- Initial contact: The victim receives an email from what appears to be a reputable company, like Amazon or PayPal.
- Fake invoice: The email contains a fake invoice for a large purchase, prompting the recipient to call a customer service number.
- Deception: A scammer, posing as a customer service agent, convinces the victim to download malware disguised as a support tool, granting the scammer access to the victim’s computer and personal information.
- Participate in security awareness training that includes vishing simulations to help employees recognize and respond to TOAD attacks.
- Avoid clicking links, responding to, or otherwise acting on unsolicited text messages or emails.
- Use strong, unique passwords and enable multi-factor authentication (MFA), choosing authentication apps or hardware tokens over SMS text-based codes.
- Keep systems up to date and apply patches after appropriate testing.
- Reduce your digital footprint to decrease the likelihood of becoming a target for cybercriminals.
- Implement email filtering solutions, such as spam filters, to help block such messages before they reach users.
- The NJCCIC products New Jersey Email Authorization & Authentication Set Up and Sender Policy Framework - SPF Guide provide guidance on establishing DMARC authentication.
- Utilize a combination of ML algorithms and advanced threat detection as a preemptive email security solution to identify and stop these threats.
- Employ technology solutions, such as bot and spoofing detection and voice biometric authentication technologies, to help verify callers' identities and block fraudulent numbers. Further details can be found in the Proofpoint blog post.
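As an added example (not code from the NJCCIC advisory or the Proofpoint post), a minimal Python scorer that applies the lure pattern from the first three bullets together with the DMARC and email-filtering recommendations to a single message: it flags a claimed brand whose sender domain does not match, an invoice theme with a large amount, a callback phone number in the body, and a DMARC failure recorded by the receiving mail server. The brand-to-domain map, the threshold and the sample messages are assumptions constructed for this demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands the lure impersonates (Amazon and PayPal are named above). The domain
# mapping is an assumption for this demo, not an authoritative allow-list.
BRAND_DOMAINS = {"amazon": ["amazon.com"], "paypal": ["paypal.com"]}
INVOICE_RE = re.compile(r"\b(invoice|receipt|charged|purchase|renewal)\b", re.I)
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
MONEY_RE = re.compile(r"\$\s?(\d[\d,]*(?:\.\d{2})?)")


def _owned_by_brand(domain: str, brand: str) -> bool:
    """True if the sender domain is the brand's domain or a subdomain of it."""
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand])


def toad_indicators(raw: str) -> dict:
    """Score one RFC 822 message for the TOAD lure pattern described above."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{subject}\n{body}"
    claimed = next((b for b in BRAND_DOMAINS if b in f"{display} {subject}".lower()), None)
    amounts = [float(m.group(1).replace(",", "")) for m in MONEY_RE.finditer(text)]
    flags = {
        # Brand claimed in display name or subject, but the sender domain is not the brand's.
        "brand_mismatch": claimed is not None and not _owned_by_brand(sender_domain, claimed),
        # Invoice/purchase pretext for a large amount: the part that creates urgency.
        "invoice_theme": bool(INVOICE_RE.search(text)),
        "large_amount": any(a >= 100 for a in amounts),
        # A phone number in the body is the hook: the recipient is told to call, not click.
        "callback_number": bool(PHONE_RE.search(body)),
        # DMARC verdict stamped by the receiving MTA (see the SPF/DMARC item above).
        "dmarc_fail": "dmarc=fail" in msg.get("Authentication-Results", "").lower(),
    }
    flags["score"] = sum(flags.values())
    return flags


def is_toad_lure(raw: str, threshold: int = 3) -> bool:
    return toad_indicators(raw)["score"] >= threshold


# Constructed sample messages (fictional domains and a 555 number, not real indicators).
LURE = """From: "Amazon Billing" <billing@orders-notice.example.net>
Subject: Invoice #48213 for your recent purchase
Authentication-Results: mx.example.org; spf=fail; dmarc=fail header.from=orders-notice.example.net

You were charged $1,299.00 for a laptop. If you did not authorize this
purchase, call customer service at 1-888-555-0142 within 24 hours.
"""
BENIGN = """From: "Amazon" <shipment-update@amazon.com>
Subject: Your order has shipped
Authentication-Results: mx.example.org; spf=pass; dmarc=pass header.from=amazon.com

Your package is on the way. Track it from the Your Orders page.
"""
```

Feed it the raw message as stored by the mail server; on the constructed lure every indicator fires (score 5) while the benign shipping notice scores 0.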
