Callback Phishing Attack: What You Need to Know to Avoid Being Scammed

Author

Reads 1.3K

Scam Lettering Text on Black Background
Credit: pexels.com, Scam Lettering Text on Black Background

Callback phishing attacks are a sneaky way scammers try to get your personal info. They often start with a phone call that seems legit.

The caller may claim to be from a government agency, a bank, or a tech company, and ask you to verify some information. This is usually a ruse to get you to give away sensitive data.

Be cautious if you receive a call asking you to confirm your account info or Social Security number. It's likely a phishing attempt.

What is a Callback Phishing Attack?

A callback phishing attack is a type of phishing scam that's particularly sneaky and convincing. Attackers send an email or document claiming there's an urgent issue, such as an unauthorized transaction or subscription charge, and instruct the recipient to call a "customer service" number for assistance.

These messages often impersonate well-known brands, like PayPal, and can be quite convincing. They might even include a PDF or other document to make the scam look more legitimate.

Credit: youtube.com, Callback Phishing Attacks Explained: How Scammers Steal Your Data

The goal of the scammer is to get the victim to call them, which makes the scam more convincing since the victim initiated the contact themselves. This is different from traditional phishing attacks that use malicious links or attachments.

Attackers use social engineering techniques to trick the victim into revealing sensitive information, like login credentials or financial details, once they've made the call. It's a clever tactic that takes advantage of the natural human tendency to trust real-time voice interactions.

Cisco Talos researchers have reported a significant increase in these telephone-oriented attack delivery (TOAD) campaigns, with most originating in the US and Europe.

Types of Callback Phishing Attacks

Callback phishing attacks are a type of social engineering attack where attackers trick victims into revealing sensitive information or paying exorbitant international calling rates.

One common tactic is voice phishing, also known as "vishing", where the attacker leaves a voicemail pretending to be from a legitimate company and urgently requests a callback to a provided number.

Credit: youtube.com, Callback Phishing: Live Demonstration

Callback spam takes a slightly different approach, bombarding victims with unsolicited texts or emails containing a callback number, often using social engineering tactics to lure them in.

In all cases, the attackers are hoping to either extract sensitive data from their victims or trick them into paying exorbitant international calling rates.

Consider reading: Web Callback

Text-Based Spam

Text-based spam is a type of callback phishing that's surprisingly straightforward. It doesn't rely on complex techniques like malicious links or attachments, but rather on a simple, yet effective, approach.

The goal of text-based spam is to trick victims into calling a hotline or a number provided in the email. This is exactly what happened in the example of a phishing email impersonating Binance, a cryptocurrency trading platform. The email mimics a withdrawal notification message, listing a sizeable amount of money and the date of transfer, and then provides a customer service hotline for the victim to call.

Email Blocks on Gray Surface
Credit: pexels.com, Email Blocks on Gray Surface

Binance does not use a hotline for customer support, instead it uses an AI chatbot that's accessible via its website or mobile application. This should have been a red flag for the victim, but it's easy to overlook these details, especially if the email looks legitimate.

One of the giveaways of text-based spam is a sender domain that's not owned by the company being impersonated. In the Binance example, the sender domain was a relatively new one, indicating that it might be a phishing attempt.

Abuse of Appointment Scheduling

Callback phishing is a sneaky tactic that can be disguised as a legitimate notification. Scammers may send an email that appears to be from a well-known company, like QuickBooks, warning you that your database will be wiped out if you don't upgrade.

This email might prompt you to call a specified phone number or schedule a meeting with a fake customer support representative. Victims are often urged to act quickly, which is a red flag.

Credit: youtube.com, Phishing - A game of deception - Cyber security awareness video - Security Quotient

The fake email may provide an option to schedule a meeting with "QB Support" for a 30-minute session. Once you've chosen a date, you'll be asked to enter your name, email address, and phone number to confirm the event.

Scammers can use this information to gain even more insight into your personal details. They might create a fake Calendly account, like the one associated with the user "John", to schedule multiple fake events relating to QuickBooks.

The brand name in these event titles is often abbreviated to "QB" to avoid raising suspicion on the platform.

