Most people have been trained to watch for suspicious links and dodgy attachments in emails. But what about an email that contains neither? Callback phishing — sometimes called telephone-oriented attack delivery (TOAD) — is a rapidly growing threat that sidesteps traditional email security entirely by using a simple, low-tech weapon: a phone number.
TL;DR — Key Takeaways
- ✓ Learn how callback phishing attacks bypass email security filters by using phone numbers instead of links, and how to train your team to recognise them
- ✓ Review how callback phishing works, phase by phase, from the fake invoice to the remote access session
- ✓ Understand why callback phishing bypasses email security, and which organisational controls still catch it
Visual Overview
flowchart LR
A["Fake Invoice Email"] --> B["Victim Calls Number"]
B --> C["Attacker Answers"]
C --> D["Requests Remote Access"]
D --> E["Installs Malware"]
E --> F["Data Stolen"]
Instead of embedding a malicious link or attaching infected files, callback phishing emails present a seemingly legitimate concern — an unexpected charge, an expiring subscription, or a suspicious account activity alert — and provide a phone number for the recipient to call. When the victim dials the number, they reach an attacker posing as a customer service representative, who then guides them through actions that compromise their computer, their credentials, or both.
This technique has grown significantly since it was first widely observed in the BazaCall campaigns, and it is now a well-established way for attackers to gain an initial foothold in businesses, small ones included. Here is how it works, why it is so dangerous, and what your organisation can do about it.
How Callback Phishing Works
Callback phishing attacks follow a consistent pattern that exploits both technology gaps and human psychology. The attack unfolds in several deliberate phases:
Phase 1: The Initial Email
The victim receives an email that appears to be a legitimate notification — typically an invoice, subscription renewal, or payment confirmation for a service they did not purchase. Common pretexts include a charge of several hundred pounds for an antivirus subscription renewal, a premium streaming service upgrade confirmation, a software licence purchase receipt, or a notification of a large pending transaction on their account.
The email is deliberately designed to cause alarm. The amount is large enough to provoke a reaction but not so large as to seem implausible. Crucially, the email contains no links and no attachments — just text and a phone number to call if the charge was not authorised. This is the key innovation that makes callback phishing so effective: with no malicious URLs or files to scan, traditional email security filters have nothing to flag.
Phase 2: The Phone Call
When the concerned recipient calls the number, they reach what appears to be a professional call centre. The attacker, posing as a customer service agent, confirms the "charge" and expresses willingness to help resolve the issue. They may even provide a fake case number or reference ID to add legitimacy.
The agent then explains that to process the cancellation or refund, the caller needs to follow some steps on their computer. This is where the social engineering shifts from email to voice — a technique closely related to vishing attacks but initiated through email rather than a cold call.
Phase 3: Remote Access and Compromise
The fake customer service agent directs the victim to visit a website and download what is presented as a cancellation form, verification tool, or remote support application. In reality, this software is either a remote access trojan (RAT), a legitimate remote desktop tool that gives the attacker full control of the victim's computer, or a malware dropper that installs additional malicious software.
Once the attacker has remote access, they typically disable security software, install persistent backdoors, harvest stored credentials from browsers and applications, access business email accounts, search for sensitive files and financial information, and deploy ransomware or data exfiltration tools.
Why Callback Phishing Bypasses Email Security
The genius of callback phishing lies in what the email does not contain. Modern email security systems are excellent at detecting malicious links, scanning attachments in sandboxes, and identifying known phishing domains. But callback phishing emails are, from a technical perspective, essentially clean text messages with a phone number.
Consider what an email filter sees when it analyses a callback phishing email: no embedded URLs to check against threat intelligence, no attachments to detonate in a sandbox, no scripts or macros to analyse, no known-bad sender domain (attackers often send from freshly created free-mail accounts or from compromised legitimate mailboxes), and formatting and language consistent with genuine business correspondence. Sender authentication does not help either: SPF, DKIM and DMARC verify that a message really came from the domain it claims, not that its content is honest, so mail from a free-mail account or a compromised legitimate mailbox passes all three. Variants that attach a PDF "invoice" carrying the same phone number are no easier to catch, because a PDF with no links or scripts in it detonates clean.
This creates a significant blind spot in organisations that have invested heavily in email security but have not trained their employees to recognise social engineering tactics that extend beyond the inbox. Callback phishing effectively transitions the attack from the digital domain, where security tools operate, to the voice domain, where the only defence is the employee's judgement and training.
The Fake Invoice and Subscription Cancellation Lure
The most common callback phishing pretexts revolve around financial anxiety. Attackers know that receiving an unexpected charge triggers an immediate emotional response — concern, confusion, and urgency — that overrides careful analysis. The most effective lures share several characteristics:
- Specific amounts: Rather than vague references to a charge, the email includes a precise figure (for example, 349.99 pounds or 499.00 dollars) that feels real and consequential.
- Recognisable brand names: The email impersonates well-known companies — security software vendors, streaming services, cloud platforms, or business tool providers — that the recipient might plausibly have an account with.
- Time pressure: The email states that the charge will be processed within 24 hours unless the recipient takes action, creating urgency that discourages careful thought.
- Professional formatting: The email mimics the branding, layout, and tone of genuine transactional emails from the impersonated company.
- No cancellation link (by design): The email explicitly states that cancellations must be handled by phone, which serves the dual purpose of directing the victim to call and providing a plausible explanation for why there is no online cancellation option.
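To make the filter's blind spot concrete, here is an added example (written for this article, not code from any product or vendor) of what a URL- and attachment-centric scanner extracts from a callback lure, followed by the kind of content heuristic that does catch the shape of the attack: a phone number paired with a financial pretext, a precise amount and a deadline, in a message that contains nothing clickable. The two messages, the sender addresses, the phone numbers (a UK range reserved for fiction) and the term lists are all constructed for the example; a real deployment would tune the term lists and feed the allowlist from the vendors' published support numbers.

```python
import email
import re
from email import policy

# Constructed sample lure (not a real message): plain text, no links, no
# attachments, a precise amount, a deadline and a phone number to call.
SAMPLE_LURE = """\
From: Billing Department <billing-notifications@example-mail.test>
To: finance@victim-corp.test
Subject: Your subscription renewal receipt - Order #48213
Content-Type: text/plain; charset="utf-8"

Dear Customer,

Thank you for renewing your Total Protection Plan. Your card has been
charged GBP 349.99. The charge will be processed within 24 hours.

If you did not authorise this purchase or wish to cancel, please call
our Billing Support desk on +44 20 7946 0000. Cancellations cannot be
processed online.

Reference ID: CS-7731-QX
"""

# Constructed benign message that also carries a phone number and no links,
# to show that "phone number, no URL" alone is not a verdict.
SAMPLE_BENIGN = """\
From: Alice <alice@victim-corp.test>
To: finance@victim-corp.test
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

Hi, shall we do lunch on Thursday? Call me on +44 20 7946 0001 if you
cannot make it.
"""

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
AMOUNT_RE = re.compile(r"(?:GBP|USD|EUR|£|\$|€)\s?\d[\d,]*\.\d{2}", re.I)
# Assumed term lists; tune them to the lures your organisation actually sees.
FINANCIAL_TERMS = ("invoice", "charge", "renewal", "subscription", "receipt", "payment", "refund")
URGENCY_TERMS = ("24 hours", "immediately", "cannot be processed online", "must be handled by phone")


def what_the_filter_sees(raw):
    """Extract the artefacts a URL/attachment-centric filter looks at,
    plus the phone numbers and amounts it normally ignores."""
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg['subject'] or ''}\n{body}"
    return {
        "sender": str(msg["from"] or ""),
        "urls": URL_RE.findall(text),
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
        # Normalise numbers to digits only so they can be compared to an allowlist.
        "phone_numbers": [re.sub(r"\D", "", n) for n in PHONE_RE.findall(text)],
        "amounts": AMOUNT_RE.findall(text),
        "text": text.lower(),
    }


def score_callback_lure(raw, known_support_numbers=frozenset()):
    """Return (verdict, signals). The verdict is 'suspect-callback-lure' only
    when the message has the callback shape (phone number, nothing clickable)
    AND at least three of the lure characteristics described above."""
    seen = what_the_filter_sees(raw)
    signals = []
    if seen["phone_numbers"] and not seen["urls"] and not seen["attachments"]:
        signals.append("phone_number_without_links_or_attachments")
    if any(term in seen["text"] for term in FINANCIAL_TERMS):
        signals.append("financial_pretext")
    if seen["amounts"]:
        signals.append("specific_amount")
    if any(term in seen["text"] for term in URGENCY_TERMS):
        signals.append("urgency")
    if any(n not in known_support_numbers for n in seen["phone_numbers"]):
        signals.append("number_not_on_vendor_allowlist")
    callback_shape = "phone_number_without_links_or_attachments" in signals
    verdict = "suspect-callback-lure" if callback_shape and len(signals) >= 4 else "no-callback-signals"
    return verdict, signals


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        seen = what_the_filter_sees(raw)
        print(label, "urls:", seen["urls"], "attachments:", seen["attachments"])
        print(label, score_callback_lure(raw))
```

Run as-is, the lure yields no URLs and no attachments (the scanner's entire view of it) yet scores five signals, while the benign message scores only two and is left alone. Passing the vendor's genuine support number as `known_support_numbers` removes one signal but not the verdict, which is the right behaviour: an unexpected invoice is the red flag, whatever number it asks you to call.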
What Happens When Victims Call the Number
The phone interaction is where callback phishing becomes particularly dangerous, because the attacker can adapt their approach in real time based on the victim's responses. Unlike a static phishing page, a live conversation allows the attacker to build rapport, address concerns, and overcome resistance.
A typical call follows this progression: the "agent" verifies the victim's identity by asking for information that makes the interaction feel official (name, email address, the last four digits of a card number — information the attacker may already have from data breaches). The agent then confirms the charge and offers to process a refund or cancellation. To do so, they claim to need the victim to access their computer.
The agent may direct the victim to a website to download a "refund form" or "cancellation verification tool." Alternatively, they may ask the victim to download a legitimate remote support application — tools like AnyDesk, TeamViewer, or ConnectWise — explaining that the support team needs to verify the cancellation on their end. Because these are legitimate, widely used applications, antivirus rarely flags them, and unless the organisation has application control or endpoint detection rules that cover remote access tools, nothing stops the installation.
Once connected, the attacker may display a fake refund interface while actually accessing the victim's banking portal, install malware under the guise of running a "security scan," harvest saved passwords from the victim's browser, or access company email and file sharing systems. Throughout this process, the attacker maintains a calm, professional demeanour, reassuring the victim that everything is normal.
How to Train Employees to Recognise Callback Phishing
Because callback phishing evades technical controls, employee training is your most important defence. However, traditional phishing awareness training that focuses exclusively on identifying malicious links and attachments will not prepare your team for this threat. Your training programme needs to address the specific characteristics of callback phishing.
Key Training Points
- Treat unexpected invoices with suspicion regardless of format: An email with no links or attachments is not automatically safe. If you did not make a purchase, the email itself is the red flag.
- Never call a number provided in an unexpected email: If you need to verify a charge, navigate directly to the company's official website and use the contact information listed there. Do not use the phone number in the email.
- Establish a verification protocol: Create a simple internal process for employees who receive suspicious invoices or charge notifications. This should involve forwarding the email to the IT or finance team for verification before taking any action.
- Never download software at a caller's request: No legitimate company will ask you to install remote access software to process a refund or cancellation. This is always a red flag, regardless of how professional the caller sounds.
- Recognise the emotional manipulation: Train employees to pause when they feel urgency or alarm. Attackers deliberately create these emotions to bypass rational decision-making. The more urgent an email feels, the more carefully it should be scrutinised.
Including callback phishing scenarios in your phishing simulation programme is one of the most effective ways to build resistance to this threat. Simulated callback phishing exercises — where employees receive test emails with phone numbers that lead to a recorded awareness message — help staff develop the reflexes needed to recognise and report these attacks before calling.
Organisational Defences Against Callback Phishing
Beyond employee training, several organisational measures can reduce your exposure to callback phishing attacks:
- Implement a clear software installation policy: Establish and enforce a policy that prohibits employees from downloading or installing software without IT approval. Use endpoint management tools to restrict installation privileges where possible.
- Block or monitor remote access tools: If your organisation does not use remote desktop applications, block them at the endpoint or network level. If you do use them, restrict connections to authorised destinations only.
- Deploy application control: Use application whitelisting to prevent the execution of unauthorised software, ensuring that even if an employee downloads a malicious tool, it cannot run on your managed devices.
- Create a financial verification workflow: Establish a process where any unexpected invoice, charge notification, or payment request must be verified through an independent channel before any action is taken. This applies equally to emails, phone calls, and letters.
- Monitor for business email compromise indicators: Callback phishing is often a precursor to BEC attacks. If an employee's account is compromised through a callback phishing attack, the attacker may use that access to conduct further social engineering against other employees or business partners.
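The "block or monitor remote access tools" and "deploy application control" items above are where technical controls re-enter the picture, because the tool the caller asks the victim to install is the first artefact the attack leaves on a managed endpoint. The following is an added example, written for this article rather than taken from any EDR product, of detection logic run over process-creation events in a Sysmon-like shape. The events, host names, users and the install paths are constructed; the executable names and the assumption that ConnectWise Control is the tool IT itself uses are illustrative and should be replaced with your own inventory and the query language of your SIEM or EDR.

```python
# Executable names (lowercased) of remote support tools commonly abused in
# callback phishing, mapped to the product. Assumed list; extend it from
# your own telemetry.
RMM_IMAGES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "teamviewer_desktop.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ConnectWise Control",
    "screenconnect.windowsclient.exe": "ConnectWise Control",
}
# Hypothetical policy: IT deploys ConnectWise Control; nothing else is approved.
AUTHORISED_TOOLS = {"ConnectWise Control"}
# Path fragments that mark user-writable locations where an approved tool
# should never live; IT-deployed agents install under Program Files.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {   # IT's own agent running as a service from Program Files: expected
        "host": "WS-017", "user": r"NT AUTHORITY\SYSTEM",
        "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
        "parent_image": r"C:\Windows\System32\services.exe",
    },
    {   # Caller-directed download during a "refund" call
        "host": "WS-017", "user": r"VICTIMCORP\jsmith",
        "image": r"C:\Users\jsmith\Downloads\AnyDesk.exe",
        "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    },
    {   # Same vendor IT uses, but a per-user copy launched from a browser
        "host": "WS-022", "user": r"VICTIMCORP\pjones",
        "image": r"C:\Users\pjones\AppData\Local\Apps\2.0\ScreenConnect.WindowsClient.exe",
        "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
    },
    {   # Unrelated process, must not alert
        "host": "WS-022", "user": r"VICTIMCORP\pjones",
        "image": r"C:\Windows\System32\notepad.exe",
        "parent_image": r"C:\Windows\explorer.exe",
    },
]


def basename(path):
    """Last path component, lowercased, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return an alert dict for a suspicious remote access tool launch, else None."""
    tool = RMM_IMAGES.get(basename(event["image"]))
    if tool is None:
        return None
    reasons = []
    if tool not in AUTHORISED_TOOLS:
        reasons.append(f"{tool} is not an approved remote access tool")
    if any(marker in event["image"].lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("binary runs from a user-writable location, not an IT deployment path")
    parent = basename(event.get("parent_image", ""))
    if parent in BROWSERS:
        reasons.append(f"launched by {parent}, consistent with a caller-directed download")
    if not reasons:
        return None
    return {"host": event["host"], "user": event["user"], "tool": tool, "reasons": reasons}


def detect(events):
    """Run classify() over a stream of events and keep only the alerts."""
    return [alert for alert in map(classify, events) if alert]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['host']} {alert['user']} {alert['tool']}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

The third event is the one worth noticing: the product is on the approved list, so a rule that only matches tool names would miss it, but an approved tool running from a user profile after being launched by a browser is exactly what a victim following the caller's instructions produces. Alerting on where the binary came from and what started it, not just on what it is, is what makes the "monitor remote access tools" control effective against this attack.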
Callback phishing represents the evolution of social engineering from purely digital tactics to hybrid approaches that combine email, voice, and hands-on-keyboard exploitation. As email security tools become more effective at blocking traditional phishing, expect attackers to increasingly shift to techniques that operate outside the email filter's field of vision. The organisations that will be best protected are those that train their people to recognise manipulation regardless of the channel it arrives through — not just the link they are asked to click, but the number they are asked to call.