The Silent Ring: How ‘Call This Number’ Scams Slip Past Email Defenses
Subtitle: A new breed of phishing emails using nothing but phone numbers is outsmarting enterprise security systems.
Imagine opening your inbox to find a seemingly routine billing notification from a trusted brand - PayPal, DocuSign, or your bank. There are no suspicious links, no shady attachments. Instead, there’s just a phone number and an urgent message: call now to resolve an issue. This simple, almost innocent, tactic is at the core of a surging cyberattack trend that’s quietly bypassing even the most sophisticated corporate email gateways.
Phishing’s New Disguise: Why Phone Numbers Work
The art of phishing has always been about tricking people into dangerous clicks or downloads. But the latest twist - known as TOAD (Telephone-Oriented Attack Delivery) - relies on one of the oldest technologies in the book: the phone call. Attackers send emails that only contain a phone number, often under the guise of a billing problem or urgent account issue. When a victim calls, a scammer on the other end guides them into revealing sensitive information, granting remote device access, or even buying gift cards.
What makes TOAD so effective? It’s all about simplicity and stealth. Email security gateways, designed to spot malicious links or attachments, see nothing suspicious in a plain phone number. Blocking every email with a phone number and financial language would cause chaos for businesses that rely on legitimate billing notifications. This blind spot means TOAD emails slip through undetected, especially when attackers combine multiple evasion tricks - like sending messages via Google Calendar or hiding QR codes in PDFs.
Adaptive Attacks, Invisible Threats
Analysis from StrongestLayer, a leading email security provider, reveals that the most sophisticated phishing campaigns now mix and match techniques to bypass different detection systems. For example, an attacker might use Google SharePoint to evade reputation filters, hide a QR code in an attachment, and then prompt the target to call a number - moving the conversation out of the email channel entirely. In their recent study, a third of these attacks were “structurally invisible” - leaving almost no detectable trace for traditional defenses.
This is a nightmare scenario for organizations like law firms, which process thousands of legitimate DocuSign emails daily. Blocking all messages with billing language or phone numbers isn’t realistic. Meanwhile, the cost for attackers to create convincing, targeted phishing emails has dropped dramatically, thanks to generative AI tools that automate the process.
Defending Against the Silent Ring
So how can organizations fight back? Experts recommend advanced AI-powered detection models that look for subtle patterns and anomalies in email content. On the human side, training employees is essential - making it clear that legitimate invoices or payments will never require a random phone call, and that QR codes in emails should always be treated with suspicion. Ultimately, awareness and smarter technology must work together to close the gap before attackers ring in their next victim.
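The detection side of this can be sketched as a triage rule rather than a blocklist. The following is an added example, not code from the article or from StrongestLayer: it scores a message on the combination the article describes (a phone number, billing and urgency language, an explicit "call this number" instruction, no links at all, and a brand name that does not match the sending domain) and routes high scores to analyst review instead of blocking, since the article notes that blocking every phone-plus-billing email is not realistic. The message schema and the brand-to-domain mapping are assumptions; the sample messages are constructed.

```python
import re
from dataclasses import dataclass

# Heuristic TOAD triage (added example; not the article's or any vendor's code).
# Assumed message schema: {"from": ..., "subject": ..., "body": ...}.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
BILLING = ("invoice", "billing", "charged", "payment", "subscription", "renewal")
URGENCY = ("urgent", "immediately", "24 hours", "cancel", "suspended", "unauthorized")
# Brands named in the article; the domains are placeholders to replace with your own verified sender list.
BRAND_DOMAINS = {"paypal": "paypal.com", "docusign": "docusign.com"}
REVIEW_THRESHOLD = 5  # at or above this, route to human review rather than block

@dataclass
class Verdict:
    action: str      # "allow" or "review"
    score: int
    reasons: list

def sender_domain(from_header: str) -> str:
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""

def score_toad(msg: dict) -> Verdict:
    text = f"{msg['subject']}\n{msg['body']}".lower()
    score, reasons = 0, []
    if not PHONE_RE.search(text):
        return Verdict("allow", 0, ["no phone number"])
    if not URL_RE.search(text):  # the phone call is the only way to act on the message
        score += 2; reasons.append("no links: phone number is the only call to action")
    if any(t in text for t in BILLING):
        score += 1; reasons.append("billing language")
    if any(t in text for t in URGENCY):
        score += 1; reasons.append("urgency language")
    if re.search(r"\bcall\b[^\d]{0,40}" + PHONE_RE.pattern, text):  # "call ... <number>"
        score += 2; reasons.append("explicit instruction to call the number")
    dom = sender_domain(msg["from"])
    for brand, real in BRAND_DOMAINS.items():
        if brand in text and dom != real and not dom.endswith("." + real):
            score += 2; reasons.append(f"mentions {brand} but sent from {dom or 'unknown'}")
            break
    return Verdict("review" if score >= REVIEW_THRESHOLD else "allow", score, reasons)

# Constructed samples: one TOAD-style lure, one legitimate invoice that also carries a phone number.
TOAD_MSG = {"from": "PayPal Billing <billing@alerts-mail.example>",
            "subject": "Your PayPal subscription has been charged $499.99",
            "body": "If you did not authorize this payment, call our support team immediately at 1-800-555-0199 within 24 hours to cancel."}
LEGIT_MSG = {"from": "Accounts <billing@vendor.example>", "subject": "Invoice #1042",
             "body": "Your invoice is attached. Pay online at https://pay.vendor.example or call (415) 555-0100 with questions."}
```

The lure scores 8 and is routed to review; the legitimate invoice, which has a link and no urgency or brand mismatch, scores 3 and is allowed, which is the distinction a gateway needs to make without blocking every billing email that mentions a phone number.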
WIKICROOK
- TOAD: TOAD (Telephone-Oriented Attack Delivery) is a phishing technique where attackers use phone numbers to trick victims into sharing sensitive information.
- Email Gateway: An email gateway filters and scans emails for threats like spam and malware, protecting organizations by blocking harmful messages before they reach users.
- QR Code: A QR Code is a two-dimensional barcode that stores data like links or text, easily scanned by devices but can also hide malicious instructions.
- APT: An advanced persistent threat (APT) is a targeted, stealthy cyberattack by organized groups seeking long-term access to sensitive networks and data.
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
Reflection: As cybercriminals exploit the gaps left by legacy email defenses, the humble phone number is proving to be an unexpected weapon. The battle against phishing is no longer just about spotting suspicious links - it’s about questioning every detail, no matter how ordinary it seems.