Threats Without Borders - Issue 242
Cybercrime Investigation Newsletter, week ending July 6, 2025
Over the past few years, email providers and web browser companies have become better at recognizing and blocking suspicious links. We have also made strides on the human side of cybersecurity by educating users about social engineering techniques used by cyber attackers.
This forced the bad guys to adapt, as they always do, to create alternative methods to make a connection with future victims.
One of these methods is TOAD - Telephone Oriented Attack Delivery. Many of us refer to this as “Call Back Phishing.” The attack begins with an email and concludes with the victim calling the attacker. The advantage of this attack is that it relies solely on social engineering and doesn’t involve any links or attachments that could be flagged as malicious and blocked by security software.
This is an example that I recently received.
The email contains no links or attachments. It exploits my fear of being grossly overcharged for a product I don’t want and increases the pressure by creating a sense of urgency, claiming I only have “24 hours” to cancel the transaction. And how do I cancel and get my refund? Call the “toll-free” phone number, of course.
The phone will undoubtedly be answered by an overly eager customer service agent who desperately wants to help me correct this outrageous mistake made by his company. Of course, they need access to my bank account to apply a direct credit or to “confirm” my credit card information to reverse the charge.
There are plenty of red flags.
Why would Norton send invoices from a private Google Gmail account?
Who is Jeremy X. Kay?
Who is Aaron Valerie?
Impersonal greeting
When was the last time you saw a legitimate company lead with a phone number? They do everything possible to prevent phone calls.
Why would they introduce language indicating this could be fraudulent?
A three-year plan?
A quick search shows that Norton/Lifelock is a $7.50 per month subscription. That would be $270 for 36 months. This increases the tension because not only was I charged for a product I didn’t want, but I was also grossly overcharged for it.
A window of only 24 hours creates a sense of urgency. What company only allows a refund for 24 hours?
This week, I received my first TOAD message delivered by text message.
The red flags are all there. First and foremost, why is Apple sending a text message from an email account? Even more, why is Apple sending notifications from a Hotmail email account?
Outrageous charge, sense of urgency, and an invitation to call. This one also contains spelling and grammar errors.
One clever touch is the inclusion of the actual URL for Apple billing. So what happens if you go there? It’s just a web page and doesn’t provide any information about this specific charge. It adds a sense of authenticity but doesn’t help you find out more, which nudges you toward the quickest route: calling the phone number provided.
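The red flags above can be turned into a first-pass triage rule. The following is an added example, not code from the newsletter: a Python scorer that checks a message for the TOAD markers discussed in both the email and the text-message variant, namely a phone number as the only actionable contact (no link, or only a generic brand homepage), a brand name that does not match the sending domain, a free webmail sender, a large dollar amount, a 24-hour deadline, an impersonal greeting, and pre-emptive "if you did not authorize" language. The weights, brand list, and sample messages are constructed assumptions.

```python
import re
# Heuristic triage for callback-phishing (TOAD) messages, built from the red
# flags discussed above. Weights, brand list and samples are assumptions.
FREEMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
BRANDS = {"norton": {"norton.com", "lifelock.com"}, "apple": {"apple.com"}}
WEIGHTS = {"phone_only_action": 3, "brand_sender_mismatch": 3, "freemail_sender": 2,
           "urgency": 2, "large_charge": 1, "generic_greeting": 1, "fraud_language": 1}
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"(?:https?://|www\.)[^\s/]+", re.I)  # scheme + host only
MONEY_RE = re.compile(r"\$\s?(\d[\d,]*(?:\.\d{2})?)")
PATTERNS = {
    "urgency": re.compile(r"\b(?:24|48)[\s-]*hours?\b", re.I),
    "generic_greeting": re.compile(r"^\s*(?:dear|hello|hi)\s+(?:customer|user|valued)", re.I | re.M),
    "fraud_language": re.compile(r"(?:did not|didn't|wasn't|not)\s+(?:you|authori[sz]e|recogni[sz]e)", re.I),
}

def _is_brand_site(url):
    # A link that only points at a brand's own homepage is decorative, not actionable.
    host = url.split("://")[-1].lower()
    return any(host == d or host.endswith("." + d) for ds in BRANDS.values() for d in ds)

def toad_score(sender, body):
    """Return (score, triggered flags) for one message; higher = more TOAD-like."""
    flags, text = [], body.lower()
    phones, urls = PHONE_RE.findall(body), URL_RE.findall(body)
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    # Phone is the only real call to action: no link (email) or a generic brand link (SMS).
    if phones and all(_is_brand_site(u) for u in urls):
        flags.append("phone_only_action")
    for brand, domains in BRANDS.items():
        if brand in text and sender_domain not in domains:
            flags.append("brand_sender_mismatch")
            if sender_domain in FREEMAIL:
                flags.append("freemail_sender")
            break
    if any(float(a.replace(",", "")) >= 100 for a in MONEY_RE.findall(body)):
        flags.append("large_charge")
    flags += [name for name, rx in PATTERNS.items() if rx.search(body)]
    return sum(WEIGHTS[f] for f in flags), flags
# Constructed samples modelled on the two messages described above (not real).
EMAIL = ("invoice.desk.example@gmail.com", "Dear Customer,\nYour Norton LifeLock "
         "3-year plan renewed and $349.99 was charged. If you did not authorize this, "
         "you have 24 hours to cancel. Call toll-free 1-800-555-0199 for a refund.")
SMS = ("apple.alerts.example@hotmail.com", "Apple: $899.00 was charged to your Apple ID. "
       "If this was not you, call 1 (888) 555-0123 within 24 hours. https://www.apple.com")
LEGIT = ("orders@example-store.test", "Hi Matt, your order 1234 shipped. Track it at "
         "https://example-store.test/track/1234 or reply to this email.")
if __name__ == "__main__":
    for label, (sender, body) in (("email", EMAIL), ("sms", SMS), ("legit", LEGIT)):
        print(label, *toad_score(sender, body))
```

A real mail filter would feed the score into an existing spam scoring pipeline rather than block on it alone, since every individual marker here also occurs in legitimate receipts.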
The News…
Kudos to the Texas legislature for recognizing the problem of financial crime and taking action, not just talking about it. The state quadrupled funding for the Texas Financial Crimes Intelligence Center and increased staffing from 15 to 41. Even more impressive, they actually have an organization dedicated to fighting financial crime. Meanwhile, in Pennsylvania, we’re still trying to count ballots from elections that no longer matter, and funding roads that will break apart in two years. https://www.yahoo.com/news/texas-financial-crimes-intelligence-center-031719561.html
I always get uncomfortable looks when I talk about insider threats because it distresses people to consider being betrayed by a coworker or even a friend. An intern at the French bank Société Générale has been arrested for allegedly assisting SIM-swapping scammers in defrauding 50 clients, embezzling over one million Euros. The intern is accused of sharing sensitive information with accomplices, who used the victims' phone numbers to break into their accounts and steal money. https://www.bitdefender.com/en-us/blog/hotforsecurity/50-customers-of-french-bank-hit-after-insider-helped-sim-swap-scammers
And even more insider threat news… A Bank of America employee has been indicted in a significant U.S. healthcare fraud scheme involving a cross-border syndicate that attempted to steal $10.6 billion from Medicare, Medicaid, and other U.S. healthcare programs. The now-former employee has been accused of assisting in laundering some of the stolen funds and has been charged with money laundering and other crimes. Prosecutors state that he opened accounts for six medical supply companies controlled by the syndicate and had connections to the syndicate's leaders. The scheme involved using false invoices for medical supplies and moving funds through various countries and cryptocurrencies. https://www.moneylaundering.com/news/exclusive-unsealed-records-name-banker-in-massive-us-health-care-fraud/
The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned Aeza Group LLC, a Russia-based bulletproof hosting provider, for enabling cybercriminals to conduct ransomware attacks and other malicious cyber activities. Curiously, the organization was using TRON cryptocurrency. https://www.chainalysis.com/blog/ofac-sanctions-aeza-group-bulletproof-hosting-crypto-payments-july-2025/
Proton challenges data brokers, claiming that 5,000 companies operate worldwide in this $270 billion market. https://proton.me/blog/data-brokers-ai
Ex-NFL player scammed out of 2.5 million dollars by a bogus “wealth management” firm. https://www.cbssports.com/nfl/news/ex-dolphins-db-reshad-jones-scammed-out-of-2-58-million-in-grand-theft-money-laundering-scheme-per-report/
Silent Push discovers a massive phishing campaign with thousands of domains spoofing various payment and retail brands, including (but not limited to) PayPal, Apple, Wayfair, Lane Bryant, Brooks Brothers, Taylor Made, Hermes, REI, Duluth Trading, Omaha Steaks, Michael Kors, and many, many more, peddling everything from luxury watches to garage doors. https://www.silentpush.com/blog/fake-marketplace/
ICE is facilitating money laundering. No, not that ICE. Instant Cryptocurrency Exchanges. https://blocksecteam.medium.com/what-are-instant-crypto-exchanges-and-why-have-they-become-the-hotspot-for-money-laundering-b921a42c4aa8
Feedback: matt@threatswithoutborders[dot]com
DFIR
I fell down the Windows incident response rabbit hole this weekend and found this post from Chad Tilbury. It's from 2023, but it’s a really good article on WMI. Windows Management Instrumentation (WMI) is a core management framework built into Microsoft Windows operating systems, allowing administrators, developers, and software (and attackers) to access, monitor, and manage system resources and configurations, both locally and remotely. Its value to the bad guys is obvious. https://www.sans.org/blog/finding-evil-wmi-event-consumers-with-disk-forensics/
Cool Job
VP of Fraud Reduction, Bank Policy Institute. https://paycomonline.net/v4/ats/web.php/jobs/ViewJobDetails?job=303121&clientkey=A15AEF4691E2E01F0016518C47919805
Cool Tool
One tool for all USB things https://usbdetective.com/
Next time you've got an issue with a company, let this AI tool help craft your angry email. https://sincerelykaren.net/
Irrelevant
For those in Florida, let’s keep it under 100. https://mynews13.com/fl/orlando/news/2025/07/03/fhp-breaks-down-florida-s-new-super-speeder-law
Truth
Sign Off
I am deeply saddened by the loss of life in Texas and hope you keep those families in your thoughts and prayers.
I really appreciate that you all show up every week to read the newsletter. There is so much noise out there vying for a minute of your attention, and I never take it for granted that you give me five minutes of your time each week.
Matt
Published every Tuesday, Threats Without Borders offers original commentary and educational pieces related to cybercrime investigations and information security topics. We also summarize and comment on news articles concerning active threat intelligence for the financial industry. The newsletter is of interest to everyone tasked with cybersecurity or involved in preventing, investigating, or addressing technology-enabled fraud, theft, or money laundering.
Legal: I am not compensated by any entity for writing this newsletter. Obviously, anything written in this space is my own nonsensical opinions and doesn’t represent the official viewpoint of my employer or any associated organization. Blame me, not them.