Callback Phishing Explained: The Multi-Channel Threat Hiding in Plain Sight

Cybercriminals are getting smarter and sneakier. As traditional defenses catch up to email-based attacks, threat actors are shifting tactics.

One of the most dangerous evolutions? Callback phishing.

Let’s dive into what callback phishing is, what it means for your organization, and how you can detect and safeguard against it.

Callback phishing is a multi-channel social engineering attack that uses trust and urgency to bypass traditional security defenses without relying on links or attachments.

As phishing tactics evolve, attackers are moving beyond the inbox. Callback phishing blends convincing emails with real-time phone calls to create a deceptive experience that feels legitimate and dangerously effective.

Here’s how it works:

1. A user receives a malicious email claiming urgent action is needed because of a suspended account, suspicious activity, an expiring subscription, or a potential security breach.

2. Instead of asking the user to click a link, the email provides a phone number to call.

3. When the user calls, they speak with someone impersonating support staff who walks them through a process designed to steal credentials or gain access to internal systems.

This tactic works well because it:

• Slips Past Email Filters: Without a malicious link or attachment, traditional tools have nothing to flag.

• Builds Credibility: A live conversation creates trust that static messages cannot match.

• Prompts Quick Action: Messages are crafted to trigger urgency, making users more likely to respond without pausing to evaluate.

As these hybrid attacks become more common, security strategies need to expand beyond email content alone. Understanding how callback phishing works is a critical step toward building resilience against modern threats.

Callback phishing evades conventional defenses by exploiting gaps between communication channels and leveraging human behavior.

Most email security tools are designed to catch digital threats like malicious links, suspicious attachments, or spoofed domains. Callback phishing bypasses all of these by shifting the attack from email to voice, where visibility drops and user trust increases.

Emotional Triggers Make Attacks Feel Legitimate

Callback phishing preys on factors like urgency, fear, and authority that influence fast decision-making. When a user is told their account is suspended or a charge is pending, the instinct is to act quickly. Calling a number doesn’t feel risky, which makes the deception harder to detect.

Switching Channels Breaks Traditional Detection

Traditional security solutions focus on a single communication channel. Callback phishing exploits this by starting in email and moving to phone, which creates a blind spot that many organizations are not equipped to monitor or secure.

Phone Calls Build Trust Faster Than Emails

A live voice on the other end of the line can establish credibility in seconds. Attackers use this to their advantage, impersonating support staff and guiding users through convincing, high-stakes scenarios. Once trust is established, it's easier to collect credentials or gain access without raising suspicion.

Advanced threat groups have adopted callback phishing as a reliable way to gain access and deliver malware or ransomware. These campaigns follow recognizable patterns and have been tied to well-known actors.

BazarCall Introduced the Callback Phishing Playbook

The BazarCall campaign helped shape how callback phishing works today. Attackers sent emails claiming a subscription would auto-renew and instructed users to call a number to cancel. On the call, the attacker posed as support and guided the victim to install what appeared to be a cancellation tool but was actually BazarLoader, a remote access trojan.

This was one of the first widespread examples of email-to-voice channel switching being used to deliver malware.

Ryuk and Conti Used Voice-Based Access for Ransomware Deployment

Groups linked to Ryuk and Conti have incorporated callback phishing into ransomware operations. After establishing trust over the phone, attackers gained initial access and quickly moved to execute ransomware payloads.

These campaigns often target industries with high-stakes environments, where speed matters and a support call feels routine.

Callback Phishing Campaigns Target High-Trust Industries

Callback phishing campaigns most frequently target the following sectors:

• Financial services

• Healthcare

• Technology

These industries rely heavily on email and phone-based workflows, making them ideal for social engineering. When a call feels expected and professional, users are more likely to follow instructions, especially when the request feels urgent.

Stopping callback phishing requires more than email filtering. It demands a multi-layered approach that spans technology, training, and cross-channel visibility.

Because these attacks start in one place and finish in another, they exploit the boundaries between tools, teams, and workflows. Here’s how to close the gaps.

Strengthen Email Defenses

The email might look legitimate, but small signals often give it away. Traditional phishing protections like DMARC, SPF, and DKIM are important but not enough on their own.

Advanced email security solutions can help detect callback phishing by analyzing:

• Unusual email content that prompts action without links or attachments.

• Metadata anomalies like sender reputation, timing, or language use.

• Embedded phone numbers paired with urgent language or vague references to billing or account access.

Adding external banners and filtering messages that contain callback-style language provides another layer of defense.

Verify Voice-Based Interactions

Because callback phishing moves from email to voice, preventing the second stage is just as important.

Organizations should implement formal processes for validating phone-based requests, including:

• Multi-factor authentication for system access and financial approvals.

• Designated verification numbers employees can use to confirm support calls.

• Clear internal protocols that require identity checks before acting on urgent phone-based instructions.

The goal is to make phone verification just as secure as email.

Use Behavioral AI to Catch Cross-Channel Attacks

Most email security tools stop at the inbox. Callback phishing succeeds because it doesn’t.

Behavioral AI helps bridge that gap by detecting unusual activity across channels. Instead of scanning for keywords or signatures, it looks for:

• Emails that prompt uncommon user actions, like calling support

• Inconsistencies in communication timing, tone, or sender behavior

• Anomalies in user behavior following email receipt, such as unusual login attempts or software downloads

This context-aware detection helps surface threats that would otherwise go unnoticed.

Train Employees on What to Look For

Employees are a critical part of the detection process. Callback phishing works because it feels like any other quick call to clear up an account issue. Training can change that instinct.

• Include callback phishing in security awareness programs.

• Run simulations that involve voice-based interactions, not just email lures.

• Establish clear escalation paths when something doesn’t feel right.

Remote and distributed teams may be even more vulnerable, which makes proactive education essential.

Callback phishing thrives in the gaps between systems and silos. By expanding detection across channels and building habits that prioritize verification, organizations can shut down the pathway before it leads to compromise.

Callback phishing shows how easily attackers can bypass traditional security by shifting from one communication channel to another. These threats rely on urgency, trust, and behavior—not just malware or links.

Abnormal stops callback phishing by understanding the context behind every message. Our behavioral AI analyzes identity, content, and user behavior to detect subtle anomalies and flag threats that legacy tools miss.

Want to see how Abnormal can help your team detect and stop multi-channel threats like callback phishing? Schedule a demo today!