Callback Phishing: What Is It & How to Avoid Being a Victim

Criminals have added a new trick to their playbook. It starts innocently enough with an email or text message that looks like it's from your bank, a retailer you frequent, or even a government agency. 

The message will express some vague urgent concern, like suspicious activity detected on your account or an important document that needs your review. But here's the twist - instead of asking you to click a link, the message urges you to call a provided phone number to resolve the issue. 


If you call, a scammer claiming to represent the supposed organization will try to pressure you into handing over sensitive information like login credentials, financial details, or personal data. It's like phishing, but instead of trying to get someone to click on a link, it swaps the link for a phone call to catch unsuspecting victims. This is called callback phishing.

What is Callback Phishing?


Callback phishing, also known as telephone-oriented attack delivery (TOAD), is an increasingly common type of social engineering scam that relies on voice communication to deceive victims. 


The way it works is that the victim receives an email, text message, or even a phone call that appears to be from a legitimate company or organization. The message might say there's an urgent issue with the person's account or order that needs to be resolved right away, or that they have won something. Rather than providing a link to click on, the message instructs the target to call a phone number to resolve the issue.


Instead of connecting to a legitimate business or organization, the phone number actually connects to the scammer, who then tries to pressure the victim into giving up sensitive information like login credentials, financial details, or remote access to their computer. This is a crafty spin on traditional phishing that exploits people's trust in phone calls as a "safe" communication channel.  

How Does Callback Phishing Differ From 'Traditional' Phishing?


Traditional phishing attacks usually involve a highly targeted email from a bad actor designed to trick the recipient into opening a malicious attachment or clicking on a malicious link. The goal is to direct the user to an attacker-controlled webpage.

Phishing emails, like those used in business email compromise (BEC) scams, often impersonate a familiar individual or organization in an attempt to gain the target's trust. These emails may include a Microsoft Word document or link that the victim is likely to open, as they would normally trust the source. 


Callback phishing tricks users into calling a number provided in the email or text message. Once someone calls that number, cybercriminals use social engineering tactics to obtain sensitive information over the phone.  

Types of Callback Phishing 


There are several different types of callback phishing attacks that cybercriminals employ to try to steal sensitive information.  


One common tactic is voice phishing or "vishing," where the attacker leaves a voicemail pretending to be from a legitimate company and urgently requests a callback to a provided number. When the victim calls back, they are prompted to share private details like account numbers or passwords.  Email phishing uses a similar approach, with the phishing email instructing the recipient to call a number, which connects them to a scammer. 


‘One-ring’ phone scams involve the attacker calling the victim's number and hanging up after just one ring. Many people instinctively return these "missed calls," not realizing they're being connected to a premium-rate overseas number that racks up a hefty charge. The fact that these numbers charge a fee upon connection means that even if you hang up straight away, you’ve still lost money. 


Callback spam takes a slightly different approach. It bombards victims with unsolicited texts or emails containing a callback number. These messages often use social engineering tactics, like claiming the recipient has won a prize or alerting them to an "urgent" security issue.  


SMS phishing sends deceptive text messages to lure victims into calling back. Cybercriminals also launch phishing attacks on social media, posting messages that appear to come from a trusted company and include a callback number. In all cases, the attackers are hoping to either extract sensitive data from their victims or trick them into paying exorbitant international calling rates. Regardless of the delivery method, the goal is always to trick the victim into calling the attacker and revealing confidential data.

What Does a Callback Phishing Attack Look Like?


In a typical attack, a person receives an email claiming to be from a known company or service provider, urgently requesting that they call a provided phone number to resolve a supposed security issue or suspicious account activity. When the person calls, a convincing scammer impersonates a help desk agent or support representative and uses social engineering techniques to trick the victim into revealing sensitive information like login credentials, financial details, or other valuable data.   


This type of phishing is extremely effective because it circumvents email security filters, catches victims off-guard since they initiated the contact themselves, and abuses the natural human tendency to trust real-time voice interactions.   

How to Spot a Callback Phishing Scam


Vigilance is key. Since these types of emails do not contain malicious links or attachments, they can bypass email spam filters. Spotting a callback phishing scam requires awareness of the tactics scammers use.  

Be on the lookout for unsolicited emails, texts, or calls claiming there's an urgent issue with your bank account, credit card, taxes, or online accounts that requires immediate action. The message will instruct you to call the provided phone number to resolve the supposed problem. If you do call, the scammer on the other end will pressure you to share sensitive info like account numbers, login credentials, or your Social Security number, or even try to convince you to send them money.
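As an added example (not part of the original article), the following Python triage heuristic flags an email that combines urgent wording, a phone number and a call-to-action while containing no link, which is exactly the combination that lets these messages slip past link-based filters. The sample messages, sender domains and 555 phone numbers are constructed placeholders.

```python
import re
from email import message_from_string

# Heuristics drawn from the pattern described above: urgent language, a phone
# number the reader is told to call, and no link or attachment (which is why
# link-based filters miss these messages).
URGENCY_TERMS = ("urgent", "suspicious activity", "immediately", "suspended",
                 "unauthorized", "verify", "within 24 hours")
CALL_TERMS = ("call", "dial", "phone", "reach us at")
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


def score_callback_phish(raw_email: str) -> dict:
    """Return the callback-phishing indicators found in one RFC 822 message."""
    msg = message_from_string(raw_email)
    if msg.is_multipart():
        body = "\n".join(part.get_payload() for part in msg.walk()
                         if part.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    indicators = {
        "urgency": any(term in text for term in URGENCY_TERMS),
        "phone_number": bool(PHONE_RE.search(body)),
        "call_to_action": any(term in text for term in CALL_TERMS),
        "no_links": URL_RE.search(body) is None,
    }
    # Flag only the full pattern: pressure + a number to call + nothing to click.
    indicators["suspicious"] = all(indicators.values())
    return indicators


# Constructed sample messages (hypothetical senders, placeholder 555 numbers).
SAMPLE_CALLBACK = """From: billing@example-payments.test
Subject: Urgent: suspicious activity on your account

We detected unauthorized charges. To avoid suspension of your account,
call our fraud desk immediately at (555) 010-0199.
"""

SAMPLE_NEWSLETTER = """From: news@example-shop.test
Subject: Your weekly deals

See this week's offers at https://example-shop.test/deals
Questions? Call us at 555-010-0123 during business hours.
"""
```

A legitimate message can contain a phone number, so the verdict requires all four indicators together; tune the term lists to the vocabulary seen in your own mail flow.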


Don't fall for it. Legitimate companies will never contact you out of the blue demanding personal data or payments over the phone. If you're concerned there may really be an issue, contact the company directly using a verified phone number from their official website or your account statements.  


When in doubt, err on the side of caution. A healthy dose of skepticism can go a long way toward protecting yourself from becoming the next victim of a callback phishing scam.

Common Indicators of Phishing Attempts


Generally speaking, always exercise caution with any unsolicited communications you receive, and remember these steps: 



If you have doubts, contact the company directly through their official channels rather than responding to numbers provided in a suspicious email or text. It's better to be safe than fall victim to a scam.

What to do If You Suspect You're a Victim


If you suspect you've been scammed by a callback phishing attempt, key steps to take are:


Contact the Legitimate Company.  Reach out to the company that the phishing email appeared to be from, explaining the situation and providing details about the suspicious communication.


Change Passwords.  Immediately change your password on the affected account, and any other accounts where you use the same password.


Enable Multi-Factor Authentication.  If possible, activate multi-factor authentication on your accounts to add an extra layer of security.


Monitor Your Accounts.  Regularly check your bank statements, credit card activity, and online accounts for any suspicious activity.  


Freeze Credit Reports.  Contact Credit Bureaus / Agencies and place a freeze on your credit reports.  


Report The Scam.  Contact the Federal Trade Commission (FTC) to report the phishing attempt and provide details about the scammer. 

Conclusion


The best defense against callback phishing is constant vigilance.  Treat all unsolicited calls and emails with caution, and never call any phone numbers provided in suspicious messages.   


If you're concerned about a potential issue, look up the organization's contact information independently and reach out to them directly to confirm the legitimacy of the request.  By staying alert and following security best practices, you can thwart callback phishing attempts and keep your sensitive data secure.
