Phishing & Social Engineering
What is Callback Phishing?
Callback phishing, also known as telephone-oriented attack delivery (TOAD), is a hybrid social engineering attack that combines email and voice (telephone) channels to compromise organizations. The victim receives an email—typically a fake invoice, subscription renewal, or charge notification—that contains no malicious links or attachments, only a phone number. When the victim calls the number, they reach an attacker-controlled call center where a live operator uses social engineering to extract credentials, install remote access tools, or deploy malware. This attack method bypasses traditional email security controls by removing the technical payload entirely, replacing it with human-to-human manipulation.
How does callback phishing work?
Callback phishing follows a five-stage progression. First, the attacker sends a legitimate-looking email, often via a real email service to bypass filters, containing a fake invoice or subscription notice, typically for an amount under $1,000. The email contains no malicious links or attachments—only a phone number and persuasive text. Second, the victim calls the provided number and reaches a live operator in an attacker-controlled call center. Third, the operator poses as a customer service representative and guides the victim through steps, such as visiting a website, downloading a "cancellation tool," or granting remote access to their computer. Fourth, the victim installs a remote access tool (such as AnyDesk, Atera, Splashtop, Syncro, or ScreenConnect) or executes malware (such as BazarLoader), potentially in the form of ClickOnce executables disguised as support clients. Fifth, after gaining remote access, the attacker uses the compromised system for data exfiltration, lateral movement, ransomware deployment, or extortion.
The attack's success depends entirely on the victim's trust in the live operator. Because the victim initiated the call in response to a seemingly legitimate notice, they feel more in control than they would with an inbound cold call. The live operator can adapt social engineering tactics in real time, responding to objections and building urgency far more effectively than a static phishing page.
How does callback phishing differ from other phishing techniques?
| Dimension | Callback Phishing | Traditional Phishing | Vishing (Voice Phishing) |
|---|---|---|---|
| Initial Vector | Email with phone number (no links/attachments) | Email with malicious link or attachment | Unsolicited phone call |
| Email Filter Evasion | High—no malicious payload in email | Low-Moderate—links/attachments scanned | N/A (phone-only) |
| Human Interaction Required | Yes—victim must call | No—not required | Yes—attacker calls victim |
| Who Initiates Call | Victim | N/A | Attacker |
| Scalability | Lower (requires staffed call center) | Very high (fully automated) | Lower (requires callers) |
| Trust Exploitation | High—victim initiated the call, feels in control | Moderate | Moderate-High |
| Detection Difficulty | High—hybrid channel, no technical indicators in email | Moderate | Moderate |
Vishing (voice phishing) differs fundamentally because the attacker initiates the unsolicited call to the victim. Callback phishing inverts this dynamic—the victim calls the attacker, creating false confidence. Traditional phishing relies on the victim clicking a malicious link or downloading an attachment, which email security tools can scan. Callback phishing eliminates these technical attack surfaces entirely, making it invisible to conventional email security.
Why does callback phishing matter?
The prevalence and scale of callback phishing represent a critical gap in organizational defenses. According to Proofpoint's "2024 State of the Phish Report," organizations detect an average of 10 million TOAD/callback phishing attacks per month, peaking at 13 million in August 2023. At its height in 2022, Proofpoint tracked more than 600,000 TOAD attacks per day. Proofpoint data from 2024 indicates that 67% of businesses globally were affected by a TOAD attack in 2023. Only 23% of organizations educate their users on how to recognize and prevent TOAD attacks, leaving most workforces vulnerable.
Callback phishing serves as an initial access vector for ransomware and extortion groups. The Luna Moth campaign, analyzed by Unit 42/Palo Alto Networks in 2022, initially targeted small and medium businesses in the legal industry before expanding to larger retail targets. Luna Moth and related groups (including Silent Ransom Group, Quantum, and Royal ransomware operations) use callback phishing to establish initial access for subsequent ransomware deployment. The BazarCall campaign, which first appeared in late 2020/early 2021, impersonated Netflix, Hulu, Disney+, Masterclass, McAfee, Norton, and GeekSquad. BazarCall originally distributed BazarLoader malware linked to the Conti ransomware syndicate.
The threat is amplifying. According to Keepnet Labs data cited in the "2025 Phishing Statistics and Trends" report, voice phishing incidents rose over 16% in Q4 2023 from the previous quarter, and 260% compared to Q4 2022. Trustwave observed a 140% increase in callback phishing attacks between July and September 2024, signaling continued attacker investment in this vector.
What are the limitations of callback phishing attacks?
Callback phishing has several structural constraints that limit its effectiveness. First, unlike automated phishing, callback phishing requires staffed call centers with convincing, language-fluent operators. This significantly increases the cost per attack and limits scalability. Threat groups like Luna Moth have had to invest substantially in call center infrastructure, making the operation more expensive and easier to dismantle than fully automated campaigns. Second, the attack requires the victim to take additional action—calling the provided number—introducing friction compared to click-based phishing. A victim who ignores the email or is skeptical of the premise will never reach the call center. Third, voice interaction leaves traces that can be discovered by law enforcement. Phone numbers can be reported or blacklisted, and call center infrastructure can be located and dismantled. Fourth, awareness training is highly effective because the attack relies entirely on real-time social engineering over the phone. Employees who verify billing claims through official company contact channels can reliably defeat the attack. Fifth, there is a critical defense gap: only 23% of organizations train staff specifically on TOAD/callback phishing tactics, meaning the majority of workforces remain vulnerable despite the technique being well-documented and predictable.
How can organizations defend against callback phishing?
The most important defense is security awareness training tailored specifically to callback phishing and TOAD tactics—not generic link-based phishing. Organizations should include simulated callback phishing scenarios in training programs, teaching employees to recognize the pattern of unsolicited billing notices with phone numbers and no legitimate URLs. According to Proofpoint's "2024 State of the Phish Report," this is the foundational control.
All employees should be instructed to verify any billing or subscription claims independently by contacting the company through official channels (the company website, known phone numbers from company communications, or corporate directory listings). Employees must never call numbers provided in suspicious emails. According to CISA's "Counter-Phishing Recommendations for Federal Agencies" (2023), this independent verification step is essential.
Organizations should deploy advanced email filtering using AI-based security tools that can detect social engineering patterns even in emails without malicious payloads. Solutions such as Abnormal AI and Proofpoint's behavioral AI can analyze email text, sender behavior, and context to flag suspicious messages that traditional tools miss.
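The pattern the preceding paragraphs describe (a billing or subscription pretext, a sub-$1,000 charge, urgency, and a phone number as the only call to action) can be scored directly from message text, which is a useful first-pass filter or triage aid alongside a vendor's behavioral model. The following Python is an added example written for this page, not code from Proofpoint, Abnormal AI or any other product; the keyword lists, weights and alert threshold are assumptions to be tuned on your own mail, and the two sample messages are constructed.

```python
import re
from dataclasses import dataclass, field

# Added example: a content heuristic for callback-phishing (TOAD) lures.
# Keyword lists, weights and the threshold below are assumptions, not a
# vendor's model; tune them against your own legitimate and reported mail.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.IGNORECASE)
AMOUNT_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})*(?:\.\d{2})?)")
BILLING_TERMS = ("invoice", "subscription", "renew", "charged", "payment", "order")
URGENCY_TERMS = ("within 24 hours", "immediately", "cancel", "refund", "call now")


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 4  # threshold is an assumption


def score_email(subject: str, body: str) -> Verdict:
    """Score one message; higher means closer to the callback-phishing pattern."""
    text = f"{subject}\n{body}".lower()
    v = Verdict()
    phones = PHONE_RE.findall(body)
    urls = URL_RE.findall(body)
    # Core TOAD signature: the only call to action is a phone number.
    if phones and not urls:
        v.score += 3
        v.reasons.append(f"phone number {phones[0].strip()} is the only call to action (no URL)")
    if any(t in text for t in BILLING_TERMS):
        v.score += 1
        v.reasons.append("billing/subscription pretext")
    if any(t in text for t in URGENCY_TERMS):
        v.score += 1
        v.reasons.append("urgency or cancellation pressure")
    amounts = [float(a.replace(",", "")) for a in AMOUNT_RE.findall(body)]
    if any(a < 1000 for a in amounts):
        v.score += 1
        v.reasons.append("sub-$1,000 charge typical of callback lures")
    return v


# Constructed sample messages (not real mail); the phone number is a reserved fictional one.
LURE_SUBJECT = "Your antivirus subscription has been renewed"
LURE_BODY = (
    "We have charged $499.99 to your card on file for the annual renewal. "
    "If you did not authorize this charge, call our billing desk immediately at "
    "(888) 555-0142 within 24 hours to cancel and receive a refund."
)
LEGIT_SUBJECT = "Your order #10422 has shipped"
LEGIT_BODY = (
    "Track your package at https://www.example.com/track/10422. "
    "Questions? Reply to this email."
)

if __name__ == "__main__":
    for subj, body in ((LURE_SUBJECT, LURE_BODY), (LEGIT_SUBJECT, LEGIT_BODY)):
        verdict = score_email(subj, body)
        print(f"{subj!r}: score={verdict.score} suspicious={verdict.suspicious}")
        for reason in verdict.reasons:
            print("  -", reason)
```

The phone-without-URL rule carries most of the weight because it is the structural feature that makes these lures invisible to URL and attachment scanning. Some real lures do include a benign footer link, so in production the URL check should ignore known-good domains rather than any link at all; the constructed lure above scores 6 and the shipping notice scores 1.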
Endpoint controls are critical for limiting post-compromise damage. Organizations should restrict installation of remote access tools (AnyDesk, Splashtop, Atera, Syncro, ScreenConnect) on endpoints via application whitelisting or endpoint detection and response (EDR) tools, according to Unit 42's "Luna Moth Threat Assessment" (2022). Even if an employee grants remote access during a callback phishing call, endpoint controls can prevent the attacker from executing malware or accessing sensitive systems.
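Allowlisting decides what may run; the complementary detection is to watch process-creation telemetry for the remote access tools named above and for the ClickOnce launch path the page mentions, and to alert when they appear outside the hosts where IT has approved them. The following Python is an added example, not Unit 42's or any EDR vendor's logic. It assumes process events arrive as JSON lines with `host`, `user`, `image` and `parent` fields (a constructed schema), matches the product name inside the image filename rather than relying on exact binary names, and treats `dfsvc.exe` (the Windows ClickOnce deployment host) as a launch parent worth flagging; the approved-host list and the four sample events are constructed.

```python
import json
from pathlib import PureWindowsPath

# Added example: detection logic over process-creation events for the remote
# access tools the page names. Matching on a product marker in the image name
# is an assumption that avoids depending on each vendor's exact binary name.
RAT_MARKERS = {
    "anydesk": "AnyDesk",
    "atera": "Atera",
    "splashtop": "Splashtop",
    "syncro": "Syncro",
    "screenconnect": "ScreenConnect",
}
CLICKONCE_HOST = "dfsvc.exe"  # Windows ClickOnce deployment service host
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")
# (host, tool) pairs approved by IT; constructed for this example.
APPROVED = {("IT-ADMIN-02", "ScreenConnect")}


def identify_tool(image: str):
    """Return the product name if the image filename matches a known RAT marker."""
    name = PureWindowsPath(image).name.lower()
    for marker, tool in RAT_MARKERS.items():
        if marker in name:
            return tool
    return None


def evaluate(event: dict):
    """Return an alert dict for a suspicious process event, or None."""
    image = event["image"]
    parent = PureWindowsPath(event.get("parent", "")).name.lower()
    tool = identify_tool(image)
    clickonce = parent == CLICKONCE_HOST
    if tool is None and not clickonce:
        return None
    if tool and (event["host"], tool) in APPROVED:
        return None  # sanctioned deployment on an approved host
    in_user_dir = any(m in image.lower() for m in USER_WRITABLE)
    reasons = []
    if tool:
        reasons.append(f"{tool} remote access tool launched")
    if clickonce:
        reasons.append("launched by ClickOnce host dfsvc.exe")
    if in_user_dir:
        reasons.append("binary runs from a user-writable directory")
    return {
        "host": event["host"],
        "user": event["user"],
        "tool": tool or "unknown",
        "severity": "high" if (in_user_dir or clickonce) else "medium",
        "reasons": reasons,
    }


def scan(lines):
    """Run evaluate() over JSON-lines process events and collect alerts."""
    alerts = []
    for line in lines:
        alert = evaluate(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (raw strings so the JSON keeps its escaped backslashes).
SAMPLE_EVENTS = [
    r'{"host":"WS-FIN-07","user":"j.doe","image":"C:\\Users\\j.doe\\Downloads\\support-client.exe","parent":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\dfsvc.exe"}',
    r'{"host":"WS-FIN-07","user":"j.doe","image":"C:\\Users\\j.doe\\AppData\\Local\\Temp\\AnyDesk.exe","parent":"C:\\Program Files\\Mozilla Firefox\\firefox.exe"}',
    r'{"host":"IT-ADMIN-02","user":"svc.helpdesk","image":"C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe","parent":"C:\\Windows\\System32\\services.exe"}',
    r'{"host":"WS-HR-03","user":"a.smith","image":"C:\\Windows\\System32\\notepad.exe","parent":"C:\\Windows\\explorer.exe"}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['host']}/{alert['user']} {alert['tool']}: {'; '.join(alert['reasons'])}")
```

Over the sample events this raises two high-severity alerts (the ClickOnce-launched "support client" from Downloads and AnyDesk running from Temp) and stays silent for the approved ScreenConnect service on the IT admin host and for notepad. The user-writable-directory check is what separates an employee installing a tool mid-call from a managed deployment under Program Files, which is exactly the distinction an allowlisting policy should encode.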
Multi-factor authentication (MFA) limits the damage if credentials are compromised during a callback phishing call. While MFA does not prevent the attacker from gaining remote access to the employee's computer, it does prevent unauthorized access to cloud accounts and centralized resources. Organizations should ensure that all critical systems and cloud services require MFA.
Establish clear, easy channels for employees to report suspicious emails or phone interactions immediately. According to Keepnet Labs (2024), rapid incident reporting enables faster containment and investigation. Organizations should also consider implementing phone number reputation services that flag known scam phone numbers, though these are not a primary defense against sophisticated attackers who can rotate numbers frequently.
FAQs
How does callback phishing bypass email security filters?
Callback phishing emails contain no malicious links, attachments, or malware—only a phone number and social engineering text. Traditional email security solutions that scan for known indicators of compromise (IOCs) such as malicious URLs or malware signatures have nothing technical to flag. The email itself is clean from a technical perspective; the attack happens entirely during the phone call. Advanced AI-based email security that analyzes text patterns and social engineering tactics is required.
What is the relationship between callback phishing and ransomware?
Multiple ransomware and extortion groups use callback phishing as an initial access vector. According to Unit 42/Palo Alto Networks' "Threat Assessment: Luna Moth Callback Phishing Campaign" (2022), the Luna Moth group (suspected of being the Silent Ransom Group) used callback phishing to gain initial access, which they then leveraged for lateral movement and ransomware deployment. The BazarCall campaign distributed BazarLoader malware linked to the Conti ransomware syndicate. Callback phishing is attractive to ransomware operators because it provides a live, interactive entry point into organizations while evading technical security controls.
Why is callback phishing more dangerous than traditional phishing?
Three factors make callback phishing more dangerous. First, human-to-human interaction creates higher trust and urgency than a static phishing page. The victim initiated the call and feels in control, making them more likely to comply with the operator's requests. Second, the live operator can adapt social engineering tactics in real time, responding to objections, building rapport, and using psychological manipulation techniques that a phishing page cannot. Third, it bypasses most technical email defenses entirely because there is no malicious payload in the email to scan.
Which industries are most targeted by callback phishing?
The Luna Moth campaign initially targeted small and medium businesses in the legal industry before expanding to larger retail targets, according to Unit 42. Broader callback phishing campaigns target organizations across all sectors. Frequent impersonation targets include tech support teams, financial services, and subscription-based service providers (Netflix, Microsoft, Apple). These industries are attractive because they handle payment information and users are accustomed to legitimate calls about account issues.
What should I do if I believe I received a callback phishing email?
Report it immediately to your organization's security team or IT department. Do not call the number provided in the email. If you suspect you may have already called the number or provided remote access, disconnect your computer from the network immediately and contact your IT security team. They can check for unauthorized remote access sessions, installed malware, and suspicious account activity. If credentials were compromised, change your password and review account activity for signs of unauthorized access.