What is Callback Phishing?

Callback voice phishing, or telephone-oriented attack delivery (TOAD), is a clever trick cybercriminals use. It starts with an email but differs from the phishing emails you might be familiar with. Instead of asking you to click on a link or download an attachment, this email prompts you to make a phone call.

In 2023, text message scams, which often involve callback phishing techniques, led to $372 million in losses, as the Federal Trade Commission reported.

A 2023 survey revealed that 56% of organizations identified operational disruption as the most concerning impact of cyber incidents, underscoring the significant effect on business continuity.

So, how do callback phishing attacks work, and how can your organization avoid falling victim to these increasingly cunning tactics? In this blog, we'll cover:

• The anatomy of a callback phishing attack
• Recent examples and trends in 2024
• Proven strategies and tools to mitigate these callback threats.

Here's how it typically works: You receive an email alerting you to a problem, such as a payment due for a service you don't recall signing up for. Curiously, the email gives little detail but urges you to call a provided phone number for more information. When you call this number, a person on the other end – the attacker – uses persuasive tactics to extract sensitive information from you or to convince you to take actions that could harm your computer, like installing malware.

Understanding Callback Voice Phishing: Anatomy of an Attack

Callback phishing typically begins with a spoofed email or text message urging the recipient to call a designated phone number. The email often contains alarming language, such as:

“Your account has been compromised. Call our support team immediately at 1234567890 to secure your information.”

When the victim calls the number, they are connected to a social engineering expert—the cybercriminal. This person pretends to be an IT support professional, payment processor, or even law enforcement. Using psychological manipulation, they pressure the victim into revealing sensitive details like:

• Login credentials
• Bank account numbers
• Multi-factor authentication (MFA) codes

Once the attacker gains access to internal systems, they might install malware, steal data, or escalate their attack to ransomware deployment.

Why is Callback Phishing Rising?

Callback phishing is becoming more common for several reasons. First, people are becoming more aware of traditional phishing emails, so scammers use more sophisticated methods.

Callback phishing is also harder to detect and block because these emails often don't contain the usual malicious links or attachments that email security systems look for.

Callback Phishing Statistics in 2025

Understanding the callback phishing statistics behind these attacks is significant for businesses and individuals alike to grasp the severity of the threat and take appropriate measures. Let's delve into some key statistics highlighting the growing concern around callback phishing as of 2025.

• Significant Increase in Callback Phishing Incidents: Cybersecurity experts reported a staggering 625% increase in callback phishing attacks from the first quarter of 2021 to the second quarter of 2022. This trend underscores a worrying escalation in the frequency and sophistication of these attacks.
• Financial Impact on Businesses: According to the Federal Trade Commission (FTC) in the United States, businesses faced substantial financial losses due to imposter scams, including vishing (voice phishing), amounting to $1.8 billion in 2020. This figure highlights the significant financial risk posed by such scams.
• Average Losses from Vishing Scams: The Better Business Bureau (BBB) reported that the average loss for businesses due to vishing scams in 2020 was around $7,640, with some incidents leading to losses as high as $500,000. These numbers reflect the severe impact that a single successful attack can have on a business.
• Prevalence of Vishing Attacks: A survey by Pindrop Security in 2019 revealed that nearly 60% of businesses experienced a vishing attack within a year, with the average financial loss per incident being $43,000. In some extreme cases, losses exceeded $1 million, demonstrating the potentially devastating consequences of these attacks.
• Fraud Costs in the UK: In the UK, the cost of fraud to businesses reached a staggering £1.2 billion in 2020, as reported by UK Finance. Vishing was identified as one of the most common fraud types, with losses totaling £37.8 million. This data indicates that the threat is not confined to one region but is a global concern.

These statistics from 2025 paint a clear picture: callback phishing is not just a fleeting cyber threat but a significant and growing challenge.

Identifying Callback Phishing Emails

Recognizing a callback phishing email is key to avoiding its trap. Here are some signs to watch for:

Unfamiliar Sender: If the email claims to be from a company you don't recognize or have no dealings with, be cautious.

Generic Email Addresses: Legitimate companies usually send emails from their domain, not from generic email services.

Urgency and Lack of Detail: These emails often create a sense of urgency but provide little to no specific information, pushing you to call for more details.

Spelling and Grammar Mistakes: Professional companies typically ensure error-free communication.

Techniques Used in Callback Phishing

Scammers use various social engineering techniques in callback phishing:

• Creating a Sense of Urgency: They might insist that immediate action is needed, preying on the victim's fear or anxiety.
• Feigning Authority: To gain the victim's trust, the scammer may pretend to be a figure of authority, such as a bank official or a law enforcement agent.
• Offering Help or Rewards: Sometimes, they offer assistance or promise rewards to lure the victim into complying with their requests.

2025 Trends in Callback Voice Phishing

In this section, we’ll explore the key trends shaping callback phishing in 2025, including advanced spoofing tactics, the use of AI for real-time manipulation, and strategies businesses can adopt to stay ahead of this evolving cyber threat. Let’s dive in!

