Key Insight
Cyber criminals are impersonating trusted brands like Microsoft, PayPal, DocuSign, and others to launch a sophisticated phishing attack known as callback phishing. Instead of relying on malicious links or fake websites, attackers trick victims into calling fraudulent phone numbers controlled by the attackers themselves. This approach exploits people’s trust in direct voice communication, making it harder for individuals and organizations to recognize and
Who should read this?
- Individuals – Anyone receiving emails, PDFs, or notifications about transactions or account issues.
- Organizations – Businesses and teams responsible for safeguarding customer data, financial assets, and critical operations, including IT, security, and executive leadership.
Callback phishing is an emerging tactic where attackers send emails or documents impersonating well-known brands. These messages often claim there is an urgent issue, such as an unauthorized transaction or subscription charge, and instruct the recipient to call a “customer service” number for assistance.
Unlike traditional phishing attacks that use malicious links or attachments, callback phishing shifts the interaction to a live phone call. Attackers lure victims into calling them, which makes the scam more convincing. This differs from vishing, where attackers directly call the victim. By having the victim initiate the call, attackers exploit the trust the victim has in legitimate organizations, making them more likely to share sensitive information or unknowingly allow malware installation.
For example:
- Fake PayPal charge notification – Victims receive a PDF claiming a large transaction has been processed. A phone number is provided to dispute the charge. When called, the attacker pretends to be a PayPal representative and convinces the victim to share login credentials or install remote access software.
Cisco Talos researchers have reported a significant increase in these telephone-oriented attack delivery (TOAD) campaigns, with most originating in the US and Europe. Threat actors favor using internet-based phone numbers (VoIP) for these scams because they are harder to trace than traditional landline or mobile numbers. These numbers can also be reused for several days, helping attackers maintain a sense of credibility with victims and run multistage scams.
Why callback phishing works
- Exploitation of phone trust – Many users believe phone calls are more secure than emails, making them less cautious when speaking directly with attackers.
- Slower detection of scam numbers – Unlike suspicious links or files that are quickly flagged by security tools, scam phone numbers are not as easily tracked or reported. As a result, attackers can reuse the same fake number for several days without being blocked.
- Emotional manipulation – Live calls let attackers pressure victims into quick decisions, bypassing their natural suspicion.
Potential impact
- Credential theft – Victims may share account logins, passwords, or other sensitive data, enabling unauthorized access.
- Financial fraud – Attackers can initiate fraudulent transactions or drain accounts once they gain access to financial information.
- Malware delivery – Victims persuaded to install remote access tools unwittingly allow malware installation on their systems.
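As an added example (not code from the page, Cisco Talos, or any of the brands named), the Python triage script below turns the observations above into defender-side detection logic: it extracts callback numbers from message text, flags a brand mention whose sender domain does not belong to that brand, flags urgent wording that accompanies a number, and records the distinct days each number appears in flagged lures, since the page notes attackers reuse one VoIP number for several days. The brand-to-domain map, urgency cue list, phone-number pattern and sample messages are all constructed for this example.

```python
import re
from collections import defaultdict

# Brands the page names as impersonated; brand-to-domain map and urgency cues are constructed here.
BRAND_DOMAINS = {"paypal": "paypal.com", "microsoft": "microsoft.com", "docusign": "docusign.com"}
URGENCY_CUES = ("unauthorized", "dispute", "suspended", "within 24 hours", "immediately")
# North American formats such as 1-800-555-0142 or (800) 555-0142.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

def normalize_phone(raw):
    # Digits only, minus a leading country code 1, so differently formatted numbers compare equal.
    digits = re.sub(r"\D", "", raw)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits

def score_message(msg):
    # Returns (callback numbers, reasons); an empty reasons list means the message is not flagged.
    text = (msg["subject"] + " " + msg["body"]).lower()
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    phones = {normalize_phone(p) for p in PHONE_RE.findall(msg["body"])}
    reasons = []
    for brand, domain in BRAND_DOMAINS.items():  # brand named, number present, sender is not that brand
        if phones and brand in text and not sender_domain.endswith(domain):
            reasons.append(f"mentions {brand} but sent from {sender_domain}")
    if phones and any(cue in text for cue in URGENCY_CUES):
        reasons.append("urgent wording paired with a callback number")
    return phones, reasons

def triage(messages, days_seen=None):
    # days_seen maps a number to the distinct days it appeared in flagged lures (multi-day reuse
    # is the signal the page describes); pass a shared dict to persist state across batches.
    days_seen = defaultdict(set) if days_seen is None else days_seen
    alerts = []
    for msg in messages:
        phones, reasons = score_message(msg)
        if not reasons:
            continue
        for phone in sorted(phones):
            days_seen[phone].add(msg["date"])
            if len(days_seen[phone]) >= 2:
                reasons.append(f"number {phone} reused across {len(days_seen[phone])} days")
        alerts.append({"subject": msg["subject"], "phones": sorted(phones), "reasons": reasons})
    return alerts

# Constructed sample messages; senders and 555-01xx numbers are fictitious.
SAMPLE_MESSAGES = [
    {"from": "billing@notify-mail.example", "date": "2025-03-03", "subject": "PayPal: invoice for $479.99",
     "body": "An unauthorized charge was processed. To dispute it, call 1-800-555-0142 now."},
    {"from": "alerts@notify-mail.example", "date": "2025-03-05", "subject": "Microsoft 365 renewal notice",
     "body": "Your subscription charge of $299 posts today. Call (800) 555-0142 within 24 hours to cancel."},
    {"from": "sam@company.example", "date": "2025-03-05", "subject": "Lunch", "body": "Call me at 415-555-0199?"},
]
```

Running `triage(SAMPLE_MESSAGES)` flags the two brand lures and not the colleague's message, and the second lure additionally carries the reuse reason because the same number appeared two days earlier.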
Recommendations for individuals
- Be cautious when contacting phone numbers from emails – Scammers often include fake customer service numbers in emails that appear to come from trusted brands. Instead of calling the number provided, verify contact details directly through the company’s official website or app.
- Don’t let urgency pressure you into action – Callback phishing messages are designed to create panic, mentioning unauthorized charges or account closures to make the recipient act quickly. Take a moment to assess the situation calmly before responding.
- Trust your instincts and verify independently – If something feels off during a phone call, such as unexpected questions or requests for remote access, hang up immediately. Use a verified source, like the company’s website or support channel, to confirm whether the issue is real.
Recommendations for organizations
- Encourage employees to question unexpected communication – Callback phishing often starts with a message urging someone to call a number urgently. Remind staff to pause and verify before engaging, especially when messages reference financial transactions, account updates, or service renewals.
- Establish clear verification steps for phone-based requests – Attackers rely on trust in voice communication to bypass digital safeguards. Implement a policy that requires employees to cross-check all phone-based requests, especially those involving credentials or payments, using known, internal contact points.
- Strengthen access control procedures – Attackers may use live calls to gain remote access. Enforce Multi-Factor Authentication (MFA) and restrict the use of remote-access tools to prevent unauthorized entry, even if credentials are compromised.
- Foster a culture of secondary confirmation – Just as with emails, voice requests for sensitive actions should never be acted on without a second layer of validation. Use internal channels, like a direct call to a manager or an IT ticket, to confirm before proceeding.
Attackers Impersonate Top Brands in Callback Phishing