The Rising Threat of Callback Phishing

The cybersecurity landscape is constantly evolving, with new threats emerging at an alarming rate. As technology advances, so do the methods used by cybercriminals as they employ more complex and sophisticated tactics. One popular tactic, known as callback phishing, blends the familiar vectors of phishing emails with vishing calls to elicit information from unsuspecting individuals.

What is Callback Phishing?

Callback phishing is a method of social engineering that combines the distribution of phishing or smishing messages with a live phone conversation to elicit sensitive information from individuals. Cybercriminals send emails pretending to be from a trusted source. The message conveys a sense of urgency to push the target to promptly call an included phone number to resolve the issue. Because the target initiates the call themselves, the interaction begins with an increased level of trust that helps facilitate the process. As a result, when the target calls, they’re more likely to provide information or take the actions the criminal requests.

Who Is Vulnerable?

Attacks like this can impact government entities, businesses, and individuals alike. A compromise of any of these parties may lead to compromised login credentials, personal identifying information, and networks, as well as financial loss and data theft.

Real-Life Examples of Callback Phishing

    • According to BleepingComputer, callback phishing began to appear in March 2021 under the name “BazarCall.” Malicious actors sent emails posing as software companies, medical service companies, and subscription services, reaching out to “subscribers” about a service renewal that could be canceled by calling an included phone number. Individuals who called the number were then led through a process of downloading a file that installed malware.
    • BleepingComputer also reported on some federal agencies that had fallen prey to a reverse phishing campaign in 2022. Malicious actors sent help desk-themed emails containing a phone number to call to personal and government email addresses. Individuals who called in were directed to visit a malicious domain for further compromise.
    • According to the FBI, a criminal organization known as the Silent Ransom Group (SRG) or Luna Moth conducted data theft and extortion attacks in 2023 using the callback phishing method. When targets called the phone number presented in the initial phishing email, the attackers were able to gain the cooperation of the callers to install system management tools that allowed them to compromise networks and files.
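
As an added example (not part of the original post and not Social-Engineer's tooling), the sketch below shows a mail-filter heuristic for the pattern in the campaigns above: a renewal or help desk lure that urges the reader to phone a number missing from the organization's own records. The keyword lists, the phone number format, the sample messages and the trusted-number set are all assumptions.

```python
import re

# Lure themes from the campaigns described above (service renewals, help desk notices).
LURE = re.compile(r"\b(renewal|renewed|subscription|help ?desk|invoice)\b", re.I)
# Urgency phrases; this list is an assumption for illustration, tune it on real mail.
URGENCY = re.compile(r"\b(immediately|urgent|within \d+ (?:hours?|days?)|to cancel)\b", re.I)
# Call-to-action verb followed closely by a North American style number (assumed format).
PHONE = r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}"
CALL_CTA = re.compile(r"\b(?:call|contact|dial|phone)\b[^\n]{0,60}?(" + PHONE + ")", re.I)

def normalize(number: str) -> str:
    """Keep the last ten digits so formatting differences do not matter."""
    return re.sub(r"\D", "", number)[-10:]

def score_message(body: str, trusted_numbers: set) -> dict:
    """Flag a message that pushes the reader to phone an unverified number."""
    cta = CALL_CTA.search(body)
    number = normalize(cta.group(1)) if cta else None
    trusted = {normalize(n) for n in trusted_numbers}
    signals = {
        "call_to_phone": cta is not None,
        "lure_theme": LURE.search(body) is not None,
        "urgency": URGENCY.search(body) is not None,
        "unverified_number": number is not None and number not in trusted,
    }
    # Flag only when the number is unverified and a lure or urgency cue is present.
    flagged = signals["unverified_number"] and (signals["lure_theme"] or signals["urgency"])
    return {"flagged": flagged, "number": number, "signals": signals}

# Constructed sample messages; 555-01xx numbers are reserved for fiction.
SAMPLES = {
    "renewal_lure": "Your subscription renewal of $399 is processed today. "
                    "To cancel, call our billing team at +1 (202) 555-0147 within 24 hours.",
    "known_vendor": "Your invoice is attached. Questions? Call us at 202-555-0100.",
    "newsletter": "Read our latest post on security awareness training.",
}
TRUSTED = {"+1 202 555 0100"}  # assumed: numbers taken from your own vendor records

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, score_message(body, TRUSTED))
```

The returned number can be handed to the help desk or SOC so that reports from employees who received the same message are matched to one campaign.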

How Can You Protect Your Business from Callback Phishing?

Education and awareness are key to defending your business from multi-vectored attacks! To meet this need, Social-Engineer, LLC offers an innovative Callback Phishing offensive security service that is available through a 90-day pilot program. Tailored scenarios mimic the latest social engineering tactics, allowing your team to practice recognizing and responding to these multi-vectored attacks in a realistic but controlled environment.

By giving employees an opportunity to experience and respond to callback phishing in a realistic but low-threat environment, problematic behaviors can be detected and remediated before a compromise can occur. Additionally, statistical insights gained from these training opportunities can give your security team an ongoing view of where gaps in education may exist and how your team's responses trend over the span of the program.

Stay Safe from Callback Phishing

Callback phishing is a dangerous and growing threat to businesses of all sizes. By staying informed and taking proactive security measures, companies can reduce their risk and protect their data and assets from cybercriminals.

Please contact us today for a consultation.

Written by:
Faith Kent
Human Risk Analyst at Social-Engineer, LLC
