In the ongoing cat-and-mouse game between cybercriminals and their targets, a cunningly retro tactic has re-emerged with potent new effectiveness: callback phishing. This hybrid threat, which blends initial email contact with old-school telephone-based deception, is proving adept at sidestepping automated security filters and preying on human psychology to compromise both individuals and major corporations.
At its core, callback phishing—also known as telephone-oriented attack delivery (TOAD) or vishing (voice phishing)—is a multi-stage social engineering scam. Unlike traditional phishing that coaxes users into clicking a malicious link directly in an email, this method’s primary goal is to persuade the victim to initiate a phone call.
The attack begins with a professionally crafted email designed to provoke a sense of urgency or fear. These messages often impersonate trusted brands: cybersecurity firms (CrowdStrike is a frequent example), antivirus providers, financial institutions, or prominent subscription services. The email will typically contain a fake security alert or a fraudulent invoice, claiming the recipient’s account has been compromised or that they have been charged for a high-value, unwanted subscription.
Crucially, the email itself contains no malicious links or attachments. Instead, it prominently displays a “customer service” phone number and urges the recipient to call immediately to resolve the issue. This lack of a clickable threat is the key to its initial success, as it often bypasses the technical email gateways designed to detect and block malicious URLs and infected files.
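The trait just described (a call-to-action carried only by a phone number, with no link or attachment for a gateway to inspect) is itself detectable. The Python heuristic below is an added example, not code from the article or any vendor; the keyword lists, weights, threshold and brand-to-domain map are assumptions, and the two messages are constructed samples.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicator lists, weights and the brand/domain map are assumptions for this example,
# not any vendor's published detection rules; tune them to your own mail flow.
URL_RE = re.compile(r"https?://|www\.", re.I)
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URGENCY = ("immediately", "within 24 hours", "has been compromised", "will be charged")
LURE = ("invoice", "subscription", "renewal", "security alert", "refund")
BRANDS = {"crowdstrike": "crowdstrike.com", "paypal": "paypal.com"}  # constructed map

def callback_phish_score(raw_email: str) -> dict:
    # Returns a score, the indicators that fired, and a verdict for one RFC 822 message.
    msg = message_from_string(raw_email)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else "".join(
        p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    hits, score = [], 0
    phones = PHONE_RE.findall(body)
    if phones:
        hits.append(f"phone number in body: {phones[0]}"); score += 2
        # The trait the article highlights: nothing for a URL or attachment filter to catch.
        if not URL_RE.search(body) and not any(p.get_filename() for p in msg.walk()):
            hits.append("phone number but no URL or attachment"); score += 2
    if any(w in text for w in URGENCY):
        hits.append("urgency wording"); score += 1
    if any(w in text for w in LURE):
        hits.append("invoice/subscription lure"); score += 1
    for brand, domain in BRANDS.items():
        if brand in text and sender_domain != domain and not sender_domain.endswith("." + domain):
            hits.append(f"mentions {brand} but sender domain is {sender_domain}"); score += 2
            break
    return {"score": score, "hits": hits, "suspect": score >= 6}

# Constructed samples for a stand-alone run; not real messages.
TOAD_SAMPLE = """From: Billing Desk <billing@cs-renewals-notice.example>
Subject: Your CrowdStrike subscription renewal invoice

Your account will be charged $399.99 for the annual renewal.
If you did not authorize this, call support immediately at (800) 555-0142 to cancel.
"""
BENIGN_SAMPLE = """From: Product Team <newsletter@vendor.example>
Subject: May product update

Read the release notes at https://docs.vendor.example/release-notes
"""

if __name__ == "__main__":
    print(callback_phish_score(TOAD_SAMPLE), callback_phish_score(BENIGN_SAMPLE))
```

A gateway rule built on this would quarantine or tag the message for review rather than block outright, since legitimate invoices do sometimes carry a support number; the brand/sender mismatch is the strongest single signal.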
Once the concerned victim dials the number, the trap is sprung. They are connected directly to a live scammer posing as a helpful support agent. This human interaction is where the real manipulation begins. The fraudster, often speaking from a sophisticated call centre, will feign professional concern while guiding the victim through a series of steps to “cancel the subscription” or “remove the threat.”
Under this guise, the scammer’s ultimate goal is to convince the user to grant them remote access to their computer, typically by directing them to download and install legitimate remote management tools like AnyDesk or TeamViewer. Once they have control, the attackers can deploy ransomware, steal sensitive financial data and credentials, or establish a persistent foothold in the victim’s network.
The effectiveness of callback phishing lies in its clever exploitation of psychological trust. By shifting the interaction from an impersonal email to a direct conversation, attackers can build rapport and more effectively manipulate their targets. The initial email creates the problem, and the scammer on the phone presents themselves as the immediate, reassuring solution.
Security experts advise heightened vigilance to combat this growing threat. Key recommendations include:
- Verify Independently: Never use the contact information provided in an unsolicited or suspicious email. If you receive an alert from a company you do business with, look up their official phone number from their website or a legitimate account statement and contact them directly.
- Be Wary of Urgency: Tactics designed to make you panic and act quickly are a hallmark of phishing scams. Take a moment to think before reacting.
- Never Grant Unsolicited Remote Access: A legitimate company will not call you out of the blue and demand remote access to your device to fix a problem you were unaware of.
- Employee Training: For businesses, ongoing training is critical. Employees should be educated on the specific tactics of callback phishing and empowered to question and verify any unusual requests, even if they appear to come from a trusted source.
As technical defences become more advanced, cybercriminals will continue to target the most vulnerable part of any security system: the human being at the keyboard. Callback phishing is a stark reminder that in the digital age, a simple phone call can be the most dangerous link of all.