, call centers must be staffed with convincing, language-fluent operators, which is expensive and limits scale; AI voice cloning is lowering this barrier but is not yet flawless, and current clones can exhibit artifacts such as unnatural pauses and tonal inconsistencies that trained listeners can detect. Second, the victim must take an active step by calling the number, which introduces friction and lowers conversion rates compared with click-based phishing. Third, phone infrastructure can be traced: numbers can be reported, blocklisted, and traced by law enforcement, forcing attackers to rotate them frequently. Fourth, awareness training is highly effective because the attack depends entirely on social engineering; employees trained to verify through official channels can reliably defeat it, although only 23% of organizations currently provide TOAD-specific training. Fifth, from the defender's side, the email carries no conventional indicator of compromise: there is no URL, attachment hash, or malware sample to share across threat intelligence platforms. The callback number is the one shareable artifact, which is exactly why attackers rotate numbers so often.
How can organizations defend against TOAD attacks?
TOAD-specific security awareness training is foundational. Standard generic phishing training is insufficient. Organizations must train employees specifically on the TOAD pattern: suspicious invoices combined with phone numbers and no links, often claiming urgent action is needed. Training should include simulated TOAD exercises where employees receive mock phishing emails with phone numbers and are tested on whether they correctly identify the scam. According to Proofpoint's "Reduce Your Organization's Risk from TOAD Attacks" (2024), this is the most cost-effective control.
Advanced email security with AI/ML is essential. Deploy solutions that detect social engineering patterns in email body text even when no malicious URLs or attachments are present. Solutions from Proofpoint, Abnormal AI, and similar vendors analyze email composition, sender behavior, and context to flag suspicious messages. These tools cannot rely on technical indicators alone but must understand the semantics of social engineering.
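As an added example (not Proofpoint's or Abnormal AI's code, and not part of the original page), the script below scores a raw RFC 822 message on the signals that make a TOAD lure recognizable without any URL or attachment: a callback number in an otherwise clean message, billing and urgency vocabulary, and an impersonated brand whose real sending domains (an illustrative, assumed list here) do not match the sender's domain. The two sample messages are constructed for the example. The normalized numbers it extracts are what you would feed to a phone-reputation or blocklist process.

```python
"""Heuristic triage for TOAD-style emails (added example, not vendor code)."""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample messages for the example; not real campaign data.
TOAD_SAMPLE = """\
From: "PayPal Billing" <billing-notice@mail-alerts-center.com>
To: finance@example.com
Subject: Invoice #884213 - Your annual subscription has been renewed
Content-Type: text/plain; charset=utf-8

Dear customer,

Your PayPal Premium Protection plan was renewed today for $399.99.
If you did not authorize this charge, call our billing desk within 24 hours
at +1 (800) 555-0142 to cancel and receive a full refund.

Thank you,
PayPal Support Team
"""

BENIGN_SAMPLE = """\
From: "Dana Ortiz" <dana.ortiz@example.com>
To: finance@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain; charset=utf-8

Hi all, are we still on for lunch Thursday? Call me at 415-555-0199 if plans change.
"""

# Brands commonly impersonated in TOAD lures and the domains they legitimately send
# from. Assumption for the example: the legitimate-domain sets are illustrative only.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
    "norton": {"norton.com", "nortonlifelock.com"},
    "mcafee": {"mcafee.com"},
    "netflix": {"netflix.com"},
}

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# US-style numbers only; extend for other regions as needed.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URGENCY_RE = re.compile(
    r"\b(within \d+ hours?|immediately|urgent|cancel|refund|unauthori[sz]ed"
    r"|charged?|invoice|renew(?:ed|al)?|subscription)\b",
    re.I,
)


def normalize_phone(raw: str) -> str:
    """Reduce a matched number to E.164 so it can be compared against a blocklist."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def extract_phones(text: str) -> list[str]:
    return sorted({normalize_phone(m) for m in PHONE_RE.findall(text)})


def _sender(msg: EmailMessage) -> tuple[str, str]:
    """Return (display name, domain) of the first From: address, lower-cased."""
    hdr = msg["From"]
    if hdr is None or not hdr.addresses:
        return "", ""
    addr = hdr.addresses[0]
    return addr.display_name.lower(), addr.domain.lower()


def _body_text(msg: EmailMessage) -> str:
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def score_toad(raw_message: str, threshold: int = 5) -> dict:
    """Score one raw message; a score at or above the threshold is TOAD-suspect."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, domain = _sender(msg)
    text = f"{msg['Subject'] or ''}\n{_body_text(msg)}"
    signals: list[str] = []
    score = 0

    phones = extract_phones(text)
    has_url = bool(URL_RE.search(text))
    has_attachment = any(True for _ in msg.iter_attachments())
    # Signal 1: a "clean" message (no link, no attachment) that still offers a number.
    if phones and not has_url and not has_attachment:
        signals.append("callback_number_without_link_or_attachment")
        score += 3
    # Signal 2: fake-invoice vocabulary; two distinct terms are required to count.
    hits = {m.lower() for m in URGENCY_RE.findall(text)}
    if len(hits) >= 2:
        signals.append(f"billing_urgency_terms:{len(hits)}")
        score += 2
    # Signal 3: an impersonated brand whose real domains do not match the sender.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display or brand in text.lower():
            if not any(domain == d or domain.endswith("." + d) for d in legit):
                signals.append(f"brand_domain_mismatch:{brand}:{domain}")
                score += 3
            break
    verdict = "toad-suspect" if score >= threshold else "benign"
    return {"verdict": verdict, "score": score, "signals": signals, "phones": phones}


if __name__ == "__main__":
    for sample in (TOAD_SAMPLE, BENIGN_SAMPLE):
        print(score_toad(sample))
```

The threshold is deliberately set so that a lone phone number, as in the colleague's lunch note, never trips it on its own; only the combination of a clean message, billing language and a brand mismatch reaches the verdict. The same combination of signals is what a commercial engine learns statistically rather than by hand-written rules.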
Mandate an independent verification policy requiring employees to never call numbers from unsolicited emails. All billing or account issues must be verified through official company websites or known contact numbers. According to the New Jersey Cyber & Infrastructure Crime Center (NJCCIC), "Increase in TOAD Attacks" (2024), this simple process is highly effective.
Implement endpoint application controls using application whitelisting or EDR to prevent installation of unauthorized remote access tools (AnyDesk, TeamViewer, Splashtop, etc.). According to Unit 42's analysis of Luna Moth (2022), even if an employee grants remote access during a TOAD call, endpoint controls can prevent attacker execution.
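The hunt side of this control, as an added example that is not Unit 42's code, any EDR product's logic, or part of the original page: a short Python triage over constructed Sysmon-style process-creation events that flags remote-access tools on hosts where they are not sanctioned, and raises the severity when a browser or Explorer launched the binary from a user-writable path, or when the file on disk was renamed but its PE OriginalFileName still names the tool. The tool tokens, the approved-host list and the events are all illustrative assumptions; in production the same matching feeds an allowlisting policy that blocks the execution rather than merely reporting it.

```python
"""Triage of process-creation events for unapproved remote-access tools (added example)."""
from __future__ import annotations

# Constructed Sysmon Event ID 1 records trimmed to the fields the triage needs.
EVENTS = [
    {"UtcTime": "2025-03-04 14:02:11", "Computer": "FIN-LAPTOP-07", "User": r"CORP\jdoe",
     "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"UtcTime": "2025-03-04 14:02:40", "Computer": "FIN-LAPTOP-07", "User": r"CORP\jdoe",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\setup_helper.exe",
     "OriginalFileName": "TeamViewer_Setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2025-03-04 09:15:02", "Computer": "IT-ADMIN-01", "User": r"CORP\svc_helpdesk",
     "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "OriginalFileName": "TeamViewer.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"UtcTime": "2025-03-04 08:30:00", "Computer": "HR-PC-03", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe",
     "OriginalFileName": "SRServer.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"UtcTime": "2025-03-04 10:00:00", "Computer": "FIN-LAPTOP-07", "User": r"CORP\jdoe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "OriginalFileName": "Excel.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumption: illustrative name fragments; extend from vendor documentation or your EDR's
# software catalog. Matching on both the path and OriginalFileName catches renamed files.
RMM_TOKENS = {
    "anydesk": "AnyDesk",
    "teamviewer": "TeamViewer",
    "splashtop": "Splashtop",
    "screenconnect": "ScreenConnect",
}
# Parents that indicate a user ran something they just downloaded or opened.
USER_LAUNCHERS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "explorer.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
# (host, tool) pairs where the tool is sanctioned, e.g. the help desk's own TeamViewer.
APPROVED = {("IT-ADMIN-01", "TeamViewer")}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def identify_rmm(event: dict) -> str | None:
    """Return the tool label if the image path or OriginalFileName names an RMM tool."""
    haystack = (event.get("Image", "") + " " + event.get("OriginalFileName", "")).lower()
    for token, label in RMM_TOKENS.items():
        if token in haystack:
            return label
    return None


def triage(events: list[dict]) -> list[dict]:
    """Flag unapproved RMM launches, ordered by time, with reasons and a severity."""
    findings: list[dict] = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        tool = identify_rmm(ev)
        if tool is None or (ev["Computer"], tool) in APPROVED:
            continue
        reasons = [f"unapproved_rmm:{tool}"]
        parent = _basename(ev.get("ParentImage", ""))
        if parent in USER_LAUNCHERS:
            reasons.append(f"user_launched_from:{parent}")
        if any(tok in ev["Image"].lower() for tok in USER_WRITABLE):
            reasons.append("runs_from_user_writable_path")
        original = ev.get("OriginalFileName", "").lower()
        if original and original != _basename(ev["Image"]):
            reasons.append("renamed_binary")
        # Three or more corroborating reasons is the pattern of a victim running an
        # installer mid-call; a lone unapproved service start is worth a look but lower.
        severity = "high" if len(reasons) >= 3 else "medium"
        findings.append({
            "UtcTime": ev["UtcTime"], "Computer": ev["Computer"], "User": ev["User"],
            "tool": tool, "severity": severity, "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f["UtcTime"], f["Computer"], f["tool"], f["severity"], ", ".join(f["reasons"]))
```

Two high findings land on the same host and user within thirty seconds, which is the shape of a live TOAD session and a reason to isolate the host rather than wait for the next alert. The Splashtop service on HR-PC-03 is only medium: it may be a legitimate but undocumented install, which the approved list should then record.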
Multi-factor authentication (MFA) protects against credential theft, but TOAD operators target it directly through MFA code harvesting, so the form of MFA matters. Use phishing-resistant MFA (FIDO2/WebAuthn) where possible, as Keepnet Labs (2024) recommends: a FIDO2 credential is bound to the site's origin and produces no code the user could read out over the phone, so the harvesting variant fails. The remaining weak points are enrollment and reset flows, which the same help-desk-targeted social engineering can abuse, so verify identity out of band before resetting or re-enrolling an authenticator.
Use phone number reputation and blocking services to identify and block known scam phone numbers. However, this is not a primary defense because sophisticated attackers rotate phone numbers and use legitimate-looking numbers that can be difficult to distinguish from legitimate businesses.
Establish specific procedures for TOAD incidents, including immediate disconnection of remote access sessions, credential resets, and comprehensive forensic investigation of affected systems. Rapid incident response minimizes attacker dwell time and data exfiltration.
FAQs
What does TOAD stand for in cybersecurity?
TOAD stands for Telephone-Oriented Attack Delivery. It is a hybrid phishing technique where attackers send emails containing phone numbers (but no malicious links) and socially engineer victims during the subsequent phone call. The term was popularized by Proofpoint and has become the industry-standard terminology. According to Proofpoint's "Typical Attack Sequence of TOAD Threats" (2023), TOAD encompasses both callback phishing and hybrid vishing attacks.
How is TOAD different from vishing?
In traditional vishing, the attacker initiates the unsolicited phone call to the victim. In a TOAD attack, the victim initiates the call after receiving a phishing email with a phone number. This is a critical distinction psychologically because the victim feels more in control and trusts the interaction more since they made the call themselves. According to Security Info Watch (2024) and Proofpoint (2023), this reversal in initiative is what makes TOAD psychologically effective and harder to defeat with typical voice security awareness training designed around unsolicited calls.
How many TOAD attacks occur each month?
Proofpoint detects approximately 10 million TOAD attacks per month on average, with a peak of 13 million in August 2023. According to Proofpoint's "2024 State of the Phish Report," 67% of global businesses were affected by a TOAD attack in 2023. This makes TOAD one of the most prevalent attack vectors globally.
How is AI making TOAD attacks more dangerous?
AI voice cloning tools can now replicate a person's voice from just 30-60 seconds of audio, allowing attackers to impersonate executives or trusted contacts during TOAD calls with high fidelity. This is particularly dangerous because executives are frequently used as impersonation targets. Deepfake-enabled vishing surged 1,600% in Q1 2025 according to Deep Strike's "Vishing Statistics 2025" (2025). Notable incidents include a $25 million loss from a deepfake video call (Hong Kong, 2024) and nearly 1 million euros stolen using the cloned voice of the Italian Defense Minister (2025). The combination of AI voice cloning with the TOAD delivery method creates a uniquely difficult attack to defend against.
Why can't email filters stop TOAD attacks?
TOAD emails typically contain no malicious URLs, attachments, or malware—just legitimate-looking text and a phone number. Traditional email security tools that scan for known indicators of compromise (IOCs) have no technical payload to flag. The attack happens entirely during the phone call, where it is invisible to email security. This is why advanced AI/ML-based email security that analyzes text patterns and context is needed, according to Proofpoint (2023) and Abnormal AI (2024).



