Gabriela Webster

Classic Call Scam Gets A Facelift - Callback Phishing

Updated: 3 days ago



Callback Phishing Attacks - Revealing The New Face Of Call Scams

Hey everyone, Gabriela from CYBR here with a quick update before the weekend! I'm guessing that you've received, and hopefully hung up on, at least a couple of scam calls before, but have you heard of the latest twist on this classic trick? Callback phishing shows a new level of sophistication in the evolution of the well-known "call centre" phone scams. While phishing email templates have constantly improved over the years, hackers in the past lacked the expertise to continuously defraud victims while evading detection.

What Is Callback Phishing?

What is callback phishing? Why does it work for threat actors, and how do you avoid falling for this social engineering tactic in the first place? Callback phishing works like this:

Callback Phishing: The Phish - The attacker sends an email invoice, typically for goods or services that their victim has not subscribed to.

Callback Phishing - The Phish

  1. The unsuspecting victim receives an email invoice, typically for goods or services they haven't subscribed to, and often the bill is unusually steep.

  2. For "convenience", a phone number is included in the invoice "should there be any cause for concern or dispute".


The sender initiates a false sense of urgency because they want you to call the number in the email. Of course, at this point, you are all too eager to give in to the bait with hopes of sorting out the unexpected invoice you've received.
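The lure described above has recognisable traits that a mail filter can score before a user ever sees it: billing wording, an unusually large amount, urgency language, a phone number offered as the only way to respond, and a sender domain or support number that does not match the brand being impersonated. The following Python is an added example written for this post (not code from CYBR or the original article); the brand allowlist, the sender domains, the thresholds and both sample messages are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Regexes for the lure's building blocks: a North American style phone number,
# a URL, and a dollar amount.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
MONEY_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})*(?:\.\d{2})?)")

INVOICE_TERMS = ("invoice", "receipt", "subscription", "renewal", "charged")
URGENCY_TERMS = ("within 24 hours", "immediately", "dispute", "cancel",
                 "urgent", "auto-renew", "will be charged", "expires")

# Hypothetical allowlist, constructed for this example: the brands an
# organisation expects invoices from, with their official sender domains and
# support numbers (digits only). A real deployment would populate this from
# independently verified contact details, never from the email itself.
BRAND_DOMAINS = {"acme antivirus": {"acme-av.example"}}
OFFICIAL_NUMBERS = {"acme antivirus": {"8005550100"}}

LARGE_AMOUNT = 200.0   # threshold for an "unusually steep" bill (assumption)
PHISH_THRESHOLD = 5    # score at or above which the message is flagged


def normalize_phone(raw: str) -> str:
    """Keep the last ten digits so formatting differences do not matter."""
    return re.sub(r"\D", "", raw)[-10:]


@dataclass
class Verdict:
    score: int
    reasons: list

    @property
    def is_callback_phish(self) -> bool:
        return self.score >= PHISH_THRESHOLD


def score_email(sender: str, subject: str, body: str) -> Verdict:
    """Score one message on the callback-phishing lure traits."""
    text = f"{subject}\n{body}".lower()
    score, reasons = 0, []
    phones = {normalize_phone(m.group()) for m in PHONE_RE.finditer(body)}

    if any(term in text for term in INVOICE_TERMS):
        score += 1; reasons.append("invoice or billing wording")
    if phones:
        score += 2; reasons.append("phone number in message body")
        if not URL_RE.search(body):
            score += 1; reasons.append("phone is the only contact path (no link)")
    if any(term in text for term in URGENCY_TERMS):
        score += 1; reasons.append("urgency or dispute wording")
    amount = MONEY_RE.search(body)
    if amount and float(amount.group(1).replace(",", "")) >= LARGE_AMOUNT:
        score += 1; reasons.append(f"unusually large amount ${amount.group(1)}")

    # Brand impersonation checks: sender domain and phone number must match the
    # independently verified contact details for the brand named in the mail.
    brand = next((b for b in BRAND_DOMAINS if b in text), None)
    if brand:
        sender_domain = sender.rsplit("@", 1)[-1].lower()
        if sender_domain not in BRAND_DOMAINS[brand]:
            score += 2; reasons.append(f"claims {brand} but sent from {sender_domain}")
        if phones and not phones & OFFICIAL_NUMBERS[brand]:
            score += 2; reasons.append(f"number is not an official {brand} contact")
    return Verdict(score, reasons)


# Two constructed sample messages (not real emails).
SAMPLES = {
    "callback_phish": (
        "billing@acme-renewals-mail.example",
        "Your ACME Antivirus subscription renewal invoice",
        "Dear customer, your ACME Antivirus subscription has been auto-renewed "
        "and your card will be charged $399.99 within 24 hours. If you did not "
        "authorize this or wish to dispute it, call customer support "
        "immediately at (800) 555-0199.",
    ),
    "legitimate_receipt": (
        "no-reply@acme-av.example",
        "Your ACME Antivirus receipt",
        "Thanks for your purchase of ACME Antivirus for $39.99. View your "
        "receipt at https://acme-av.example/receipts/12345 or call support "
        "at 800-555-0100.",
    ),
}


def classify_samples() -> dict:
    """Map each sample name to whether it is flagged as callback phishing."""
    return {name: score_email(*msg).is_callback_phish for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        verdict = score_email(*msg)
        print(f"{name}: score={verdict.score} flagged={verdict.is_callback_phish}")
        for reason in verdict.reasons:
            print("  -", reason)
```

The weighting deliberately leans on the two signals a legitimate invoice rarely shows together: a contact number that does not match the verified one for the named brand, and a message with no link at all, which is exactly what pushes the recipient onto the phone where link-scanning controls cannot follow.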




Callback Phishing: The Callback (pt.1) - The victim calls the phone number included in the email invoice that they've just received.

The Callback (pt.1)

The specifics of the attack may vary from case to case, but it often follows the outline below:


  1. Now that the victim has called the phone number attached to the email invoice, they are shocked to hear the "customer service representative" explaining that the email they'd received was a SCAM!

  2. As the victim breathes a sigh of relief, the attacker informs them that they've received this email because their computer is infected or compromised.

  3. The "customer service agent" is generous and offers to have one of their technical staff call the victim later in the day. They convince the victim that the technical staff will "restore" the device to perfect health, or the agent may even offer to assist the victim immediately during the initial phone call.



Callback Phishing: The Callback (pt.2) - The attacker manipulates the victim into launching a malicious weblink, prompting the download and execution of malicious executable software, along with enabling remote access to the victim's device.

The Callback (pt.2)

The cybercriminal has you right where they want you - you've taken the bait and are about to be phished via callback. Regardless of whether the initial email appeared to be from Paypal, Norton Anti Virus, Microsoft or any other organization, the end goal of this attack remains the same. The threat actor would like remote access to the victim's device, where they will be able to download and execute malicious executable software. So how do they carry out this plan?


  1. The victim, having already been manipulated this far, is hopeful that the technical staff will assist them in restoring their funds, cancelling their subscription or returning their device to health.

  2. Under the disguise of restoring the victim's money or device security, the attacker further manipulates and persuades the victim to launch a malicious web link, prompting the download and execution of malicious executable software and enabling remote access to their device.



Callback Phishing: The Finale - After enabling remote access to the victim's device, the attacker is able to steal the victim's banking credentials, money, private data or continue installing malware.

Callback Phishing - The Finale


In reality, the victim is far less secure than when they'd received the first email - they've actually been set up perfectly for subsequent attacks. In many of these threat scenarios, the attacker goes further and steals confidential data, such as banking or login credentials, social security numbers and even the victim's money (all under the guise of a refund or restoring security to the "compromised" device).

To further evade detection, the cybercriminal may even follow up the attack with a confirmation email or text message reassuring the victim that their refund is on the way and that their device is now secure.

A Quick Glance At The Psychology Behind Callback Phishing

If you haven't already noticed, one essential ingredient for a successful social engineering attack is the cybercriminal's ability to manipulate basic human emotions, often by creating a false sense of urgency.

In callback phishing attacks, the attacker counts on the tension created in the initial email communication. They are hopeful that because the invoice arrives unexpectedly, the victim will respond reactively by calling the phone number included in the invoice, instead of independently verifying the contact information of the legitimate business.

The phone scammer then tricks the victim into a false sense of security during the first phone call, promising to help resolve a problem (such as a refund, cancellation, or restoring device security).

The attacker can deliver their final blows and successfully evade detection of the fraudulent activities because they have maintained control over the victim via an emotional rollercoaster.

How To Avoid Falling For Callback Phishing


1. Do not call the number included in the email, and do not respond.


Do not respond to the email, don't click on any links, and definitely do not place a call to any telephone numbers associated with the email you have received. It can be very tempting to want to get in contact to clear up any discrepancies straight away, but it is best to first verify the legitimacy of the communication you've received.



2. Independent Verification

You should always check the contact information for a company independently, to make sure it is legitimate. This can be done by searching for the company's official website, to verify the contact information and their official methods of communication.


3. Check your bank accounts and credit cards


Look into your finances to verify whether or not any unexpected charges have gone through. In most situations, the attacker hopes you will blindly believe and react to the email you've received before thinking things through.


4. Keep yourself informed on the latest threats


Stay up-to-date on the most current cyber threats and follow up these tips with regular security awareness training. This will help you learn about new types of phishing threats and how to avoid them.

Good luck, and stay secure.