What is Callback Phishing?

What is Callback Phishing?

Callback voice phishing, sometimes known as telephone-oriented attack delivery (TOAD), is a clever trick cybercriminals use. It starts with an email but differs from the phishing emails you might be familiar with. Instead of asking you to click on a link or download an attachment, this email prompts you to make a phone call.

Here's how it typically works: You receive an email alerting you to a problem, such as a payment due for a service you don't recall signing up for. Curiously, the email gives little detail but urges you to call a provided phone number for more information. When you call this number, a person on the other end – the attacker – uses persuasive tactics to extract sensitive information from you or to convince you to take actions that could harm your computer, like installing malware.

Why is Callback Phishing Rising?

Callback phishing is becoming more common for several reasons. First, people are becoming more aware of traditional phishing emails, so scammers use more sophisticated methods.

Callback phishing is also harder to detect and block because these emails often don't contain the usual malicious links or attachments that email security systems look for.

Callback Phishing Statistics in 2024

Understanding the callback phishing statistics behind these attacks is significant for businesses and individuals alike to grasp the severity of the threat and take appropriate measures. Let's delve into some key statistics highlighting the growing concern around callback phishing as of 2024.

• Significant Increase in Callback Phishing Incidents: Cybersecurity experts reported a staggering 625% increase in callback phishing attacks from the first quarter of 2021 to the second quarter of 2022. This trend underscores a worrying escalation in the frequency and sophistication of these attacks.
• Financial Impact on Businesses: According to the Federal Trade Commission (FTC) in the United States, businesses faced substantial financial losses due to imposter scams, including vishing (voice phishing), amounting to $1.8 billion in 2020. This figure highlights the significant financial risk posed by such scams.
• Average Losses from Vishing Scams: The Better Business Bureau (BBB) reported that the average loss for businesses due to vishing scams in 2020 was around $7,640, with some incidents leading to losses as high as $500,000. These numbers reflect the severe impact that a single successful attack can have on a business.
• Prevalence of Vishing Attacks: A survey by Pindrop Security in 2019 revealed that nearly 60% of businesses experienced a vishing attack within a year, with the average financial loss per incident being $43,000. In some extreme cases, losses exceeded $1 million, demonstrating the potentially devastating consequences of these attacks.
• Fraud Costs in the UK: In the UK, the cost of fraud to businesses reached a staggering £1.2 billion in 2020, as reported by UK Finance. Vishing was identified as one of the most common fraud types, with losses totaling £37.8 million. This data indicates that the threat is not confined to one region but is a global concern.

These statistics from 2024 paint a clear picture: callback phishing is not just a fleeting cyber threat but a significant and growing challenge.

Identifying Callback Phishing Emails

Recognizing a callback phishing email is key to avoiding its trap. Here are some signs to watch for:

Unfamiliar Sender: If the email claims to be from a company you don't recognize or have no dealings with, be cautious.

Generic Email Addresses: Legitimate companies usually send emails from their domain, not from generic email services.

Urgency and Lack of Detail: These emails often create a sense of urgency but provide little to no specific information, pushing you to call for more details.

Spelling and Grammar Mistakes: Professional companies typically ensure error-free communication.

Techniques Used in Callback Phishing

Scammers use various social engineering techniques in callback phishing:

• Creating a Sense of Urgency: They might insist that immediate action is needed, preying on the victim's fear or anxiety.
• Feigning Authority: To gain the victim's trust, the scammer may pretend to be a figure of authority, such as a bank official or a law enforcement agent.
• Offering Help or Rewards: Sometimes, they offer assistance or promise rewards to lure the victim into complying with their requests.

How to Protect Your Business Against Callback Phishing

Safeguarding your business from callback phishing involves several key strategies that blend technological tools with proactive awareness and response measures. Here's a detailed breakdown:

1. Implement Email Security Solutions

Utilize advanced email security systems capable of identifying and flagging suspicious emails. These systems act as the first line of defense, filtering out potential phishing emails before they reach your employees, thereby reducing the risk of human error.

2. Verify Independently

Always verify the legitimacy of an email request by checking the phone number or contact details through official websites or trusted sources rather than relying solely on the information provided in the email. Independent verification helps avoid deceptive tactics phishers use and ensures that any action taken is based on reliable and accurate information.

3. Educate Yourself and Others: Security Awareness Training

Regularly conduct security awareness training for all employees. This training should cover identifying phishing emails, safe online practices, and reporting suspicious activities. Well-informed employees are less likely to fall for phishing scams. Continuous security awareness training creates a knowledgeable workforce that recognizes and responds appropriately to cybersecurity threats.

4. Use a Callback Phishing Simulator

Implement a callback phishing simulator as part of your security training program. This tool simulates realistic phishing scenarios to test employees' responses in a controlled environment. Callback phishing simulations provide practical, hands-on experience. They help employees understand the subtleties of phishing attacks and learn how to react without the risk of real-world consequences.

5. Reporting Incidents

Establish a clear protocol for reporting suspected phishing incidents. Encourage employees to report any suspicious emails or calls immediately. Prompt reporting of incidents allows for quicker response and mitigation, reducing potential damage. It also helps in updating and refining security measures based on real-life scenarios.

6. Fixing Email Misconfigurations

Regularly review and correct misconfigurations in your email systems. Ensure that your email settings are optimized for security. Correcting misconfigurations prevents exploitation by cybercriminals. Secure email configurations are important in preventing unauthorized access and reducing the likelihood of successful phishing attacks.

By implementing these strategies, your business can significantly enhance its defenses against the sophisticated and evolving threat of callback phishing. Remember, the key to effective cybersecurity is robust technology and continuous awareness.

Explore Our Security Awareness Training Products on YouTube.

See our security awareness training products in the video below, including demonstrations of vishing simulation, phishing simulation, and smishing simulations or callback phishing simulation.