Callback phishing is one of the newest phishing methods - one that can fool even email filters and experienced phishing experts, because the email itself can look entirely legitimate. We'll go through what it is and what to look for in your inbox.
The new type of phishing
Most people are familiar with the classic phishing email, where a hacker uses social engineering to lure people into the phishing trap. Often, they will pretend to be a manager who needs an answer to a query - and this answer needs to come quickly. In addition to the short deadline, you typically have to click on a link or download an attached file, and that click or download is the moment the hacker gets access to your computer and personal data.
However, general awareness of phishing has made people more cautious about such emails, and better at spotting and avoiding them. Our email programs have also become better at distinguishing malicious emails from the legitimate ones we receive from colleagues. Unfortunately, hackers have realized this and have come up with a new and more cunning form of phishing.
This new form of phishing is called callback phishing. In this type of phishing, hackers combine the "classic" phishing email with vishing (voice phishing). The big difference is that instead of malicious links or files, the email asks you to call a phone number.
Why would you call?
You might ask yourself why you would call a number that is listed in an email you receive. Normally you might not call it, but if the email is an invitation to a meeting, an invoice you have a problem with, or a subscription that is ending but you want to extend, it suddenly doesn't seem so unlikely to call it.
And hackers know this. That's why they're ready at the other end. They start by sending a phishing email to a selected group of people, which is smaller than in ordinary phishing campaigns - they need to know what role to play when the phone rings.
For example, they might send out an email reminding you that your free trial of a subscription will end unless you sign up with your credit card. Because it's at short notice, it should be done over the phone so that your subscription can continue immediately. That way, more people will be inclined to call the number they've been told to call, which will put them through to a customer service agent.
Here, you will typically be asked to provide your credit card details so they can be linked to the subscription. Once you have done this, the hacker has the information they need to steal personal data and money.
The hacker bypasses the security mechanisms
Another method hackers use in callback phishing is to get people to agree to a remote desktop session, which means allowing a remote user to view and control their computer. This can be in relation to technical problems that the hacker claims you have. They will typically mention the problems in the email, but will not give detailed explanations of what the problems are - you have to call the number to get an explanation and a solution to the problem. And they will suggest that this is done with a remote desktop session.
If you agree to a remote desktop session, the hacker can install malware on your computer, and thus access personal data and account information.
When hackers use callback phishing, they bypass the security mechanisms in email programs that would otherwise detect malicious links and files. Therefore, only you as an employee can be the filter in your inbox. Keep an eye out for the social engineering tricks that hackers still use in callback phishing, and always question the request in an email before responding to it.
What to do to avoid callback phishing
One piece of advice we would give is to be critical of emails that contain requests - even if it comes from a "leader" or senders that seem legitimate. It's a good idea to double-check phone numbers before calling them. If it's a "manager" writing, ask your real manager or colleagues if it's them or their number. And if it's a service provider you "need to contact", you can usually find their phone number online before contacting them.
You can also check whether your email program can detect malicious email addresses and domains. That way, you can create a filter that sorts possible callback attacks out of your inbox. However, such a filter is no guarantee that callback phishing won't get through at all.
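As an added illustration (not Moxso's code, and not a feature of any particular email program), here is a small heuristic scorer of the kind of inbox filter the advice above points at. Classic filters key on links and attachments; a callback lure has neither, so this one keys on what such a lure needs instead: a phone number, an instruction to call it, and pressure to act now. The regular expressions, keyword lists, the verified-number allowlist and the three sample emails are all constructed assumptions for the example.

```python
"""Heuristic scorer for callback-phishing indicators in email text.

Added example, not Moxso's code. Keyword lists, thresholds, the
VERIFIED_NUMBERS allowlist and the sample emails are constructed.
"""
import re
from dataclasses import dataclass

# A run of digits with optional separators, loose on purpose so that
# "+45 12 34 56 78" and "(555) 010-0199" are both caught.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
CALL_RE = re.compile(r"\b(call|dial|phone|ring)\b", re.IGNORECASE)

URGENCY = ("immediately", "within 24 hours", "today", "expires", "urgent",
           "as soon as possible", "before it ends")
LURES = ("free trial", "subscription", "invoice", "renew", "refund",
         "remote desktop", "technical problem", "credit card")

# Numbers you have checked yourself (provider website, company directory).
# Constructed placeholder value; the real list is maintained by you.
VERIFIED_NUMBERS = {"+4512345678"}


def normalize(number: str) -> str:
    """Keep only a leading '+' and the digits so different formats compare equal."""
    digits = re.sub(r"\D", "", number)
    return ("+" if number.strip().startswith("+") else "") + digits


@dataclass
class Verdict:
    score: int
    reasons: list
    phones: list


def score_email(subject: str, body: str, has_attachment: bool = False) -> Verdict:
    """Score an email for callback-phishing traits; higher means more suspicious."""
    text = f"{subject}\n{body}"
    lower = text.lower()
    reasons, score = [], 0

    phones = [normalize(p) for p in PHONE_RE.findall(text)]
    unverified = [p for p in phones if p not in VERIFIED_NUMBERS]

    if unverified and CALL_RE.search(text):
        score += 3
        reasons.append(f"asks you to call an unverified number: {unverified}")
    if unverified and not URL_RE.search(text) and not has_attachment:
        # The defining trait: nothing for a link/attachment filter to inspect.
        score += 2
        reasons.append("phone number is the only call to action (no link or attachment)")
    urgency_hits = [w for w in URGENCY if w in lower]
    if urgency_hits:
        score += 1
        reasons.append(f"urgency cues: {urgency_hits}")
    lure_hits = [w for w in LURES if w in lower]
    if lure_hits:
        score += 1
        reasons.append(f"lure themes: {lure_hits}")
    return Verdict(score, reasons, phones)


def classify(subject: str, body: str, has_attachment: bool = False) -> str:
    """Map the score to an action; urgency and lure words alone never trigger."""
    v = score_email(subject, body, has_attachment)
    if v.score >= 5:
        return "likely callback phishing"
    if v.score >= 3:
        return "review before acting"
    return "no callback indicators"


# Constructed sample emails.
SAMPLE_LURE = ("Your free trial ends today",
               "Your free trial of ExampleStream expires today. To keep your "
               "subscription, call our billing team immediately on "
               "+1 555 010 0199 and have your credit card ready.")
SAMPLE_COLLEAGUE = ("Team meeting moved",
                    "Hi, the Thursday sync is moved to 14:00. Call me on "
                    "+45 12 34 56 78 if you cannot make it.")
SAMPLE_LINK_PHISH = ("Password reset required",
                     "Your mailbox password expires today. Reset it at "
                     "https://example.invalid/reset within 24 hours.")

if __name__ == "__main__":
    for subject, body in (SAMPLE_LURE, SAMPLE_COLLEAGUE, SAMPLE_LINK_PHISH):
        v = score_email(subject, body)
        print(f"{subject!r}: {classify(subject, body)} (score {v.score})")
        for r in v.reasons:
            print("   -", r)
```

The third sample scores low on purpose: it carries a link and no phone number, so it is the link-scanning filter's job, not this one's. The scorer is complementary to existing mail security, and the allowlist is where the article's advice to verify numbers yourself turns into something the filter can use.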
Awareness training and multi-factor authentication are also always good initiatives for better cyber hygiene. Multi-factor authentication should add an extra layer of security to your inbox, making sure that only you can access your email information.
Caroline Preisler
Caroline is a copywriter here at Moxso beside her education. She is doing her Master's in English and specializes in translation and the psychology of language. Both fields deal with communication between people and how to create a common understanding - these elements are incorporated into the copywriting work she does here at Moxso.