Beware: Callback Phishing
Callback phishing, a sneaky tactic used by hackers, is on the rise.

Callback phishing is a deceptive tactic employed by cybercriminals to exploit human behavior. Also known as telephone-oriented attack delivery (TOAD), callback phishing combines two phishing methods: an email lure and a follow-up phone call.

You receive an email alerting you about a problem, such as an overdue payment for a service. Instead of providing further details in the email, the hacker includes a contact phone number. They hope you’ll call that number in response to the urgent situation described in the email. When you make the call, the cybercriminal uses social engineering techniques to manipulate you into sharing sensitive information or taking actions that benefit them.

How Callback Phishing Works

Imagine you receive an email claiming you owe payment for a subscription to a service you never purchased. Curious or annoyed, you call the phone number provided in the email. A threat actor answers the call and guides you through specific steps, such as canceling the order. During this process, malware may be silently installed on your computer, or the hacker may extract sensitive information from you.

Why Hackers Attempt Callback Phishing

Callback phishing allows threat actors to:

  • Steal sensitive data: This could include login credentials, credit card information, or other confidential data.
  • Install ransomware: They encrypt your data and demand ransom.
  • Access financial details: They aim to steal money from your accounts.
  • Install remote access software: This grants them control over your files.

Unlike traditional phishing emails with malicious attachments or links, callback phishing emails often bypass filters because they lack these elements. Additionally, the per-target cost of callback phishing is low, making it an attractive choice for cybercriminals.

How to Prevent Callback Phishing Attacks

Follow these four steps to stay safe:

  1. Verify phone numbers: Before calling any unknown number, visit the organization’s official website to confirm its legitimacy.
  2. Question callers: If someone claims to have information on file, ask them to prove their legitimacy. If in doubt, hang up.
  3. Beware of urgency: Phishing relies on impulsive actions. Think twice before responding to this type of situation.
  4. Check the sender's domain: An email is likely to be a phishing email if it comes from an unexpected sender. The email may claim to come from a legitimate company, but it doesn't use that company's domain. Instead, it may use a generic email address at google.com or yahoo.com.
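As an added example (not part of the original article), here is a Python triage heuristic that scores an email on the signals this post describes: a phone number with no links or attachments, urgency wording, a free webmail sender, and a display name that claims a company the sender's domain does not match. The two sample messages and the free-mail domain list are constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample in the callback-phishing style: no links, a phone number,
# urgency wording, and a display name whose brand is absent from the sender domain.
SAMPLE_PHISH = """\
From: "Acme Billing Dept" <billing.renewal@yahoo.com>
To: employee@example.com
Subject: URGENT: Your annual subscription renewal of $349.99 was processed

Your order has been renewed and $349.99 will be charged within 24 hours.
If you did not authorize this payment, call our support line immediately
at (800) 555-0142 to cancel.
"""

# Constructed benign counterpart: matching domain, a link, no phone number.
SAMPLE_LEGIT = """\
From: "Acme Billing" <billing@acme.example>
To: employee@example.com
Subject: Your receipt for March

Your invoice is available at https://billing.acme.example/invoices/1234
Reply to this email with any questions.
"""

PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
URGENCY = ("urgent", "immediately", "within 24 hours", "charged", "overdue", "cancel")
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumed list

def score_callback_phish(raw: str) -> dict:
    """Return the callback-phishing indicators found in a raw RFC 822 message and a score."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # single-part message, so this is the body text
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    indicators = {
        "phone_number_present": bool(PHONE_RE.search(body)),
        "no_links": not URL_RE.search(body),
        "urgency_language": any(w in text for w in URGENCY),
        "freemail_sender": domain in FREEMAIL,
        # First word of the display name (the claimed brand) missing from the sender domain.
        "brand_domain_mismatch": bool(display) and display.split()[0].lower() not in domain,
    }
    score = sum(indicators.values())
    return {"indicators": indicators, "score": score, "suspicious": score >= 4}
```

A score of 4 or more flags the message for human review; the threshold and keyword list are starting points to tune against your own mail stream.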

Callback phishing, a social engineering attack, relies on human error rather than system vulnerabilities. Cybersecurity awareness training programs can minimize the risk of callback phishing and other cyberattacks. Your training program should include mock phishing tests to assess your employees' preparedness to fight callback phishing campaigns.

Contact AM Data Service if you are interested in launching a cybersecurity awareness training program at your organization.

Email: [email protected] or call (734) 744-5300.
