Beware of callback phishing: How hackers trick you into calling them
Callback phishing is one of the latest and most deceptive phishing techniques, designed to bypass traditional security measures and fool even experienced professionals. This method blends phishing emails with vishing (voice phishing), making it harder to detect and more effective for cybercriminals. Cybercriminals often use an automated voice message to deceive victims into providing sensitive information.
In this article, we’ll explore what callback phishing is, how it works, and what you can do to protect yourself from falling victim to this sophisticated scam. Learn more about how vishing and smishing work and how to stay protected.
What is callback phishing scams?
Most people are familiar with traditional phishing emails, where hackers use social engineering tactics to trick recipients into clicking malicious links or downloading infected attachments. These emails often appear to come from managers, financial institutions, or well-known companies, creating urgency to prompt immediate action.
However, as people and email security programs have become better at identifying and blocking phishing attempts, cybercriminals have adapted. Instead of relying solely on links and attachments, they now use callback phishing scams to bypass security filters and directly manipulate victims. In a callback phishing scam, scammers send emails with instructions to call a seemingly legitimate number, leading victims to disclose sensitive information under the guise of addressing an urgent issue. Awareness and proactive measures are crucial to protect against these types of scams.
How callback phishing works: Social engineering tactics
1. The deceptive email
A callback phishing attack starts with an email that appears legitimate. Instead of containing suspicious links or attachments, it asks the recipient to call a phone number. These emails often claim to be related to:
-
Urgent account security issues
-
Subscription renewals or cancellations
-
Invoices that need immediate attention
-
IT support or software troubleshooting
Since there are no malicious links or files, traditional security tools often fail to flag these emails as phishing attempts. Additionally, calling unknown phone numbers provided in these emails can lead to users disclosing sensitive information, making them vulnerable to reverse vishing attacks.
2. The phone call trap
If the recipient calls the number provided in the email, they are connected to a scammer posing as customer support, an IT specialist, or a company representative. From here, the hacker may:
-
Request personal information, such as credit card details or login credentials
-
Convince the victim to install remote access software
-
Persuade them to authorize fraudulent transactions
-
Direct the victim to download malicious files, bypassing traditional email security measures
3. Remote access exploitation of sensitive information
In some cases, hackers trick victims into granting remote desktop access, claiming they need to troubleshoot an issue. Once connected, the hacker can:
-
Install malware or spyware
-
Steal sensitive company or personal data
-
Gain full control over the victim’s computer
This method completely bypasses security measures like email filters, antivirus programs, and firewalls, as the victim willingly engages with the attacker. If you suspect you have fallen victim to a callback phishing scam, it is crucial to monitor your credit report for any suspicious activity. Explore how firewalls can strengthen your defenses.
Evasion techniques used by hackers
Hackers behind callback phishing scams are adept at evading detection by traditional email security tools, making their attacks particularly insidious. One of their primary tactics is to use text-based emails that lack the usual red flags, such as malicious links or attachments. This makes it significantly harder for email filters to identify the email as a threat.
Another common strategy involves social engineering tactics designed to create a sense of urgency or panic. For instance, an email might claim that your bank account has been compromised or that a subscription is about to renew, prompting you to call a provided phone number immediately. This sense of urgency can cloud judgment, leading victims to act without proper verification. nderstanding how social engineering works can help you recognize and avoid these manipulative tactics.
Hackers also employ text obfuscation techniques, such as adding invisible characters to their messages. This can prevent detection by email security tools that scan for known phishing patterns. These sophisticated evasion techniques highlight the importance of security awareness training and education. By understanding these tactics, individuals and organizations can better recognize and respond to potential threats.
Real-world examples of callback phishing attacks
Real-world examples of callback phishing attacks illustrate the severe consequences these scams can have. One prominent case is the BazarCall/BazaCall campaign. In this scheme, victims received emails warning them about an upcoming payment for a subscription or the end of a free trial. When users called the provided phone number, they were tricked into installing BazarBackdoor malware, which gave hackers a backdoor into their computers and networks.
Another significant example is the Conti ransomware operation. In this attack, cybercriminals used callback phishing to impersonate various legitimate companies. They convinced victims to establish remote desktop sessions, allowing the hackers to deploy ransomware and gain control over the victims’ systems. These attacks resulted in substantial financial losses and data breaches.
These examples underscore the importance of being cautious when receiving unsolicited phone calls or emails. Always verify the authenticity of the communication by contacting the company through official channels before providing any sensitive information. By learning from these real-world incidents, you can better protect yourself and your organization from falling victim to similar phishing campaigns.
How to protect yourself from callback phishing
1. Be skeptical of unsolicited emails
Always question emails that ask you to call a number, especially if they create urgency.
Verify the legitimacy of the email by contacting the sender through official channels (not the number provided in the email).
2. Verify phone numbers
-
If an email requests that you call a customer service number, check the official website of the company before dialing.
-
For internal company communications, confirm directly with your manager or IT team.
3. Avoid granting remote access
-
Never allow remote desktop access unless you are 100% sure of the request’s authenticity.
-
IT support teams usually communicate through official channels and scheduled meetings, not unsolicited emails.
4. Implement email security measures
-
Use email filtering tools that flag unusual senders and domains.
-
Enable multi-factor authentication (MFA) to prevent unauthorized access to sensitive accounts.
5. Conduct regular security awareness training
-
Educate employees on the dangers of callback phishing.
-
Conduct phishing simulations to test awareness and reinforce best practices.
-
Emphasize the need for vigilance against not only callback phishing but also other phishing attacks.
Final thoughts
Callback phishing is a dangerous and evolving cyber threat that bypasses traditional email security measures. By combining phishing emails with voice manipulation tactics, hackers increase their chances of successfully deceiving their targets.
The best defense against callback phishing is a combination of skepticism, verification, and cybersecurity awareness.
If you suspect a callback phishing attempt, report it to your IT department immediately and never engage with suspicious emails or phone numbers.
This post has been updated on 19-03-2025 by Sarah Krarup.

Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.
View all posts by Sarah Krarup