Apr 2025: TOAD & SCHWAB ASSET TRANSFER LURE

TOAD and Schwab Transfer Phish

Threat Alert: TOAD & SCHWAB ASSET TRANSFER LURE

  • Telephone-Oriented Attack Delivery (TOAD) uses a social engineering message to lure the target into calling a specific number.
  • The target unknowingly engages with the threat actor, who tricks them into downloading remote access software.
  • Threat actors use social engineering tactics, like fake invoices and receipts, to scam people into believing they made purchases.

How is it used in the wild?

  • Targets receive an email claiming to be from Charles Schwab (a financial services company) with a subject line pertaining to an asset transfer.
    • NOTE: The threat actor uses various commercial email addresses, likely in an attempt to bypass email-based detections.
  • Subject lines include:
    • Asset Transfer Notification
    • We’re confirming your recent asset transfer request. Please review the details below
  • The notification provides a phone number for disputing the asset transfer request.
  • If targets call the number, they connect with a threat actor who can use remote monitoring and management (RMM) tools for initial access to the network.
  • The asset transfer notification diverges from standard TOAD lures, which focus on subscriptions or consumer goods.
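
The traits listed above can be combined into a simple mail-triage heuristic. The following is an added example, not part of the original alert: the webmail domain list, the use of schwab.com as the genuine sender domain, the phone-number pattern and the sample message are all assumptions or constructed values.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions: consumer webmail domains stand in for the alert's "commercial
# email addresses"; schwab.com is treated as the genuine sender domain.
WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "aol.com"}
BRAND_DOMAIN = "schwab.com"
BRAND = re.compile(r"\bschwab\b", re.I)
SUBJECT = re.compile(r"asset transfer", re.I)
# North American phone formats such as +1 (800) 555-0142 or 800-555-0142.
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")

# Constructed sample message (fictional address and phone number).
LURE = """From: Charles Schwab <transfers.notice@gmail.com>
Subject: Asset Transfer Notification

We're confirming your recent asset transfer request.
To dispute this transfer, call +1 (800) 555-0142.
"""

def body_text(msg):
    """Decode and join every text/plain part of the message."""
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_type() == "text/plain")

def toad_indicators(raw):
    """List which traits of the lure described in the alert a raw email shows."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    subject, body = msg.get("Subject", ""), body_text(msg)
    on_brand = domain == BRAND_DOMAIN or domain.endswith("." + BRAND_DOMAIN)
    checks = {
        "brand_mismatch": bool(BRAND.search(f"{display} {subject} {body}")) and not on_brand,
        "webmail_sender": domain in WEBMAIL,
        "asset_transfer_subject": bool(SUBJECT.search(subject)),
        "callback_number": bool(PHONE.search(body)),
    }
    return [name for name, hit in checks.items() if hit]

def is_suspected_toad(raw):
    """Flag a brand mismatch combined with at least two other traits."""
    hits = toad_indicators(raw)
    return "brand_mismatch" in hits and len(hits) >= 3

if __name__ == "__main__":
    print(toad_indicators(LURE), is_suspected_toad(LURE))
```

Requiring the brand mismatch plus two further traits keeps ordinary webmail messages that merely contain a phone number from being flagged.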

Key Action: Stay Alert!

  • Keep in mind that cybercriminals regularly abuse legitimate services like Schwab to gain credibility.
  • Confirm phone numbers provided in emails before calling. Do not use the number given in the email; look it up on the company’s website instead.
  • Check emails carefully, paying attention to the sender, subject, and attachments. Be wary of unknown addresses and urgent messages.
  • Log into your investment accounts independently to verify any unexpected notifications or transfer requests.
  • Report ANY suspicious emails via Phish Alarm.