What is Callback Phishing?
Callback phishing, also known as telephone-oriented attack delivery (TOAD), is a hybrid social engineering technique that combines email and voice. The attacker sends an email that doesn't contain a malicious link. Instead, it includes a phone number and asks the target to call. When the target calls, a live attacker impersonating tech support, a vendor, or a billing department manipulates them into granting remote access, revealing credentials, or making payments.
How Callback Phishing Works
The initial email typically impersonates a subscription service (antivirus software, streaming service, cloud tool) and claims the target is about to be charged for a renewal. The email provides a phone number to call to cancel. When the target calls, the attacker walks them through steps that install remote access software, reveal login credentials, or authorize payments. Because the target initiated the call, they're more trusting than if they received an unsolicited call.
Why Callback Phishing Matters
Callback phishing has grown 625% since 2021 according to Agari. It's effective because the email itself contains no malicious payload (no links, no attachments), so it bypasses email security tools. The real attack happens over the phone, where there are no technical controls and the attacker can adapt in real time.
How to Protect Against Callback Phishing
- Include callback phishing scenarios in your simulation program.
- Train employees to independently verify phone numbers. Never call numbers from unsolicited emails.
- Deploy email security that flags subscription-themed lures even without malicious links.
- Test employees with hybrid scenarios that combine email and voice.
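The third recommendation above, flagging subscription-themed lures that carry no link or attachment, can be approximated with a content heuristic. The following is an added example written for this page, not a product's or vendor's rule set; the regular expressions, keyword lists, verdict rule and sample messages are constructed assumptions.

```python
import re

# Heuristic triage for callback-phishing lures: the message carries no URL or
# attachment but pairs renewal/charge language with a phone number to call.
# Patterns, terms and the verdict rule are illustrative assumptions for this
# example, not a vendor's detection logic.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://|www\.", re.I)
MONEY_RE = re.compile(r"[$€£]\s?\d+(?:[.,]\d{2})?")
RENEWAL_RE = re.compile(r"\b(renew\w*|subscription|charged|invoice|billing|payment)\b", re.I)
CALL_RE = re.compile(r"\b(call|dial|phone)\b", re.I)
URGENCY_RE = re.compile(r"\b(within \d+ hours?|immediately|today|expires?)\b", re.I)


def score_callback_lure(subject: str, body: str, has_attachment: bool = False) -> dict:
    """Return the indicator breakdown, a triage score and a flag for one message."""
    text = f"{subject}\n{body}"
    indicators = {
        "phone_number": bool(PHONE_RE.search(text)),
        "call_request": bool(CALL_RE.search(text)),
        "renewal_theme": bool(RENEWAL_RE.search(text)),
        "amount_quoted": bool(MONEY_RE.search(text)),
        "urgency": bool(URGENCY_RE.search(text)),
        "no_link_or_attachment": not URL_RE.search(text) and not has_attachment,
    }
    # Core signature of a callback lure: something to call, a billing pretext,
    # and nothing to click. Amount and urgency only raise the triage score.
    core = all(indicators[k] for k in
               ("phone_number", "call_request", "renewal_theme", "no_link_or_attachment"))
    return {"indicators": indicators, "score": sum(indicators.values()), "flag": core}


# Constructed sample messages for this example (not real phishing emails).
SAMPLES = {
    "lure": ("Your ExampleAV subscription has renewed",
             "We have charged $349.99 to your card for another year. To cancel and "
             "request a refund, call our billing desk at 1-888-555-0142 within 24 hours."),
    "vendor_invoice": ("Invoice 2031 is ready",
                       "View and pay at https://billing.example.com/inv/2031. "
                       "Questions? Call 1-800-555-0199."),
    "benign": ("Team lunch Friday", "Noon at the usual place, reply if you are joining."),
}

if __name__ == "__main__":
    for name, (subject, body) in SAMPLES.items():
        result = score_callback_lure(subject, body)
        print(f"{name:15} flag={result['flag']!s:5} score={result['score']}")
```

The invoice sample is not flagged because it contains a URL; link-bearing billing mail is left to the controls that already inspect links, while this rule targets the link-free pattern the page describes.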
Frequently Asked Questions
Why is callback phishing harder to detect than traditional phishing?
The initial email contains no malicious payload, links, or attachments, so it bypasses email security tools designed to scan for malware or spoofed URLs. The actual attack happens over the phone where there are no technical controls.
How has callback phishing grown since 2021?
According to Agari, callback phishing has grown 625% since 2021. This growth reflects attackers adapting to email security improvements by moving the attack vector to voice, where technical controls are less effective.
Why do people trust callback phishing attackers more than unsolicited callers?
Because the victim initiated the call, they are more trusting than if an attacker had called them unsolicited. The victim believes they are calling a legitimate number in response to a real subscription issue, lowering their guard against manipulation.
What should employees do if they receive an email asking them to call about a subscription?
Do not call the number provided in the email. Instead, independently look up the vendor's phone number from their official website or statement, and call that number to verify whether the subscription issue is real.