Financial Platform Spam Abuse

Financial Platform Spam Abuse is a sneaky technique used by attackers to deliver spam emails. These emails are sent using legitimate fintech platforms, making them almost indistinguishable from genuine messages.

The "From" addresses and other headers in these emails are actually legitimate, not newly created or fake. This is because the attackers are using known fintech platforms to send their emails.

The embedded links in these emails redirect to the platform's website, which is non-malicious. This can make it difficult to identify the email as spam.

These platforms are getting abused, allowing attackers to send spam emails that appear legitimate.

Notable Examples

Credit: youtube.com, Callback Phishing

Callback phishing attacks have been used to trick victims into revealing sensitive information. In one notable example, a callback phishing attack was used to steal a company's financial information, resulting in significant financial losses.

The attackers posed as technical support representatives, claiming that the company's system was infected with malware. They convinced the victim to provide remote access to their system, allowing the attackers to steal sensitive data.

This type of attack highlights the importance of verifying the identity of individuals claiming to be from technical support.

For more insights, see: Reactflow Node Html Callback

PayPal

PayPal is often targeted by cybercriminals who abuse its features to send phishing emails. They may include fake customer hotlines and suspicious To addresses to trick users into divulging sensitive information.

A money request notification sent using PayPal may seem normal at first glance, but look out for payment notes and listed To addresses that don't add up. The request may claim there's an anomalous transaction on the account and instruct you to call a phone number that doesn't belong to PayPal customer service.

Cybercriminals also exploit PayPal's invoice feature to send bogus invoices for settled transactions. These invoices may contain fake customer hotlines and suspicious To addresses, just like the example in Figure 16, which shows a processed payment from a suspicious "T & G Store" for an iPhone 15 Pro unit.

For more insights, see: Paypal Phishing Email Scams

When IT Support Fails to Deliver

Scam Alert Letting Text on Black Background
Credit: pexels.com, Scam Alert Letting Text on Black Background

Cybercriminals are getting craftier, and one of the latest tricks is designed to make you think help is just a call away. Unfortunately, it's not.

Fake IT support is a growing concern, making it difficult to know who to trust.

Cybercriminals are using fake IT support to scam people out of their money.

These scammers can make you think they're legitimate by claiming to be from a well-known company.

They'll often ask for remote access to your computer or ask you to download software that looks legitimate but actually contains malware.

Security and Protection

To stay safe from callback phishing attacks, it's essential to be aware of the tactics used by scammers. Callback phishing relies on voice communication to deceive victims.

Security awareness training is key to teaching employees to recognize the signs of callback phishing. This type of training should be provided to all employees to help them understand the risks.

Avoid responding to unsolicited requests, especially if they ask you to call a phone number. Instead, do a Google search for the real customer service number.

Credit: youtube.com, Protecting Yourself from Callback Phishing Attacks

Integrated Email Security (IES) solutions can detect signatureless threats, including callback phishing ploys. This type of solution is a must-have for organizations.

Here are some steps organizations can take to protect themselves:

  • Encourage employees to question unexpected communication and pause before engaging.
  • Establish clear verification steps for phone-based requests, such as cross-checking with internal contact points.
  • Strengthen access control procedures by enforcing Multi-Factor Authentication (MFA) and restricting remote-access tools.
  • Foster a culture of secondary confirmation, where voice requests for sensitive actions require a second layer of validation.

By following these steps, organizations can significantly reduce their risk of falling victim to callback phishing attacks.

Identifying and Preventing Callback Phishing

Callback phishing scams can be sneaky, but being aware of the tactics scammers use is key to spotting them. These scams often claim there's an urgent issue with your bank account, credit card, taxes, or online accounts that requires immediate action.

Legitimate companies will never contact you out of the blue demanding personal data or payments over the phone. If you're concerned there may really be an issue, contact the company directly using a verified phone number from their official website or your account statements.

Email security tools can fall short in catching callback phishing scams because they don't leave any obvious signs of malware. This is because attackers are adapting and targeting uninformed users with convincing social engineering scams instead of trying to evade sophisticated threat detection software.

