Cyber-security researchers at Cisco Talos say telephone-oriented attack delivery, or TOAD, is accelerating as fraudsters embed phone numbers in malicious PDF attachments that impersonate trusted brands. An analysis of PDF-based phishing emails collected between 5 May and 5 June 2025 found Microsoft and DocuSign were the most spoofed names, followed by PayPal and several consumer-software vendors. Victims are urged to call the listed support lines, where attackers posing as help-desk agents coax them into disclosing credentials or installing remote-access malware. The U.S. Federal Bureau of Investigation has issued a separate alert linking the technique to the Luna Moth crime group and warning that threat actors often recycle Voice-over-IP numbers for days to run multi-stage social-engineering assaults. The same report highlights a parallel shift toward artificial-intelligence tooling. Criminals are weaponising Vercel’s v0 AI site-builder to spin up convincing login pages from simple text prompts, while other gangs exploit Microsoft 365’s Direct Send feature to push phishing emails that appear to originate from inside more than 70 target organisations, according to data from Varonis. Researchers say the convergence of branded PDFs, live callback scams and AI-generated web content lowers the cost and raises the success rate of credential-theft operations. They recommend tighter brand-impersonation detection, blocking of VoIP numbers linked to scams and user training that treats unsolicited phone calls with the same caution as suspicious links.