{
	"id": "8d6a9f2a-b372-45be-b8ac-56cf036aa5a0",
	"created_at": "2026-04-06T01:32:23.470712Z",
	"updated_at": "2026-04-10T03:27:55.913749Z",
	"deleted_at": null,
	"sha1_hash": "4356d0eae86ee2c009804bd4a032ed2fac17538d",
	"title": "The 411 on Call Center Scams \u0026 Fraud | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4569663,
	"plain_text": "The 411 on Call Center Scams \u0026 Fraud | Proofpoint US\r\nBy Selena Larson, Sam Scholten and Timothy Kromphardt, November 04, 2021\r\nPublished: 2021-10-29 · Archived: 2026-04-06 00:39:04 UTC\r\nKey Takeaways\r\n- Proofpoint researchers observe tens of thousands of telephone-oriented cyberattacks daily.\r\n- There are two types of these threats regularly observed by Proofpoint. One features traditional call center\r\nfraud, such as fake tech support, to steal money. The second leverages call centers to distribute malware\r\nthat could be used for secondary compromises.\r\n- Proofpoint is aware of individual victims losing nearly $50,000 per attack. It is likely that number is\r\ngreater.\r\n- Malware distributed in some of the observed campaigns could lead to ransomware and pose a greater risk\r\nto business operations.\r\nOverview\r\nProofpoint researchers have observed an increase in attacks perpetrated by threat actors leveraging a robust\r\necosystem of call center-based email threats. The attacks rely on victims to call the attackers directly and initiate\r\nthe interaction. Email fraud supported by call center customer service agents is prolific and profitable. In many\r\ncases, victims lose tens of thousands of dollars stolen directly from their bank accounts.\r\nThere are two types of call center threat activity regularly observed by Proofpoint. One uses free, legitimate\r\nremote assistance software to steal money. The second leverages the use of malware disguised as a document to\r\ncompromise a computer and can lead to follow-on malware. The second attack type is frequently associated with\r\nBazaLoader malware and is often referred to as BazaCall. Both attack types are what Proofpoint\r\nconsiders telephone-oriented attack delivery (TOAD). 
\r\nTOAD | Fraud | BazaCall\r\nPhone-based | X | X\r\nInitial objective: financial gain | X | -\r\nInitial objective: malware installation | - | X\r\nUses commercially available remote access software | X | -\r\nLeads to follow-on activity | - | X\r\nIn recent attacks, threat actors email a victim claiming to be representatives from entities like Justin Bieber ticket\r\nsellers, computer security services, COVID-19 relief funds, or online retailers, promising refunds for mistaken\r\npurchases, software updates, or financial support. The emails contain a phone number for customer assistance.\r\nWhen the victims call the number for help, they are connected with a malicious call center attendant directly and\r\nthe attack begins.\r\nProofpoint detects and blocks tens of thousands of email threats related to TOAD every day. Our researchers\r\ntracked down the perpetrators to multiple areas of operations, and through email data, phone conversations, and\r\nmessage and infrastructure artifacts, can now provide an exclusive look at how the thriving call center threat\r\nbusiness profits on lies.\r\nCall Center Threats\r\nMost consumers are familiar with phone-based fraud and regularly receive unsolicited phone calls from people\r\npretending to be, for instance, tech support or the Department of Motor Vehicles. According to a 2021\r\nstudy conducted by Truecaller, nearly 60 million Americans have reportedly lost money due to phone fraud, losing\r\n$29.8 billion between 2020 and 2021. The recent spike in TOAD threats observed by Proofpoint is a subset of\r\nthese threats, combining old-fashioned phone fraud with unsolicited emails as an initial communication vector.\r\nThese types of attacks include elaborate infection chains requiring significant victim interaction to infiltrate a\r\nvictim’s computer or smartphone. 
The threat actor sends an email, typically with a receipt for a large purchase,\r\nmasquerading as a company or organization and instructs the recipient to call the number in the email to cancel or\r\ndispute their purchase. The email address is usually a Gmail, Yahoo, or other freemail account. If the user calls the\r\nphone number provided in the email, a customer service representative will verbally guide the user to visit a\r\nwebsite or mobile app store. They will guide them through different types of user interaction such as downloading\r\na malicious file, allowing the attacker to remotely access their machine, or downloading a malicious application for\r\nremote access.\r\nWhile the two distinct TOAD types begin the same – victim receives an email and is directed to call a customer\r\nservice representative – the attack paths diverge depending on the objective.\r\nFinancial extortion actors typically use invoice lures associated with companies like Amazon, PayPal, or security\r\nsoftware. Once a person calls the number listed in the email, the actor will direct the victim to install remote\r\naccess software such as AnyDesk, TeamViewer, Zoho, etc. and provide them access to interact with the machine\r\nunder the guise of customer service. Often, the victim is directed to log in to their bank account to get a refund, or\r\npurchase gift cards. Once the attacker is connected, they black out the screen to hide their activities. They might\r\nedit the HTML of the banking webpage to show a different amount or attempt to steal the money directly.\r\nFigure 1: Financially motivated attack path.\r\nIn malware-focused attacks like BazaCall, the invoice lures are often more elaborate, including themes such as\r\nJustin Bieber concerts, lingerie, and fake movie sites. 
