Employees who call the fraudulent numbers are connected to trained social engineers who impersonate billing or tech support agents, with the goal of obtaining payment card numbers, bank account credentials, or remote access to corporate devices. A single successful call can result in direct financial loss or unauthorized access to internal systems if the victim is an employee with privileged access. Organizations in industries with high volumes of employees using personal accounts for software subscriptions (McAfee, Norton) or consumer financial services (PayPal) face elevated exposure because the lures are personally plausible, not obviously work-targeted.
You Are Affected If
Your employees receive external email and are not restricted from calling phone numbers embedded in inbound messages
Your email security platform does not extract and reputation-score phone numbers from email body content or PDF attachments
Your organization has employees who use PayPal, Geek Squad/Best Buy, McAfee, or Norton LifeLock accounts (personal or business)
Your CPaaS or telephony environment uses Sinch, Twilio, Bandwidth, Virtue, RingCentral, Verizon, or NUSO — meaning your outbound calls to fraudulent numbers may traverse the same providers used to provision scam infrastructure
You have not added TOAD-specific lure patterns (billing alert + embedded phone number + known brand impersonation) to your email filtering ruleset
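The phone-number extraction and lure correlation described in the two items above (and recommended again under Board Talking Points) can be prototyped as a mail-filter rule. The Python below is an added example written for this page; it is not part of the advisory and not any vendor's product code. The brand alias table, the billing vocabulary, the NANP number pattern, the verdict thresholds and the three sample messages are all constructed assumptions, and any PDF attachment is assumed to have been converted to text upstream and passed in as part of the body.

```python
import re
from collections import defaultdict

# Brands the advisory names as impersonated, mapped to one canonical family so
# that "Norton" and "LifeLock" in a single message count as one brand, not two.
BRAND_ALIASES = {
    "paypal": "PayPal",
    "geek squad": "Best Buy", "best buy": "Best Buy",
    "mcafee": "McAfee",
    "norton": "Norton", "lifelock": "Norton",
}

# Vocabulary of a billing/renewal alert (assumed list, not from the advisory).
BILLING_TERMS = ("invoice", "renewal", "renewed", "subscription", "charged",
                 "payment", "receipt", "auto-renew", "billing", "refund")

# NANP-style numbers: optional +1, parentheses, space/dot/dash separators,
# and contiguous 10- or 11-digit runs. Digit look-arounds stop partial matches
# inside longer digit strings such as order ids.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)"
)


def extract_phone_numbers(text):
    """Return the distinct callback numbers in text, normalized to +1NXXNXXXXXX."""
    seen = []
    for m in PHONE_RE.finditer(text):
        number = "+1" + "".join(m.groups())
        if number not in seen:
            seen.append(number)
    return seen


class ToadLureDetector:
    """Scores a message for the TOAD lure pattern (billing alert + embedded
    phone number + impersonated brand) and tracks which brands each callback
    number has been pitched under, so a number reused across lures is caught."""

    def __init__(self):
        self.number_brands = defaultdict(set)  # number -> brands seen with it

    def score(self, subject, body):
        text = f"{subject}\n{body}".lower()
        brands = sorted({fam for alias, fam in BRAND_ALIASES.items() if alias in text})
        billing = [t for t in BILLING_TERMS if t in text]
        numbers = extract_phone_numbers(f"{subject}\n{body}")

        indicators = []
        if numbers:
            indicators.append("embedded_phone_number")
        if brands:
            indicators.append("brand_impersonation")
        if billing:
            indicators.append("billing_lure")

        # Cross-lure correlation: the same callback number under two different
        # brand lures is a stronger signal than any single message on its own.
        reused = []
        for n in numbers:
            self.number_brands[n].update(brands)
            if len(self.number_brands[n]) >= 2:
                reused.append(n)
        if reused:
            indicators.append("number_reused_across_brands")

        core = {"embedded_phone_number", "brand_impersonation", "billing_lure"}
        if core <= set(indicators) or reused:
            verdict = "quarantine"
        elif len(indicators) >= 2:
            verdict = "review"   # partial pattern: hand to an analyst
        else:
            verdict = "allow"
        return {"verdict": verdict, "numbers": numbers, "brands": brands,
                "indicators": indicators}


# Constructed sample messages; the 555 numbers are fictional test numbers.
SAMPLE_MESSAGES = [
    ("Your PayPal invoice #48213 has been paid",
     "A payment of $499.99 was charged to your account. If you did not "
     "authorize this, call +1 (888) 555-0142 within 24 hours."),
    ("Norton LifeLock subscription renewed",
     "Your annual subscription was auto-renewed for $349.00. To cancel and "
     "request a refund call 1-888-555-0142."),
    ("Q3 roadmap sync",
     "Dial-in for Thursday: 212-555-0199. Agenda attached."),
]


def scan_samples():
    """Run the three samples through one detector instance, in order."""
    detector = ToadLureDetector()
    return [detector.score(subject, body) for subject, body in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for (subject, _), result in zip(SAMPLE_MESSAGES, scan_samples()):
        print(f"{result['verdict']:10} {subject!r} {result['indicators']}")
```

The first sample is quarantined on the full triple alone; the second is quarantined both on the triple and because its callback number was already recorded under the PayPal lure; the third carries a phone number in a meeting invite with no brand or billing language and is allowed. In a real deployment the `number_brands` state would be persisted across the filtering fleet and combined with the telephony reputation feed the item above asks for, rather than living in one process.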
Board Talking Points
Criminal call centers are sending fake billing alerts impersonating PayPal, Best Buy, McAfee, and Norton to trick employees into calling fraudulent phone numbers — and standard email security tools cannot catch this because the threat is a phone number, not a malicious link.
Security teams should immediately add phone-number extraction and cross-lure correlation to email filtering rules, and run targeted awareness training for all staff within 30 days.
Without action, a single employee call to one of these numbers could result in direct financial fraud or unauthorized access to internal systems through social engineering.
PCI-DSS — the attack is specifically designed to capture payment card numbers through fraudulent billing-alert callbacks impersonating PayPal and subscription services; any employee with access to cardholder data environments who is successfully social-engineered represents a direct PCI scope concern
GLBA — organizations in financial services whose employees are targeted and successfully social-engineered may face customer financial data exposure through account credential theft