Callback phishing moves a phishing attack from the inbox to the phone, which can reduce the signals traditional email defenses evaluate. This article breaks down how callback phishing works, why it can succeed against conventional security tools, and what your organization can do to detect and disrupt it.

Callback phishing is a multi-channel social engineering attack that uses trust and urgency to bypass traditional security defenses without relying on links or attachments. Also referred to as telephone-oriented attack delivery (TOAD) and classified under MITRE ATT&CK (Spearphishing Voice), this tactic blends convincing emails with real-time phone calls to create a deceptive experience that feels legitimate and highly effective.

1. A user receives a malicious email claiming urgent action is needed because of a suspended account, suspicious activity, an expiring subscription, or a potential security breach.
2. Instead of asking the user to click a link, the email provides a phone number to call.
3. When the user calls, they speak with someone impersonating support staff who walks them through a process designed to steal credentials or gain access to internal systems.

This tactic works because it:

• Slips past email filters: Without a malicious link or attachment, traditional tools may have fewer signals to evaluate.
• Builds credibility: A live conversation creates trust that static messages cannot match.
• Prompts quick action: Messages are crafted to trigger urgency, so users respond without pausing to evaluate.

As these hybrid attacks become more common, security strategies need to expand beyond email content alone. Understanding how callback phishing works is a first step toward building resilience against modern threats.

Callback phishing can evade conventional defenses by exploiting gaps between communication channels and taking advantage of human behavior.

Most email security tools are designed to catch digital threats like malicious links, suspicious attachments, or spoofed domains. Callback phishing often avoids those common indicators by shifting the attack from email to voice, where visibility drops and user trust increases. A peer-reviewed bibliometric review published in PMC/NIH identifies social engineering messages that deceive recipients without malicious links or attachments as a detection challenge requiring content and behavioral signals rather than payload analysis.

Emotional pressure is a core reason callback phishing works. Callback phishing preys on urgency, fear, and authority, factors that influence fast decision-making. When a user is told their account is suspended or a charge is pending, the instinct is to act quickly. Calling a number doesn't feel risky, which makes the deception harder to detect.

These campaigns often use fake invoice notifications tied to well-known brands, subscription renewal warnings for services the target may actually use, or account compromise alerts that mimic legitimate security notifications. The professional habit of responding quickly to these scenarios becomes a vulnerability.

Channel switching creates a monitoring gap that many organizations may struggle to cover. Traditional security solutions often focus on a single communication channel. Callback phishing starts in email and moves to phone, creating a blind spot that many organizations are not equipped to monitor or secure.

Live phone conversations can quickly reinforce the deception. Attackers use this to their advantage, impersonating support staff and guiding users through convincing, high-stakes scenarios. Once trust is established, collecting credentials or gaining access without raising suspicion becomes far easier.

Attackers may reinforce the illusion by making the call appear legitimate. When a call feels expected and routine, the target has little reason to question it.

Callback phishing has become a practical intrusion method for threat groups that want initial access, malware delivery, or ransomware deployment. These campaigns follow recognizable patterns and have been tied to well-known actors.

BazarCall established a pattern that many later campaigns followed. The BazarCall campaign helped shape how callback phishing works today. Attackers sent emails claiming a subscription would auto-renew and instructed users to call a number to cancel. On the call, the attacker posed as support and guided the victim to install what was actually BazarLoader, a remote access trojan.

This campaign showed how email-to-voice channel switching could be used to deliver malware. BazarCall primarily targeted enterprise users at mid-size and large organizations, where subscription-based software is common enough that a renewal notice would not immediately seem out of place.

Silent Ransom Group expanded callback phishing beyond the initial email lure. The Silent Ransom Group (SRG), also tracked as Luna Moth, has pushed callback phishing further. An IC3 advisory documents SRG's evolution from callback phishing emails to proactively calling targets while impersonating the victim organization's IT department and using legitimate remote management tools.

In a major escalation, SRG members conducted face-to-face social engineering to physically infiltrate corporate environments. Law firm Jones Day confirmed a phishing incident attributed to SRG involving a multi-million dollar extortion demand.

3AM ransomware used callback phishing as part of a broader access chain. Microsoft Digital Defense Report 2025 documents this pattern, including email bombing, IT impersonation, remote access, and the use of a QEMU-based virtual machine to help evade detection. The QEMU approach is significant because it creates a sandboxed environment that endpoint detection tools cannot inspect, since the malicious activity runs inside a virtualized layer invisible to the host operating system's security controls.

Callback phishing campaigns frequently target industries where phone-based requests can seem routine and credible.

