TOAD Phishing: A Rising Threat for Hoteliers

Highlights

* TOAD (Telephone-Oriented Attack Delivery) is a phishing scam using multiple communication channels to steal sensitive data.

* TOAD attacks are rapidly growing with 10 million monthly attempts.

* Hoteliers need a proactive, multi-layered security strategy to combat TOAD and advanced phishing threats.

Introduction

Phishing remains a top online threat to organisations, responsible for 91% of successful cyberattacks.

However, an emerging technique that exploits multiple communication channels is reshaping the familiar face of phishing and increasing its effectiveness.

Known as Telephone-Oriented Attack Delivery (TOAD) attacks, this scam mixes phone calls, emails, and texts to exploit victims’ trust and extract sensitive data. Worryingly, the TOAD risk is rapidly growing, with millions of these communications sent each month.

In this week’s feature of the VENZA Echo, we examine the TOAD attack vector, its growing impact, and what hoteliers can do to protect against the threat.

What is TOAD?

A TOAD attack is a sophisticated phishing method that combines emails, phone calls, and text messages to impersonate trusted figures, such as vendors or company executives.

By using multiple communication channels, these scams create a heightened sense of legitimacy and can trick employees into sharing sensitive credentials or bypassing security protocols.

The attack commonly unfolds as follows:

1. The victim receives a phone call or email from what appears to be a legitimate company, often about an invoice or suspicious activity, prompting them to contact a customer service number.

2. When the victim calls the customer service number, they speak with a scammer posing as support from a spoofed line.

3. The fraudster either tricks the victim into downloading malware disguised as a support tool or sends a follow-up email with malicious links, directing the victim to input their credentials, which are then stolen.

While TOAD attacks can target anyone, they often focus on business executives. Attackers gather personal information from social media and other public sources to craft more convincing scams, using this data to manipulate their targets.

Threat Landscape

The concept behind a TOAD attack is not new. Similar vishing schemes saw a significant rise during the pandemic, with the U.S. Federal Trade Commission reporting 26,000 complaints of business impersonation fraud in just the first quarter of 2020.

What has changed, however, is the scale of attacks. Now, research indicates that around 10 million TOAD messages are sent every month. This surge reached a peak in August 2023 when cybersecurity agencies warned of an increase in attacks impersonating trusted brands such as Norton, PayPal, and McAfee.

The widespread attacks continue into 2024, with recent mass campaigns leveraged against Hulu + subscribers and U.S. Social Security recipients.

AI also adds a layer of complexity to these threats. Using widely available deepfake technology, attackers can now convincingly impersonate trusted individuals via phone or video. Though uncommon, AI-enhanced TOAD attacks have had devastating consequences. In one case, a multinational firm lost $200 million when an employee, tricked by a fake message from the company’s financial officer, was drawn into a video conference with what appeared to be real colleagues. The meeting, manipulated with deepfake technology, convinced them to authorize the fraudulent transactions.

Defense

To defend against the growing threat of sophisticated phishing like TOAD attacks, hoteliers should implement a multi-layered security strategy.

This approach should include:

1. Employee Training: Ensure all staff receive ongoing, role-specific training on phishing and TOAD attacks with a focus on verifying vendors and identifying common phishing indicators.

2. Multi-Factor Authentication (MFA): Enforce MFA across all systems to add an extra layer of security, requiring additional verification to prevent unauthorized access, even if login credentials are compromised.

3. Communication Protocols: Implement clear protocols for handling sensitive requests, training staff to verify and confirm unfamiliar or urgent communications through callbacks or internal checks.

4. Vendor Awareness: Increase awareness and secure communication practices with third-party vendors to minimize the risk of impersonation.

5. Incident Response and Monitoring: Establish a strong incident response plan, with regular monitoring for suspicious activity. Use simulated phishing and vishing campaigns to assess employee susceptibility.
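As an added example (not from the article or from VENZA), the following Python triage rule turns the lure pattern described under "What is TOAD?" and the monitoring and callback-verification steps above into a concrete check: it flags messages that pair a call-back number with a billing or suspicious-activity pretext and no link, and compares any claimed vendor and phone number against a vendor directory the hotel keeps on record. The vendor directory, domains, numbers and sample messages are all constructed placeholders.

```python
import re

# Hypothetical vendor directory: the domains and phone number the hotel already
# has on record for each vendor (a real deployment would load this from the
# procurement system). Names and numbers here are constructed placeholders.
VENDORS = {"acme av": {"domains": {"acme-av.example"}, "phone": "18005550100"}}

PHONE_RE = re.compile(r"\+?1?[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
LINK_RE = re.compile(r"https?://")
LURE = ("invoice", "renew", "charged", "subscription", "suspicious activity")
URGENCY = ("within 24 hours", "immediately", "today", "urgent")

# Constructed sample messages in the shape of the lure the article describes:
# a billing or "suspicious activity" notice that asks the reader to phone in.
SAMPLES = [
    {"from": "billing@acme-av-alerts.example",
     "subject": "Your Acme AV subscription has been renewed - $349.99",
     "body": "Your annual plan was charged. If you did not authorize this, call "
             "customer support at +1 (800) 555-0142 within 24 hours."},
    {"from": "ar@acme-av.example",
     "subject": "Invoice 4471 for March services",
     "body": "Invoice attached. Questions? Call the Acme AV accounts team at "
             "800-555-0100 or use https://portal.acme-av.example/."},
    {"from": "noreply@secure-billing-notice.example",
     "subject": "Suspicious activity on your account",
     "body": "To dispute the charge, call 1-800-555-0177 immediately."},
]

def normalize_phone(raw: str) -> str:
    """Keep digits only and add the US country code when it is missing."""
    digits = re.sub(r"\D", "", raw)
    return digits if len(digits) == 11 else "1" + digits

def score_message(msg: dict) -> tuple[int, list[str]]:
    """Return a TOAD-likelihood score and the reasons that produced it."""
    text = f"{msg['subject']} {msg['body']}".lower()
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    phones = [normalize_phone(p) for p in PHONE_RE.findall(text)]
    hits = []
    if phones and not LINK_RE.search(text):   # call-back number, nothing to scan
        hits.append((3, "phone number but no link"))
    if any(t in text for t in LURE):
        hits.append((2, "billing/suspicious-activity pretext"))
    if any(t in text for t in URGENCY):
        hits.append((1, "urgency pressure"))
    for name, rec in VENDORS.items():         # compare with what is on record
        if name in text and sender_domain not in rec["domains"]:
            hits.append((3, f"claims {name}, sent from {sender_domain}"))
        if name in text and phones and rec["phone"] not in phones:
            hits.append((3, f"number differs from {name} record"))
    return sum(p for p, _ in hits), [r for _, r in hits]

def triage(messages=SAMPLES, threshold=5) -> list[str]:
    """Subjects to hold until staff verify via the vendor's number on record."""
    return [m["subject"] for m in messages if score_message(m)[0] >= threshold]
```

Held messages should be verified by calling the number already on record for the vendor, never the number printed in the message.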

Conclusion

Phishing threats are constantly evolving, giving rise to new and increasingly sophisticated risks like TOAD attacks. As these attacks grow in prevalence and complexity, hoteliers must stay ahead by adopting proactive security measures.

Feeling overwhelmed? Don’t worry. As a leader in hospitality data protection, VENZA provides tailored phishing and vishing simulations designed to pinpoint and address vulnerabilities within your human firewall.

Ready to get started? Contact Sales to discuss signing up for our programs or adding new solutions to your contract.

***

Take VENZA’s free Phishing Test to assess gaps in your human firewall today!

Human Firewall

Training your personnel to recognize and report phishing attempts is essential to protecting your guests and their data. Get started by determining your risk and readiness level using this free tool.

***

Want to stay informed? Subscribe to the free VENZA Echo now. You’ll receive a monthly digest with the highlights of our weekly article series and important product updates and news from VENZA.