1. Sophisticated Spoofing Technology

Attackers are now using advanced AI-driven tools to spoof legitimate company phone numbers. This creates an illusion of trust, making it difficult for employees to differentiate real calls from malicious ones.

2. Targeting High-Ranking Employees

Known as whaling, this tactic focuses on executives or senior managers with access to critical systems. A Verizon 2023 Data Breach Investigations Report highlighted that 67% of callback phishing attacks target individuals with elevated access privileges.

3. Integration with Smishing and Vishing

Callback phishing is often part of a broader phishing campaign, including smishing (phishing via SMS) and vishing (voice phishing). Attackers use multiple platforms to increase their success rates.

4. Exploitation of Remote Work Setups

The hybrid work model has increased vulnerabilities, as employees often lack robust IT support at home. Callback phishing exploits this weakness, with attackers posing as remote IT helpdesk agents.

5. Increased Targeting of SMEs

While large enterprises remain prime targets, small and medium-sized enterprises (SMEs) are increasingly under attack. SMEs often lack robust cybersecurity defenses, making them easy targets for callback phishing campaigns. According to the FBI's 2025 IC3 Report, over 40% of callback phishing attacks in 2025 targeted businesses with fewer than 500 employees.

6. Weaponization of Automated Call Centers

Some cybercriminals are now using automated call centers to scale their operations. These systems can handle a high volume of callbacks, providing scripted responses that sound professional and convincing. By automating the process, attackers can increase the success rate of their campaigns while minimizing their own operational workload.

7. Focus on Critical Industries

Healthcare, finance, and education are among the most targeted industries in 2025. For instance, healthcare organizations are being bombarded with fake IT callbacks requesting access to patient data systems, while financial institutions face attacks on employees with access to payment systems. These sectors are lucrative for attackers due to the sensitive and high-value data they handle.

8. Bypassing Multi-Factor Authentication (MFA)

Attackers are finding new ways to bypass MFA systems. One common method involves tricking employees into providing their one-time passwords (OTPs) or MFA codes during fake callback interactions. This trend emphasizes the need for additional layers of security, such as phishing-resistant authentication methods.

How to Protect Your Business Against Callback Phishing

Safeguarding your business from callback phishing involves several key strategies that blend technological tools with proactive awareness and response measures. Here's a detailed breakdown:

1. Implement Email Security Solutions

Utilize advanced email security systems capable of identifying and flagging suspicious emails. These systems act as the first line of defense, filtering out potential phishing emails before they reach your employees, thereby reducing the risk of human error.

2. Verify Independently

Always verify the legitimacy of an email request by checking the phone number or contact details through official websites or trusted sources rather than relying solely on the information provided in the email. Independent verification helps avoid deceptive tactics phishers use and ensures that any action taken is based on reliable and accurate information.

3. Educate Yourself and Others: Security Awareness Training

Regularly conduct security awareness training for all employees. This training should cover identifying phishing emails, safe online practices, and reporting suspicious activities. Well-informed employees are less likely to fall for phishing scams. Continuous security awareness training creates a knowledgeable workforce that recognizes and responds appropriately to cybersecurity threats.

4. Use a Callback Phishing Simulator

Implement a callback phishing simulator as part of your security training program. This tool simulates realistic phishing scenarios to test employees' responses in a controlled environment. Callback phishing simulations provide practical, hands-on experience. They help employees understand the subtleties of phishing attacks and learn how to react without the risk of real-world consequences.

5. Reporting Incidents

Establish a clear protocol for reporting suspected phishing incidents. Encourage employees to report any suspicious emails or calls immediately. Prompt reporting of incidents allows for quicker response and mitigation, reducing potential damage. It also helps in updating and refining security measures based on real-life scenarios.

6. Fixing Email Misconfigurations

Regularly review and correct misconfigurations in your email systems. Ensure that your email settings are optimized for security. Correcting misconfigurations prevents exploitation by cybercriminals. Secure email configurations are important in preventing unauthorized access and reducing the likelihood of successful phishing attacks.

By implementing these strategies, your business can significantly enhance its defenses against the sophisticated and evolving threat of callback phishing. Remember, the key to effective cybersecurity is robust technology and continuous awareness.

How to Use Keepnet Callback Phishing Simulator

To effectively protect your organization from the growing threat of callback phishing attacks, utilizing tools like Keepnet's Callback Phishing Simulator is significant. Callback simulator simulator allows you to replicate real-world attack scenarios, test employee responses, and identify vulnerabilities in handling phishing attempts. By customizing campaigns with realistic fake callbacks, tracking engagement rates, and reviewing detailed analytics, businesses can pinpoint weak links and provide targeted training to employees.

Pairing these simulations with Keepnet's Security Awareness Training ensures your workforce is well-prepared for sophisticated phishing tactics.

For a detailed step-by-step guide on running callback phishing simulations, check out our blog How to Run Callback Phishing Simulations Effectively to ensure your organization remains one step ahead of cybercriminals.

Explore Keepnet Callback Phishing Simulator on YouTube.

See our Keepnet Callback Phishing Simulator product in the video below, including demonstrations of vishing simulation, phishing simulation, and smishing simulations or callback phishing simulation.

Editor's Note: This blog was updated on December 26th, 2024.