Apr 2025: TOAD & SCHWAB ASSET TRANSFER LURE
Threat Alert: TOAD & SCHWAB ASSET TRANSFER LURE
- Telephone-Oriented Attack Delivery (TOAD) uses a social engineering message to lure the target into calling a specific number.
- The target unknowingly engages with the threat actor, who tricks them into downloading remote access software.
- Threat actors use social engineering tactics, like fake invoices and receipts, to scam people into believing they made purchases.
How is it used in the wild?
- Targets receive an email claiming to be from Charles Schwab (a financial service company) with a subject line pertaining to an asset transfer.
  - NOTE: The threat actor uses various commercial email addresses, likely in an attempt to bypass email-based detections.
- Subject lines include:
  - Asset Transfer Notification
  - We’re confirming your recent asset transfer request. Please review the details below
- The notification provides a phone number for disputing the asset transfer request.
- If targets call the number, they connect with a threat actor who can use remote monitoring and management (RMM) tools for initial access to the network.
- The asset transfer notification diverges from standard TOAD lures, which focus on subscriptions or consumer goods.
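For mail-security teams, the traits listed above (asset transfer subject, Schwab branding from a commercial mailbox, a callback number in the body) can be combined into one gateway heuristic. This is an added example, not part of the original alert; the webmail domain list, the regular expressions, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed list of consumer webmail domains; tune to your own mail flow.
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
BRAND = re.compile(r"\bschwab\b", re.I)
SUBJECT = re.compile(r"asset\s+transfer", re.I)
# North American formats, e.g. (800) 555-0142 or +1 800.555.0142
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

def signals(raw):
    """Return the names of the lure traits found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = "\n".join(
        (p.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for p in msg.walk() if p.get_content_type() == "text/plain")
    found = []
    if SUBJECT.search(msg.get("Subject", "")):
        found.append("asset_transfer_subject")
    if domain in FREEMAIL and (BRAND.search(display) or BRAND.search(body)):
        found.append("brand_on_freemail")
    if PHONE.search(body):
        found.append("callback_number")
    return found

def is_toad_lure(raw):
    # Require all three traits together to keep false positives low.
    return len(signals(raw)) == 3
# Constructed sample messages (555-01xx numbers are fictional).
LURE = """\
From: Charles Schwab <transfer.desk.example@gmail.com>
Subject: Asset Transfer Notification

We're confirming your recent asset transfer request. Please review the details below.
To dispute this transfer call (800) 555-0142.
"""
BENIGN = """\
From: Schwab Alerts <alerts@schwab.com>
Subject: Your statement is ready

Your statement for the account ending 1234 is available. Log in to view it.
"""
if __name__ == "__main__":
    for name, raw in (("LURE", LURE), ("BENIGN", BENIGN)):
        print(name, signals(raw), is_toad_lure(raw))
```

Messages that match only one or two traits are better routed to review than blocked, since a callback number alone is common in legitimate mail.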
Key Action: Stay Alert!
- Keep in mind that cybercriminals regularly abuse legitimate services like Schwab to gain credibility.
- Confirm phone numbers provided in emails before calling. Avoid using phone numbers from emails; verify them on the company’s website instead.
- Check emails carefully, paying attention to the sender, subject, and attachments. Be wary of unknown addresses and urgent messages.
- Log into your investment accounts independently to verify any unexpected notifications or transfer requests.
- Report ANY suspicious emails via Phish Alarm.