Cybersecurity Glossary

What Is Callback Phishing?

Callback phishing is a scam that starts with a message, alert, invoice, or voicemail and pushes the target to call a phone number controlled by the attacker. Once the target calls, the attacker uses a live conversation to build trust, create pressure, and guide the person toward an unsafe action.

Short definition

Callback phishing is a phishing method that tricks or pressures the target into calling the attacker. The first message may avoid links or attachments, making it look less suspicious, while the real manipulation happens during the phone call.

At a glance: Callback phishing moves the attack from a written message into a voice conversation, where the attacker can adapt, reassure, and pressure the target in real time.

Expanded explanation

Callback phishing is effective because the initial message may contain no link or attachment for filters or users to flag. It might be a fake invoice, subscription renewal notice, bank alert, security warning, or support message that contains a phone number instead of a suspicious link. Some users are more willing to call than click because calling feels like a safer way to verify.

The problem is that the phone number belongs to the attacker. Once the target calls, the scammer can ask questions, respond to hesitation, create urgency, and guide the person step by step. The attacker may claim to be support, billing, fraud prevention, legal, IT, or a vendor representative.

Callback phishing often blends email, phone calls, and fake websites. A message creates the reason to call. The call creates trust. Then the attacker may ask the target to visit a site, install remote access software, share a code, approve a prompt, provide payment information, or reveal business details.

For organizations, callback phishing is a reminder that a phishing campaign does not end at the inbox. A user may not click a link in the original email, but the same message can still succeed if it moves them into a phone conversation.

How Callback Phishing Works

Callback phishing usually follows a predictable sequence: a message gives the target a reason to place the call, and the call itself does the rest.

  1. The attacker sends a reason to call. The message may mention a charge, renewal, account problem, legal issue, support case, or suspicious activity.
  2. The message avoids obvious payloads. Some callback lures contain no attachment or link, which can help them look less dangerous to users and filters.
  3. The target calls the supplied number. The call may be answered by a person, menu, recorded prompt, or call center-style setup.
  4. The attacker steers the conversation. They may ask for identity details, remote access, payment information, one-time codes, or a login.
  5. The scam expands from the call. The target may be sent to a fake site, asked to install software, or moved into a second channel for follow-up.

Common Callback Phishing Examples

Callback phishing lures often look like billing or support issues.

  • Fake subscription renewal: An email says a costly renewal is about to process and provides a phone number to cancel.
  • Bank or fraud alert: A message claims suspicious activity was detected and tells the user to call a fraud department number.
  • Tech support warning: The target is told their device, account, or software license has a problem that requires immediate support.
  • Invoice dispute: A fake vendor message asks finance or operations to call about an invoice, payment issue, or contract problem.
  • Legal or compliance notice: A message warns of a missed deadline, policy violation, or case number and directs the recipient to call for details.
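The lure traits above (a phone number standing in for a link, a call-to-action, and a billing, fraud, support or legal theme with urgency) can be turned into a simple triage heuristic. The following is an added example, not code from this glossary's publisher; the regexes, keyword lists, weights and threshold are assumptions, and the sample messages are constructed.

```python
import re

# Heuristic triage for callback-phishing lures. Scores a message on the traits
# the glossary describes: a phone number instead of a link, an explicit request
# to call, a billing/fraud/support/legal theme, and urgency. Weights, keyword
# lists and the flag threshold are assumptions chosen for illustration.

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
CALL_VERBS = ("call", "dial", "phone", "contact us at", "reach us at")
THEMES = {
    "billing": ("renewal", "invoice", "charge", "subscription", "payment"),
    "fraud": ("suspicious activity", "fraud", "unauthorized"),
    "support": ("license", "support case", "device", "account problem"),
    "legal": ("deadline", "violation", "case number", "compliance"),
}
URGENCY = ("immediately", "within 24 hours", "today", "will be charged", "final notice")


def score_lure(text: str) -> dict:
    """Return extracted phone numbers, matched themes and a risk score for one message."""
    lowered = text.lower()
    phones = PHONE_RE.findall(text)
    has_link = bool(URL_RE.search(text))
    themes = [name for name, words in THEMES.items() if any(w in lowered for w in words)]
    asks_to_call = any(v in lowered for v in CALL_VERBS)
    urgent = any(u in lowered for u in URGENCY)
    score = 0
    if phones:
        score += 2                       # a number to call is the core of the lure
    if phones and asks_to_call:
        score += 2                       # the message pushes the reader to dial it
    if phones and not has_link:
        score += 1                       # the number replaces the usual link payload
    score += len(themes)                 # billing / fraud / support / legal pretext
    if urgent:
        score += 1                       # time pressure
    return {"phones": phones, "themes": themes, "has_link": has_link,
            "urgent": urgent, "score": score, "flag": score >= 5}


# Constructed sample messages (555-01xx numbers are reserved fictional numbers).
RENEWAL_LURE = ("Your annual software subscription renewal of $499.99 will be charged today. "
                "To cancel, call our billing team at (555) 014-2200 within 24 hours.")
BENIGN_NOTE = ("Hi team, the Q3 planning doc is at https://intranet.example/planning. "
               "Ping me on chat if you have questions.")
BENIGN_PHONE = "Reminder: the dentist appointment is Tuesday at 3pm. Office: 555-018-3344."

if __name__ == "__main__":
    for name, msg in (("lure", RENEWAL_LURE), ("note", BENIGN_NOTE), ("phone", BENIGN_PHONE)):
        print(name, score_lure(msg))
```

A phone number on its own does not trip the threshold; it is the combination of number, call request, pretext and urgency that separates the renewal lure from the two benign messages.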

Why Callback Phishing Matters

Callback phishing matters because it changes the user's mental model. A suspicious link feels risky, but a phone call can feel like verification. Because the technique overlaps with vishing (voice phishing), it gives attackers a live voice channel they can use to move the target into a controlled conversation.

Calls also give attackers flexibility. If the target sounds unsure, the scammer can explain. If the target asks a question, the scammer can adapt. If the target wants proof, the scammer can point back to the original message or send a follow-up link while the conversation is active.

For businesses, the risk includes account takeover, remote access compromise, payment fraud, credential theft, and disclosure of internal information. A callback scam can also bypass email-focused awareness habits because the most persuasive part of the attack happens over the phone.

How to Reduce Callback Phishing Risk

Callback phishing prevention depends on teaching people not to trust contact information supplied by the suspicious message.

  • Use official contact details. If an issue might be real, call the number on the company website, contract, app, card, or internal directory.
  • Do not share codes or passwords. A caller should not ask for passwords, MFA codes, recovery keys, or full payment details.
  • Block remote access pressure. Employees should not install remote access tools or screen-sharing software from an unexpected support call.
  • Report the original lure. Security teams need the email, number, voicemail, attachment, or screenshot that started the call.
  • Practice voice scenarios. Awareness programs should include phone-based lures so employees learn how pressure sounds in a live conversation.

Related Glossary Terms

Callback phishing is closely related to voice impersonation and broader business scams.

Final Takeaway

Callback phishing works by making the victim take the next step. The original message creates concern, and the phone call turns that concern into a conversation the attacker controls.

The safest response is to break the path the attacker provides. Do not use the number in the message, do not share sensitive information on the call, and verify the issue through a channel you already trust.

FAQ

Questions Teams Ask About Callback Phishing

Quick answers about phone-based phishing, callback lures, and safer verification behavior.

What is callback phishing?

Callback phishing is a scam where a message, invoice, alert, or voicemail pushes the target to call a phone number controlled by the attacker.

Why do callback phishing scams use phone calls?

Phone calls let attackers build trust, answer questions, create pressure, and guide the target through actions that might look suspicious in an email alone.

Is callback phishing the same as vishing?

They overlap. Vishing is voice phishing broadly, while callback phishing usually starts with a message that convinces the victim to place the call.

How can employees avoid callback phishing?

Employees should avoid phone numbers supplied in suspicious messages, use official contact details, report the lure, and refuse requests for passwords, codes, or remote access.