The victim is directed to a malicious website where they are\r\ntold to download a document to facilitate a refund, but instead are infected with malware.\r\nFigure 2: BazaCall attack path.\r\nOnce the attackers have obtained access to the device, they can access banking, email, and other private accounts\r\nor download follow-on malware including ransomware. By leveraging attack chains that require a lot of human\r\ninteraction, threat actors can bypass some automated threat detection services that only flag on malicious links or\r\nattachments in email.\r\nPopular Call Center Lures\r\nThe lures and themes threat actors send to victims vary, from very low effort attempts to leveraging legitimate\r\nbranding and document downloads. Our researchers frequently engage with threat actors to better understand the\r\nattack paths and behaviors exhibited by these actors.\r\nPayPal Lure\r\nFor example, our researcher identified a financially motivated TOAD threat masquerading as a PayPal invoice\r\nfrom a U.S. weapons manufacturer.\r\nFigure 3: PayPal lure masquerading as the U.S. company Springfield Armory.\r\nOur researcher called the number in the invoice and connected with “David” pretending to be a PayPal\r\nrepresentative. “David” followed a script and told our researcher to download AnyDesk and log in to his bank\r\naccount. The attacker also claimed that someone had tried to purchase a weapon using his PayPal account and\r\nwarned him that “hackers” regularly access people’s accounts to make purchases. In total, the conversation took\r\napproximately an hour.\r\nJustin Bieber Lure\r\nOther campaigns use pop culture themed lures, including posing as ticket sellers to The Weeknd concerts or the\r\nupcoming 2022 Justin Bieber world tour. These lures are associated with BazaCall threats. 
When our researcher\r\ncalled the number in the Justin Bieber email, he was immediately placed on hold with the pop star’s music.\r\nFigure 4: Justin Bieber themed email purporting to be tickets for an upcoming concert.\r\nWhen our researcher called the BazaCall threat actors, a person named “John Edwards” claimed someone had\r\nerroneously placed an order on his credit card and told him to visit ziddat[.]com/code.exe to get a refund. Our researcher\r\ndownloaded the executable in a virtual machine, and told “John” nothing came up on the screen. BazaLoader was\r\nsuccessfully downloaded, and “John” said he could take care of the issue before abruptly hanging up. In total, the\r\ncall took approximately 10 minutes.\r\nThreat Actors\r\nAlthough it is difficult to narrow down activity into specific threat activity groups associated with TOAD threats,\r\nProofpoint researchers have identified multiple activity clusters located in India. Most of the activity occurs in\r\nthree cities: Kolkata, Mumbai, and New Delhi.\r\nProofpoint was able to pin down multiple physical locations of activity clusters based on the threat actors’\r\ninteractions with Proofpoint researchers as well as open-source information shared on fraud forums and YouTube.\r\nThe following map represents a sample of identified call centers.\r\nFigure 5: Locations of TOAD threat operators.\r\nDuring our research, threat actors accessed researchers’ computers directly, and Proofpoint researchers were able\r\nto siphon data such as IP information from the remote access connections. 
Additionally, some independent “scam\r\nbaiters” have remote access to threat actors’ physical location and share their findings on YouTube and TikTok.\r\nBased on publicly available information, Proofpoint was able to identify the office allegedly used by one cluster of\r\ntech support TOAD actors located in Kolkata.\r\nFigure 6: Matrix Tower in Kolkata where TOAD threat actors allegedly operate listed on a property management\r\ncompany website.\r\nThese threat actors reportedly targeted people in Germany, the U.S., Australia, and India with fraudulent tech\r\nsupport claims.\r\nMalicious call centers are architected like legitimate businesses. Owners sign leases on buildings purporting to be\r\ntelemarketers or other phone-based businesses, and recruit local jobseekers to support the operation. Due to job\r\nscarcity in areas of operation and potential for higher earnings than alternative employment, the lucrative phone\r\nfraud jobs are alluring. While conducting calls with the threat actors, Proofpoint researchers overheard floor\r\nmanagers guiding employees through a script on how to speak to victims. Employees’ pay varies. According to the\r\nBBC, earnings may start at 1 rupee for every $1 stolen and increase to $50,000 per month.\r\nWhile financially motivated and malware-focused TOAD actors have similar techniques, Proofpoint researchers\r\nhave observed that BazaLoader threat actors do not appear to use physical call center facilities, and fake customer\r\nservice agents are usually not located in India. Proofpoint assesses with moderate confidence the actors use\r\ninbound call center software then route the calls to geographically dispersed customer service agents. 
