How callback phishing threatens our online safety

Dec. 2, 2024
The new face of phishing continues to shift and grow; awareness remains our best defense.

These days, being online feels like a digital cat-and-mouse game, with cybercriminals lurking around every corner, looking for ways to extract and exploit personal information. Although callback phishing has been used over the last few years, it has become a preferred attack technique in recent months, with research showing a 140% spike in these campaigns between July and September 2024.

Cybercriminals are no longer limited to sending malicious emails and texts. They’re making direct, human-to-human contact, catching even the most cautious off-guard.

What is Callback Phishing?

At its core, callback phishing, or Telephone-Oriented Attack Delivery (TOAD), is a multi-stage attack that employs phishing emails designed to lure victims into phone conversations where scammers work to steal passwords, personal information, and other sensitive details. Put simply, this is a new level of social engineering.

The typical callback phishing scam starts with an attacker sending a phishing email that appears legitimate and urgent, often posing as an order invoice or account termination notice. The email lists a contact number and urges the recipient to call immediately to resolve the “issue.” When the target calls, a live scammer answers, posing as a customer service representative but ready to reel them in.

From this point, the scam can take multiple directions. The cybercriminal may work to coax sensitive information from the caller (a tactic called voice phishing or vishing) or, in more sinister cases, direct victims to a website or file that downloads malware directly onto the victim’s device.

Why Callback Phishing Works

The success of most digital scams depends on impersonal tricks—emails or links that can be blocked, flagged, or ignored. The hybrid, multi-staged approach of callback phishing breaks through these barriers by transforming the scam into a human-to-human interaction. Unlike emails that are easy to dismiss and often read like spam, a phone call brings urgency and legitimacy to the ploy. Speaking to a live person, especially someone who sounds like a helpful customer service representative, adds pressure and makes people prone to making hasty decisions. Additionally, the human-to-human interaction gives the scammer more flexibility to adapt to the situation of the specific victim on the other end.

Callback phishing is harder for security teams to trace and block than standard phishing emails. While emails can be logged and reviewed, a phone call often leaves no digital trail, making it a case of the victim’s word against empty air.

Scammers can further enhance their deception by impersonating trusted brands, like PayPal, QuickBooks, and YouTube, banking on brand familiarity to build trust and lure targets into compliance.
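The lure described above has a recognizable shape: an urgent invoice or account-termination notice, a phone number as the call to action instead of a link, and a well-known brand name in a message that did not come from that brand's domain. The following heuristic scorer, added here as an example and not code from the article or from Trustwave, shows how a mail-filter triage rule might weigh those traits together. The sample messages are constructed (the 555-01xx numbers are reserved for fiction), and the brand-to-domain map is an assumption for the example, not a vetted allow-list.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages (sender, subject, body); none are real emails.
# The first has the shape the article describes: an urgent invoice lure that
# carries a phone number, no link, and a brand name that does not match the
# sending domain. 555-01xx numbers are reserved for fictional use.
SAMPLE_EMAILS = [
    ("billing@secure-notices-example.net",
     "Your PayPal invoice #8841 has been processed",
     "You have been charged $499.99 for an annual subscription. If you did not "
     "authorize this, call us immediately at (800) 555-0142 within 24 hours to cancel."),
    ("receipts@paypal.com",
     "Your receipt for order 1234",
     "Thanks for your order. View details at https://www.paypal.com/activity . "
     "Questions? Visit our Help Center."),
    ("support@intuit.com",
     "Scheduled maintenance",
     "QuickBooks Online will be unavailable Sunday 02:00-04:00 UTC. No action is needed. "
     "For help, call 1-800-555-0199 or visit https://quickbooks.intuit.com/support."),
]

# North American phone-number shapes; the lookarounds stop long digit runs
# (invoice ids, amounts) from matching as part of a number.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.\-]?)?\(?\d{3}\)?[\s.\-]?\d{3}[\s.\-]?\d{4}(?!\d)")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
SENDER_DOMAIN_RE = re.compile(r"@([\w-]+(?:\.[\w-]+)+)")

URGENCY_TERMS = ("immediately", "within 24 hours", "urgent", "final notice",
                 "will be terminated", "suspended")
LURE_TERMS = ("invoice", "order", "subscription", "renewal", "charged",
              "account termination", "cancel")
# Brands the article names as commonly impersonated; the legitimate sending
# domains are assumptions for this example, not a vetted allow-list.
BRAND_DOMAINS = {"paypal": "paypal.com", "quickbooks": "intuit.com", "youtube": "youtube.com"}


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def sender_domain(sender: str) -> str:
    """Return the lowercased domain of the sender address ('' if none found)."""
    m = SENDER_DOMAIN_RE.search(sender)
    return m.group(1).lower() if m else ""


def score_email(sender: str, subject: str, body: str) -> Verdict:
    """Score one message against the callback-phishing (TOAD) lure pattern."""
    text = f"{subject}\n{body}".lower()
    v = Verdict()

    phones = PHONE_RE.findall(text)
    if phones:
        v.add(2, f"phone number present: {phones}")
        # The defining TOAD trait: the call to action is a number, not a link.
        if not URL_RE.search(text):
            v.add(1, "phone number but no link (callback lure shape)")

    urgency = [t for t in URGENCY_TERMS if t in text]
    if urgency:
        v.add(1, f"urgency language: {urgency}")

    lure = [t for t in LURE_TERMS if t in text]
    if lure:
        v.add(1, f"invoice/termination lure terms: {lure}")

    domain = sender_domain(sender)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in text and domain != legit and not domain.endswith("." + legit):
            v.add(2, f"mentions {brand} but sent from {domain or 'unknown domain'}")
    return v


def is_suspected_callback_phish(sender: str, subject: str, body: str, threshold: int = 4) -> bool:
    """True when the combined score crosses the (tunable) triage threshold."""
    return score_email(sender, subject, body).score >= threshold


if __name__ == "__main__":
    for sender, subject, body in SAMPLE_EMAILS:
        v = score_email(sender, subject, body)
        flag = "SUSPECT" if v.score >= 4 else "ok     "
        print(f"{flag} score={v.score} {subject!r}")
        for r in v.reasons:
            print("        -", r)
```

The third sample is the point of the weighting: a legitimate maintenance notice from the brand's own domain also carries a phone number, so a number on its own only earns two points and never crosses the threshold. The combination of number, no link, urgency, an invoice lure and a brand/domain mismatch is what pushes the first sample to seven. Treat the score as a triage signal that routes a message for review, not as a verdict on its own.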

Best Practices for Staying Safe

With phishing scams only getting smarter, cybersecurity awareness is more important than ever. To better protect employees from callback phishing schemes, share the following training and tips:

  • Be Skeptical of Unexpected Emails: If an email urges you to call a number, don’t. Verify the information directly through the company’s official contact page, and confirm you are speaking with a legitimate representative rather than falling prey to a scam. Additionally, remember that genuine organizations typically do not ask for sensitive information through unsolicited emails.

  • Limit What You Share: When speaking to customer service, avoid sharing personal details unless the request comes through a verified source. This means refraining from providing sensitive information like passwords or social security numbers. Legitimate companies will never ask for this data over the phone in an unsolicited call.

  • Monitor Banking Activity: If you receive an email about a strange transaction, check your bank accounts independently before responding. This proactive step can help identify unauthorized transactions early and prevent potential financial loss. Regularly reviewing account statements and transaction history also helps you spot suspicious activity that might otherwise go unnoticed.

  • Stay Updated: Businesses should regularly train employees to recognize phishing tactics. Knowledge is a powerful defense against evolving scams, and informed employees are better equipped to recognize and respond to potential threats. Implementing ongoing training programs and sharing the latest phishing techniques will create a culture of vigilance and encourage employees to be proactive about cybersecurity.

As phishing tactics shift and grow, awareness remains our best defense. Callback phishing and platform abuse are stark reminders of the need to stay informed and vigilant in safeguarding our personal and financial information.

While security tools advance, so do the schemes meant to bypass them. By staying alert, educated, and proactive, organizations can better outmaneuver these evolving threats, keeping their people and their data safe from modern phishing.

About the Author

Karl Sigler | security research manager at Trustwave SpiderLabs

Karl Sigler is a security research manager at Trustwave SpiderLabs, responsible for researching and analyzing current vulnerabilities, malware, and threat trends. Karl and his team run the Trustwave SpiderLabs Threat Intelligence database, maintaining security feeds from internal research departments and third-party threat exchange programs. His team also liaises for the Microsoft MAPP program, coordinates Trustwave SpiderLabs’ responsible vulnerability disclosure process, and maintains the IDS/IPS signature set for their MSS customers. With more than 20 years of experience working in information security, Karl has presented topics like Intrusion Analysis, Pen Testing, and Computer Forensics to audiences in over 30 countries.