• Financial services.
• Healthcare: The FBI and HHS issued a joint advisory specifically addressing social engineering tactics targeting healthcare entities, documenting phishing schemes to steal login credentials and divert funds.
• Technology.
• Insurance, retail, and aviation: CISA Advisory AA23-320A (updated July 2025) documents Scattered Spider's active targeting of these verticals through help desk vishing using stolen PII.

These industries rely heavily on email and phone-based workflows, which makes them well suited to social engineering. When a call feels expected and professional, users are more likely to follow instructions, especially when the request feels urgent.

AI-generated voice cloning makes callback phishing harder to identify by sound alone.

The FBI IC3 issued a Public Service Announcement documenting an ongoing campaign using AI-generated voice cloning to impersonate senior U.S. government officials in targeted vishing attacks, with activity dating back to at least 2023. The FBI recommends verifying identity through independent, out-of-band channels before acting on any financial request, credential sharing, or system access change, regardless of how convincing the caller sounds.

Threat actors can now clone executive voices, generate highly personalized lures using generative AI, and deliver multi-modal campaigns where an initial text is reinforced by a subsequent AI-voiced phone call.

Reducing callback phishing risk depends on layered controls across email, identity, and voice verification processes.

Layered controls can help close the gaps that callback phishing exploits across tools, teams, and workflows.

Here's how to close the gaps.

The email still provides an early opportunity to identify callback phishing before the phone call begins. The email might look legitimate, but small signals often give it away. Traditional phishing protections like email authentication protocols, including DMARC, SPF, and DKIM, are important but not enough on their own. NIST SP 800-177r1 covers the deployment of these protocols as mitigations for email sent using forged sending addresses, providing a standards-based foundation.

Advanced email security solutions can help detect callback phishing by analyzing:

• Unusual email content: Messages that prompt action without containing links or attachments.
• Metadata anomalies: Irregular sender reputation, unexpected timing, or atypical language patterns.
• Embedded phone numbers: Numbers paired with urgent language or vague references to billing or account access.

Adding external banners and filtering messages that contain callback-style language provides another layer of defense. CISA Advisory AA23-320A recommends adding banners to emails received from outside the organization.

Voice verification controls can disrupt the attack after the email is delivered. Organizations should implement formal processes for validating phone-based requests, including:

• Multi-factor authentication: Require phishing-resistant MFA for system access and financial approvals, with number-matching MFA as an interim step.
• Designated Verification Numbers: Provide employees with confirmed numbers they can use to validate support calls independently.
• Identity Check Protocols: Require identity verification before acting on urgent phone-based instructions.
• Pre-Shared Code Words: Use a shared secret for financial authorization calls that cannot be known to an attacker who has only cloned an executive's voice.

The goal is to make phone verification just as secure as email.

Behavioral AI should be scoped to the email and account-based components of callback phishing campaigns.

Most email security tools focus on the inbox, which makes the email stage a primary control point. Behavioral AI can help surface the email and account-based components of these scams by identifying suspicious patterns around the message itself. Instead of scanning only for keywords or signatures, it can help identify:

• Emails that prompt uncommon user actions like calling support.
• Inconsistencies in communication timing, tone, or sender behavior.
• Anomalies in account activity following email receipt, such as unusual login attempts or software downloads.

While callback phishing spans email and voice, organizations need complementary controls for the voice stage. This context helps security teams investigate the suspicious email that initiated the campaign and respond earlier.

Employee training can reduce the chance that a suspicious email turns into a trusted phone conversation. Employees are a critical part of the detection process. Callback phishing works because it feels like any other quick call to clear up an account issue. Training can change that instinct.

• Include callback phishing in security awareness programs: NIST SP 800-172 Control 3.2.2e mandates practical exercises aligned with current threat scenarios, including simulated social engineering attempts with rapid feedback.
• Run simulations that involve voice-based interactions, not just email lures.
• Establish clear escalation paths when something doesn't feel right.

Remote and distributed teams may be even more vulnerable, which makes proactive education essential.

Callback phishing thrives in the gaps between systems and silos. By expanding detection across channels and building habits that prioritize verification, organizations can shut down the pathway before it leads to compromise.

Callback phishing is a reminder that email security works best as part of a broader defense strategy.

Callback phishing relies on urgency, trust, and behavior, not just malware or links. While these campaigns increasingly blend email with voice calls, the primary control point remains the inbox.

Abnormal is designed to help detect the email and account-based components of these campaigns. Our behavioral AI analyzes identity, content, and user behavior to help surface subtle anomalies that legacy tools may miss. Recognized as a Leader in the Gartner® Magic Quadrant™ for Email Security Platforms, Abnormal is designed to strengthen email security against the kinds of socially engineered threats that often initiate callback phishing campaigns.