What is Callback Phishing (TOAD)?

Written by IRONSCALES | May 29, 2026 12:00:00 PM

Callback Phishing Explained

Callback phishing is a phishing technique where the initial email contains no malicious links or attachments, only a phone number and a pretext designed to make the recipient call. MITRE ATT&CK classifies this approach under T1566.004: Spearphishing Voice, which explicitly describes "callback phishing" as a variant where victims receive messages directing them to call a phone number controlled by the adversary. Unlike vishing, where the attacker initiates the call, callback phishing is email-initiated: the victim makes the call, which lowers their guard because they believe they are contacting a legitimate organization.

How Callback Phishing Works

Callback phishing attacks follow three phases that span email and voice channels:

  • Phase 1: The email lure. The victim receives an email claiming to be a subscription renewal notice, billing alert, or account charge notification. Common pretexts include antivirus license renewals, Geek Squad service plans, PayPal transaction confirmations, or Microsoft 365 billing disputes. The email contains no clickable links and no file attachments. The only call to action is a phone number, often formatted prominently and accompanied by urgent language about impending charges (typically $299 to $499).
  • Phase 2: The voice engagement. When the victim calls, a live operator answers using a scripted identity matching the impersonated brand. The operator uses social engineering techniques to guide the victim through specific actions: visiting a URL, downloading a remote access tool (such as AnyDesk or TeamViewer), or opening a file that installs malware. Because the victim initiated the call, they are psychologically invested in the interaction and more compliant with instructions.
  • Phase 3: The payload. Once remote access is established or malware is installed, the attacker moves to credential theft, lateral movement, or ransomware deployment. The entire exploit chain depends on human interaction, not automated code execution.

Callback Phishing in the Wild: From BazarCall to Ransomware

The BazarCall campaign, first observed in 2020, pioneered callback phishing at scale. Operators sent subscription renewal emails for fake antivirus products and directed victims to call a support number to cancel. The phone operator then walked victims through downloading BazarLoader (later BazarBackdoor), which provided initial access for ransomware deployment.

BazarCall's success created a template that multiple ransomware operations adopted. The Ryuk group used callback phishing for initial access before Conti inherited the playbook. After Conti dissolved in 2022, splinter groups including Luna Moth (also tracked as Silent Ransom), Quantum, and Royal continued to refine the technique. Royal ransomware operators were specifically noted for using callback phishing emails containing phone numbers instead of traditional payloads.

Brand impersonation patterns have expanded beyond antivirus renewals. Trustwave researchers documented a 140% surge in callback phishing volume between July and September 2024, with the most impersonated brands including Microsoft, Norton LifeLock, PayPal, DocuSign, and Best Buy's Geek Squad. Attackers increasingly use VoIP numbers rather than mobile or landline numbers because VoIP is harder to trace to a physical location.

The technique is particularly effective for invoice fraud and business email compromise scenarios, where a fake billing notice paired with a phone number can bypass both automated scanning and casual human review. The email looks clean because it is clean. The threat lives entirely in the phone call.

Callback Phishing Protection from IRONSCALES

IRONSCALES behavioral AI analyzes message patterns, including phone number prominence, urgency language, and the absence of links or attachments, to detect callback phishing emails that content-based scanners miss.
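The signals named above (a prominent phone number, urgency language, no links, no attachments, a charge in the typical $299 to $499 band from the Phase 1 description) can be turned into a simple heuristic that a mail gateway or SOC triage script applies before any sandboxing, which is useless here because there is nothing to detonate. The following is an added example, not IRONSCALES code and not a description of its product logic; the two sample messages are constructed, the sender domains are placeholders, and the keyword lists and score thresholds are illustrative choices.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample messages (not real attack samples).
CALLBACK_LURE = """\
From: "Billing Department" <billing@example.invalid>
To: user@example.invalid
Subject: Your antivirus subscription has been renewed - $349.99
Content-Type: text/plain; charset=utf-8

Dear customer,

Your annual protection plan was renewed today and $349.99 will be charged
to your card within 24 hours. If you did not authorize this renewal,
call our billing team immediately at 1-800-555-0199 to cancel.

Thank you,
Customer Support
"""

BENIGN_NOTICE = """\
From: "Example SaaS" <noreply@example.invalid>
To: user@example.invalid
Subject: Your monthly statement is available
Content-Type: text/plain; charset=utf-8

Hi,

Your statement for last month is ready. View it at
https://billing.example.invalid/statements/2024-09

Questions? Reply to this email or visit our help center.
"""

URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
# North American formats such as 1-800-555-0199, (800) 555-0199, 800.555.0199
PHONE_RE = re.compile(r"(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}")
AMOUNT_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})*(?:\.\d{2})?)")
# Illustrative urgency phrases; a production list would be tuned on real traffic.
URGENCY_TERMS = ("immediately", "within 24 hours", "will be charged",
                 "did not authorize", "urgent")


def _body_text(msg: Message) -> str:
    """Concatenate text/plain parts, skipping anything flagged as an attachment."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if (part.get_content_type() == "text/plain"
                and part.get_content_disposition() != "attachment"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8",
                                             errors="replace"))
    return "\n".join(chunks)


def _has_attachment(msg: Message) -> bool:
    return any(part.get_content_disposition() == "attachment" for part in msg.walk())


def callback_phishing_indicators(raw_message: str) -> dict:
    """Score a raw RFC 822 message for the callback-phishing lure signature.

    The core signature is a phone number with no links and no attachments;
    urgency wording and a charge in the typical range raise confidence.
    """
    msg = message_from_string(raw_message)
    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    lowered = text.lower()
    phones = PHONE_RE.findall(text)
    amounts = [float(a.replace(",", "")) for a in AMOUNT_RE.findall(text)]
    indicators = {
        "no_links": URL_RE.search(text) is None,
        "no_attachments": not _has_attachment(msg),
        "phone_number_present": bool(phones),
        "urgency_language": any(term in lowered for term in URGENCY_TERMS),
        "charge_in_typical_range": any(299 <= a <= 499 for a in amounts),
    }
    core = (indicators["phone_number_present"] and indicators["no_links"]
            and indicators["no_attachments"])
    supporting = indicators["urgency_language"] or indicators["charge_in_typical_range"]
    verdict = "likely_callback_lure" if core and supporting else "no_callback_signature"
    return {
        "verdict": verdict,
        "score": sum(indicators.values()),
        "phone_numbers": phones,
        "indicators": indicators,
    }


if __name__ == "__main__":
    for label, sample in (("lure", CALLBACK_LURE), ("benign", BENIGN_NOTICE)):
        print(label, callback_phishing_indicators(sample))
```

The point of the heuristic is the inversion of the usual phishing model: an absence of links and attachments is itself a feature when paired with a phone number, so a rule that only fires on URLs or file types will score the lure as clean. Extracted phone numbers are worth logging as indicators in their own right, since the same VoIP numbers tend to recur across a campaign.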