Email Body Evasion Techniques

Credit: youtube.com, How to recognize a fake phishing email and avoid falling victim to cybercrime @cyberduckysg

Cybercriminals have updated their tactics to lure users into calling malicious phone numbers, making it harder for email security tools to detect.

The BazarCall scheme in 2020 used a novel approach of delivering the BazarLoader malware through text-based email, but later updated to a phone call-based attack.

Callback phishing scams are designed to evade detection by leaving nothing for traditional security tools to catch.

These scams rely on convincing ruses, deceptive wording, and "clean" emails that make it past traditional defenses without getting flagged.

By targeting uninformed users with convincing social engineering scams, attackers choose the "safer" route, avoiding sophisticated threat detection software.

Traditional email security tools that come standard with Microsoft 365 are falling short in catching these ploys because they don't leave anything to catch.

Identify a Scam

Be cautious of unsolicited emails, texts, or calls claiming there's an urgent issue with your bank account, credit card, taxes, or online accounts that requires immediate action.

Credit: youtube.com, Spot Phishing Emails | Here is how

These types of emails can bypass email spam filters, making them harder to detect.

Legitimate companies will never contact you out of the blue demanding personal data or payments over the phone.

If you receive such a call, don't fall for it. Hang up immediately and contact the company directly using a verified phone number from their official website or your account statements.

Scammers often include fake customer service numbers in emails that appear to come from trusted brands.

Instead of calling the number provided, verify contact details directly through the company’s official website or app.

Urgency is a tactic scammers use to pressure you into action. Take a moment to assess the situation calmly before responding.

If something feels off during a phone call, such as unexpected questions or requests for remote access, hang up immediately.

Here are some red flags to watch out for:

  • Unsolicited emails, texts, or calls claiming an urgent issue with your account.
  • Requests for personal data or payments over the phone.
  • Pressure to act quickly.
  • Unexpected questions or requests for remote access during a phone call.

Trust your instincts and verify independently. If you're unsure about the legitimacy of a call, use a verified source to confirm if the issue is real.

Malware and Consequences

Credit: youtube.com, Call Me Maybe? The Rise of Callback Phishing Emails | SLEUTHCON 2023

Malware can be a major consequence of a callback phishing attack, as seen in the example where a malicious actor used a callback phishing attack to gain access to a company's network.

The malware used in this attack was able to evade detection by traditional security measures, highlighting the importance of having robust security protocols in place.

A callback phishing attack can also lead to data breaches, as was the case when the malicious actor gained access to sensitive company data.

The attacker was able to steal sensitive information, including employee login credentials and financial data, which could have severe consequences for the company.

In the worst-case scenario, a callback phishing attack can result in the complete compromise of a company's network, leading to significant financial losses and reputational damage.

The Rise of Callback Phishing

Callback phishing is a growing threat, with instances spiking by 140% in summer 2024.

The first callback phishing scam appeared in 2021, but it's only recently gained traction as a top phishing vector contender.

Credit: youtube.com, Vishing Attacks On the Extreme Rise

Callback phishing is a low-tech, human-centric attack that's designed to get around sophisticated email scan technology.

In many cases, these scams involve a long, drawn-out phone call that can be psychologically harrowing for the victim.

A financial reporter was even duped into taping $50,000 in a shoebox and handing it to a stranger after a four-hour phone call.

Until now, there haven't been many guardrails in place to prevent these TOAD attacks, leaving employees to rely on their own judgment to vet suspicious-looking emails.

Email security solutions have largely fallen short in preventing callback phishing scams.

Frequently Asked Questions

What are 5 key signs of phishing?

Phishing attempts can be identified by 5 key signs: suspicious emails with unsolicited attachments, poor grammar and spelling, and attempts to panic or deceive the recipient. Be cautious of emails that don't match the sender's domain or contain links to unfamiliar websites.

Rosemary Boyer

Writer

Rosemary Boyer is a skilled writer with a passion for crafting engaging and informative content. With a focus on technical and educational topics, she has established herself as a reliable voice in the industry. Her writing has been featured in a variety of publications, covering subjects such as CSS Precedence, where she breaks down complex concepts into clear and concise language.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.