Vishing Callback / TOAD Attack
A two-stage attack combining a phishing email with a fraudulent phone number, prompting the victim to call the attacker rather than the attacker calling them.
Also known as: TOAD attack, callback phishing, telephone-oriented attack delivery, call-back scam
Last reviewed: 1 June 2026
Telephone-Oriented Attack Delivery (TOAD) — also called callback phishing or vishing callback — inverts the traditional cold-call scam. Instead of calling victims unsolicited (which raises suspicion), attackers send phishing emails containing a phone number and an alarming but plausible premise — an unexpected subscription renewal, a suspicious transaction alert, or an expiring software licence. The victim, believing they are calling a legitimate support line, dials the number themselves.
Because the victim initiated the call, they are in a more trusting state of mind. A trained social engineer on the other end then guides them through 'troubleshooting steps' that actually install remote-access software, authorise fraudulent payments, or extract credentials and one-time codes.
TOAD attacks are especially effective against corporate targets: they bypass email security filters (the email contains no malicious link or attachment, only text), avoid caller-ID suspicion (the victim dialled out), and let the attacker control pacing. Defences include training employees to look up contact numbers independently and never call numbers listed in unsolicited emails.
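Because a TOAD lure carries no link or attachment, link- and attachment-based mail filters have nothing to score; a text-only triage heuristic can still flag the combination the page describes (a phone number, an instruction to call it, a billing or transaction premise, and urgency wording). The following is an added example, not part of the original page: the sample messages and phone numbers are constructed placeholders, and the term lists and threshold are assumptions to tune against real traffic.

```python
import re

# Constructed sample messages (not real phishing samples): subject and body
# flattened to text, plus the attachment fact an upstream parser would supply.
SAMPLE_EMAILS = [
    {"id": "msg-1", "has_attachment": False,
     "text": "Invoice: your antivirus subscription has auto-renewed for £299. "
             "To dispute the charge call 0800 000 0000 within 24 hours."},
    {"id": "msg-2", "has_attachment": False,
     "text": "Suspicious transaction of £4,850 detected on your account. "
             "Call our fraud team now on +44 20 0000 0000 to block it."},
    {"id": "msg-3", "has_attachment": True,
     "text": "Hi, the Q3 figures are attached. Ring me on 020 0000 0000 if anything looks off."},
    {"id": "msg-4", "has_attachment": False,
     "text": "Reset your password here: https://portal.example/reset"},
]

PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d(?!\w)")   # loose, international-ish
URL_RE = re.compile(r"https?://|www\.", re.I)
PREMISE_TERMS = ("renewed", "subscription", "charge", "transaction", "licence",
                 "license", "expires", "invoice", "refund")        # assumed lure premises
URGENCY_TERMS = ("within 24 hours", "immediately", "now", "urgent", "dispute", "block")
CALL_TERMS = ("call", "dial", "phone", "ring", "helpline", "support line")

def _has_any(text, terms):
    """Whole-word match so 'now' does not fire on 'known'."""
    return any(re.search(r"\b" + re.escape(w) + r"\b", text) for w in terms)

def score_toad(text, has_attachment=False):
    """Return (score, reasons); higher means more TOAD-like. Heuristic triage, not proof."""
    phones = PHONE_RE.findall(text)
    if not phones:
        return 0, []   # no callback number, so not a TOAD lure as defined above
    t, score, reasons = text.lower(), 1, [f"phone number present: {phones[0].strip()}"]
    for terms, why in ((CALL_TERMS, "instructs recipient to call"),
                       (PREMISE_TERMS, "billing/transaction premise"),
                       (URGENCY_TERMS, "urgency language")):
        if _has_any(t, terms):
            score, reasons = score + 1, reasons + [why]
    # Inverted from a classic phish score: the *absence* of any link or attachment,
    # with the phone number as the only call to action, is itself the TOAD signal.
    if not URL_RE.search(text) and not has_attachment:
        score, reasons = score + 1, reasons + ["no link or attachment; phone is the only action"]
    return score, reasons

def flag_toad_candidates(emails, threshold=4):
    return [e["id"] for e in emails
            if score_toad(e["text"], e["has_attachment"])[0] >= threshold]
```

Route flagged messages to human review rather than blocking outright; legitimate vendor invoices with a phone number will also score, so the reasons list is there to speed up the analyst's decision.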
Examples
- An employee receives an email saying their antivirus subscription has auto-renewed for £299 — they call the number in the email and are talked into installing remote-access software.
- A finance team member gets a 'suspicious transaction' notice from a fake bank, calls the number, and is led to authorise a large transfer.