The Phone Call that Gets you Hooked

A new type of phishing e-mail doesn’t need you to click, open an attachment, or push reply.

It works by getting you on the phone.

When it comes to phishing, the warning has gone out over the last 20 years more times than anyone can count.  

Don't click suspicious links. Don't open unexpected attachments.  

For the most part, people have gotten pretty good at following that advice.

Email security tools have gotten smarter, so criminals did what criminals always do: they adapted. 

Meet the TOAD — Telephone-Oriented Attack Delivery. Send someone a convincing email with no malicious link, no dangerous attachment, nothing for a security scanner to flag: just a phone number. Then wait for the victim to pick up the phone and call them.

Industrialized Scams 

Some cybersecurity firms have said there are now approximately 10 million TOAD attacks every month. Researchers have measured a 554% year-over-year jump in telephone-enabled phishing campaigns. 

This is organized, professionalized crime. Underground platforms rent out multilingual call centre "agents," auto-diallers, and spoofed caller ID systems for a monthly subscription fee.  

No technical skill required. 

What Happens 

A target receives an email saying they’ve been charged an amount for a subscription they do not recognize. There's a number to call to cancel. If the target calls that number, a friendly, professional-sounding person answers, asks for their name, then says they need remote access to the target’s computer to process the refund. From there they quietly install malware, harvest banking credentials, or drain accounts while keeping the target  

We don’t question what a helpful customer service representative tells us the same way we’d question the same instructions in an e-mail.  

It works because, while we’ve learned to be suspicious of links, we still trust the human voice too much.

Criminals know this. And with AI voice cloning now able to reproduce someone's voice from less than a minute of audio, those voices are getting harder to question.
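As an added example (not from the original post or any vendor product), here is a simple mail-triage heuristic for the lure described above: flag a message that combines a billing or refund pretext with a phone number and carries no links or attachments, since that combination is what slips past URL and attachment scanners. The keyword list, thresholds and the two sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Hypothetical TOAD-lure heuristic. A callback-phishing mail typically has an
# invoice/refund pretext, a phone number to call, and nothing else to scan.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
BILLING_WORDS = ("invoice", "charged", "subscription", "renewal", "refund", "cancel")


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def score_toad_lure(subject: str, body: str, has_attachment: bool = False) -> Verdict:
    """Return a Verdict for one message; only the *combination* of signals fires."""
    text = f"{subject}\n{body}".lower()
    phones = PHONE_RE.findall(body)
    billing_hits = [w for w in BILLING_WORDS if w in text]
    no_payload = not URL_RE.search(body) and not has_attachment

    reasons = []
    if phones:
        reasons.append(f"phone number present ({len(phones)})")
    if len(billing_hits) >= 2:
        reasons.append("billing/refund pretext: " + ", ".join(billing_hits))
    if no_payload:
        reasons.append("no links or attachments for a scanner to inspect")

    # A lone phone number or a single billing word is normal business mail;
    # the TOAD pattern is all three together.
    suspicious = bool(phones) and len(billing_hits) >= 2 and no_payload
    return Verdict(suspicious, reasons)


# Constructed sample messages (not real campaign text).
TOAD_LURE = (
    "Your Premium subscription has been renewed and your card was charged $399.99. "
    "To cancel or request a refund, call our billing desk at (800) 555-0143 within 24 hours."
)
NORMAL_RECEIPT = (
    "Thanks for your order. View your receipt at https://shop.example.com/orders/123. "
    "Questions? Reply to this email."
)

if __name__ == "__main__":
    for subj, body in (("Invoice #48213", TOAD_LURE), ("Your receipt", NORMAL_RECEIPT)):
        v = score_toad_lure(subj, body)
        print(subj, "->", "SUSPICIOUS" if v.suspicious else "ok", v.reasons)
```

In a real mail gateway this would feed a quarantine or a warning banner rather than a hard block, since legitimate invoices also carry phone numbers.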

Five Things You Can Do Right Now 

1. Treat unexpected invoices as guilty until proven innocent. Don't call the number in the email. Find the company's official contact info on their actual website. Be careful with Google and Bing ads that can pretend to be the official website. 

2. No legitimate business will ever ask you to download software to get a refund. If someone on the phone asks you to install anything, hang up. 

3. Urgency is a manipulation tactic. Legitimate customer service doesn't pressure you. Slow down; when you do, you’ll find that the scam often falls apart. 

4. Verify callers through channels you control. If someone claims to be from your bank, hang up and call the number on the back of your card. Caller ID can be spoofed. 

5. Report it, don't just delete it. If a suspicious email lands in your inbox, use your organization's "Report a Phish" button to flag it for your IT or security team. Every report helps your defenders spot patterns, block future attacks, and protect your colleagues.  

The Best Defense

The only limit on cybercriminals in today’s world is their imagination. They’ll try to manipulate you by e-mail, text, social media, and by phone. With AI, they can do this better and faster than ever before.  

Despite all the advanced cybersecurity technology trying to stop them, criminals continue to find ways to get their attacks delivered to their targets.  

People continue to be an organization’s strongest line of defence against highly targeted advanced manipulation.  

Stay educated, stay motivated, and stay safe! 
