Callback Phishing Explained: The Multi-Channel Threat Hiding in Plain Sight
Cybercriminals are getting smarter and sneakier. As traditional defenses catch up to email-based attacks, threat actors are shifting tactics.
One of the most dangerous evolutions? Callback phishing.
Let’s dive into what callback phishing is, what it means for your organization, and how you can detect and safeguard against it.
What Is Callback Phishing?
Callback phishing is a multi-channel social engineering attack that uses trust and urgency to bypass traditional security defenses without relying on links or attachments.
As phishing tactics evolve, attackers are moving beyond the inbox. Callback phishing blends convincing emails with real-time phone calls to create a deceptive experience that feels legitimate and dangerously effective.
Here’s how it works:
A user receives a malicious email claiming urgent action is needed because of a suspended account, suspicious activity, an expiring subscription, or a potential security breach.
Instead of asking the user to click a link, the email provides a phone number to call.
When the user calls, they speak with someone impersonating support staff who walks them through a process designed to steal credentials or gain access to internal systems.
This tactic works well because it:
Slips Past Email Filters: Without a malicious link or attachment, traditional tools have nothing to flag.
Builds Credibility: A live conversation creates trust that static messages cannot match.
Prompts Quick Action: Messages are crafted to trigger urgency, making users more likely to respond without pausing to evaluate.
As these hybrid attacks become more common, security strategies need to expand beyond email content alone. Understanding how callback phishing works is a critical step toward building resilience against modern threats.
Why Traditional Security Measures Fail Against Callback Phishing
Callback phishing evades conventional defenses by exploiting gaps between communication channels and leveraging human behavior.
Most email security tools are designed to catch digital threats like malicious links, suspicious attachments, or spoofed domains. Callback phishing bypasses all of these by shifting the attack from email to voice, where visibility drops and user trust increases.
Emotional Triggers Make Attacks Feel Legitimate
Callback phishing preys on factors like urgency, fear, and authority that influence fast decision-making. When a user is told their account is suspended or a charge is pending, the instinct is to act quickly. Calling a number doesn’t feel risky, which makes the deception harder to detect.
Switching Channels Breaks Traditional Detection
Traditional security solutions focus on a single communication channel. Callback phishing exploits this by starting in email and moving to phone, which creates a blind spot that many organizations are not equipped to monitor or secure.
Phone Calls Build Trust Faster Than Emails
A live voice on the other end of the line can establish credibility in seconds. Attackers use this to their advantage, impersonating support staff and guiding users through convincing, high-stakes scenarios. Once trust is established, it's easier to collect credentials or gain access without raising suspicion.
Real-World Campaigns and Threat Actor Techniques
Advanced threat groups have adopted callback phishing as a reliable way to gain access and deliver malware or ransomware. These campaigns follow recognizable patterns and have been tied to well-known actors.
BazarCall Introduced the Callback Phishing Playbook
The BazarCall campaign helped shape how callback phishing works today. Attackers sent emails claiming a subscription would auto-renew and instructed users to call a number to cancel. On the call, the attacker posed as support and guided the victim to install what appeared to be a cancellation tool but was actually BazarLoader, a remote access trojan.
This was one of the first widespread examples of email-to-voice channel switching being used to deliver malware.
Ryuk and Conti Used Voice-Based Access for Ransomware Deployment
Groups linked to Ryuk and Conti have incorporated callback phishing into ransomware operations. After establishing trust over the phone, attackers gained initial access and quickly moved to execute ransomware payloads.
These campaigns often target industries with high-stakes environments, where speed matters and a support call feels routine.
Callback Phishing Campaigns Target High-Trust Industries
Callback phishing campaigns most frequently target the following sectors:
Financial services
Healthcare
Technology
These industries rely heavily on email and phone-based workflows, making them ideal for social engineering. When a call feels expected and professional, users are more likely to follow instructions, especially when the request feels urgent.
How to Detect and Prevent Callback Phishing
Stopping callback phishing requires more than email filtering. It demands a multi-layered approach that spans technology, training, and cross-channel visibility.
Because these attacks start in one place and finish in another, they exploit the boundaries between tools, teams, and workflows. Here’s how to close the gaps.
Strengthen Email Defenses
The email might look legitimate, but small signals often give it away. Traditional phishing protections like DMARC, SPF, and DKIM are important but not enough on their own.
Advanced email security solutions can help detect callback phishing by analyzing:
Unusual email content that prompts action without links or attachments.
Metadata anomalies like sender reputation, timing, or language use.
Embedded phone numbers paired with urgent language or vague references to billing or account access.
Adding external banners and filtering messages that contain callback-style language provides another layer of defense.
Verify Voice-Based Interactions
Because callback phishing moves from email to voice, preventing the second stage is just as important.
Organizations should implement formal processes for validating phone-based requests, including:
Multi-factor authentication for system access and financial approvals.
Designated verification numbers employees can use to confirm support calls.
Clear internal protocols that require identity checks before acting on urgent phone-based instructions.
The goal is to make phone verification just as secure as email.
Use Behavioral AI to Catch Cross-Channel Attacks
Most email security tools stop at the inbox. Callback phishing succeeds because it doesn’t.
Behavioral AI helps bridge that gap by detecting unusual activity across channels. Instead of scanning for keywords or signatures, it looks for:
Emails that prompt uncommon user actions, like calling support
Inconsistencies in communication timing, tone, or sender behavior
Anomalies in user behavior following email receipt, such as unusual login attempts or software downloads
This context-aware detection helps surface threats that would otherwise go unnoticed.
Train Employees on What to Look For
Employees are a critical part of the detection process. Callback phishing works because it feels like any other quick call to clear up an account issue. Training can change that instinct.
Include callback phishing in security awareness programs.
Run simulations that involve voice-based interactions, not just email lures.
Establish clear escalation paths when something doesn’t feel right.
Remote and distributed teams may be even more vulnerable, which makes proactive education essential.
Callback phishing thrives in the gaps between systems and silos. By expanding detection across channels and building habits that prioritize verification, organizations can shut down the pathway before it leads to compromise.
Staying Ahead of Multi-Channel Threats
Callback phishing shows how easily attackers can bypass traditional security by shifting from one communication channel to another. These threats rely on urgency, trust, and behavior—not just malware or links.
Abnormal stops callback phishing by understanding the context behind every message. Our behavioral AI analyzes identity, content, and user behavior to detect subtle anomalies and flag threats that legacy tools miss.
Want to see how Abnormal can help your team detect and stop multi-channel threats like callback phishing? Schedule a demo today!