The agents\r\ndistributing BazaLoader do not remotely access victims’ machines; rather they direct them to a website to\r\ndownload a malicious file that loads the malware. Thus, the fake customer service agents do not require as much\r\ntechnical aptitude as other cybercrime actors.\r\nThe increasingly widespread adoption of threats requiring victims to initiate engagement with their attackers\r\nindicates that participants in the cybercriminal ecosystem likely learn from each other and will shape tactics,\r\ntechniques, and procedures (TTPs) based on efficacy observed by their fellow threat actors.\r\nVictimology\r\nCall center-based email threat actors do not appear to specifically target people via demographics, jobs, location,\r\netc., but likely procure their contact lists from legitimate data brokerages or other telemarketer resources. And\r\nwhile the public typically hears about activities impacting victims from vulnerable communities including the\r\nelderly and disabled, according to the 2021 Truecaller report, men are impacted more than women, and younger\r\nmen are more likely than older men to be victims of a phone scam. (Analyst note: This data includes all phone-based spam and scams and is not specific to call center-based email threats.)\r\nLike many victims of crime, people who lose money to cyberattacks may feel ashamed and embarrassed, and do\r\nnot share details of what occurred. This makes it difficult for researchers, law enforcement, and the public to\r\nunderstand the true number of people impacted by call center-based email fraud. But the losses can be life-altering. Proofpoint is aware of victims losing nearly $50,000 in one attack, with the threat actor masquerading as\r\na NortonLifeLock representative. 
And the fallout of cybercrime – like the toll on finances and emotional well-being\r\n– reportedly disproportionately impacts Black, Indigenous, and people of color (BIPOC) communities.\r\nFigure 7: Known victim of TOAD threat.\r\nImpacts to Organizations\r\nTOAD threat actor targeting is indiscriminate and includes both personal email accounts – Gmail, Yahoo, Hotmail,\r\netc. – and corporate email addresses. Proofpoint has observed BazaCall operators targeting employees of large\r\norganizations, and a successful infection could compromise the entire enterprise network leading to follow-on\r\nattacks such as ransomware.\r\nTargeting individuals’ private email addresses could have follow-on impacts to corporations. For example, as\r\nCOVID-19 has caused a shift to remote work, more people are accessing personal information online from work\r\ndevices or accounts. Additionally, TeamViewer and AnyDesk are legitimate enterprise software services that may\r\nalready be installed on corporate machines; if the software allows external connections, the activity could bypass\r\nother enterprise security protections that may be in place to detect and block remote access attempts. A threat actor\r\nmay successfully obtain remote access to a corporate managed device and install malware that could facilitate\r\nfollow-on activity such as ransomware.\r\nProofpoint assesses small and medium-sized businesses are at greatest risk for TOAD threats impacting the\r\ncorporate environment. 
\r\nAPPENDIX\r\nThe following is a list of company names Proofpoint regularly observes in call center-based email threat\r\ncampaigns.\r\nNorton\r\nMcafee\r\nEbay\r\nNort-Pro\r\nPayPal\r\nGeekSquad\r\nNortonLifeLock\r\nCovid-19 relief /AOL Fund\r\nAOL Committee\r\nVakıfBank\r\nSantander Bank\r\nIMF Giving\r\nAmazon\r\nJustin Bieber Justice World Tour\r\nThe Weeknd T O U R\r\nSpringfield Armory\r\nSymantec\r\nMeagher Auto Insurance\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery"
	],
	"report_names": [
		"caught-beneath-landline-411-telephone-oriented-attack-delivery"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d1f8bd4e-bcd4-4101-9158-6158f1806b38",
			"created_at": "2023-01-06T13:46:39.487358Z",
			"updated_at": "2026-04-10T02:00:03.344509Z",
			"deleted_at": null,
			"main_name": "BazarCall",
			"aliases": [
				"BazzarCall",
				"BazaCall"
			],
			"source_name": "MISPGALAXY:BazarCall",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439143,
	"ts_updated_at": 1775791675,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4356d0eae86ee2c009804bd4a032ed2fac17538d.pdf",
		"text": "https://archive.orkl.eu/4356d0eae86ee2c009804bd4a032ed2fac17538d.txt",
		"img": "https://archive.orkl.eu/4356d0eae86ee2c009804bd4a032ed2fac17538d.jpg"
	}
}