Keepnet Labs Logo
Keepnet Labs > whitepapers > what-is-toad

Decoding Callback Phishing Attack: A Comprehensive Guide to Telephone-Oriented Attack Delivery (TOAD)

What is a Telephone Oriented Attack Delivery (TOAD)? What are the tactics of callback phishing? What are the defense strategies against callback phishing?

Callback Simulator Whitepaper

What is a Callback Phishing Attack?

Callback phishing attacks, or Telephone-Oriented Attack Delivery (TOAD), are sophisticated cyberattacks that blend traditional Phishing methods with telephone-based social engineering. Unlike conventional phishing, which often relies on malicious links or attachments, callback phishing exploits human psychology, urging victims to initiate contact through a provided phone number. This devious tactic effectively bypasses many standard email security measures, making it a formidable challenge in cybersecurity.

The relevance of these attacks in the cybersecurity landscape has escalated remarkably in recent years. This rise can be attributed to their high success rate and the increasing sophistication of cybercriminals who continuously evolve their strategies to outmaneuver traditional defense mechanisms. This whitepaper delves into the intricacies of callback phishing, offering a comprehensive exploration of its mechanics, impact, historical context, and effective countermeasures to safeguard businesses in an increasingly connected world.

How do Callback Phishing Attacks Work?

Callback phishing attacks are executed systematically, exploiting human vulnerabilities and technological loopholes. Here is the lifecycle of callback phishing attacks:

1. Initial Contact: The attack commences with a phishing email, seemingly innocuous at first glance. This email typically alerts the recipient about an urgent matter, such as a subscription renewal or an unpaid bill for a service they never purchased. Uniquely, these emails include a contact number for the recipient to call, seemingly to resolve the issue.

Sample voice callback phishing email
Picture 1: Sample voice callback phishing email

2. The Call: When the victim, driven by concern or curiosity, dials the provided number, they are connected, not to a legitimate service representative, but to the attacker. This is where the attacker employs social engineering tactics. During the conversation, they may solicit personal information credentials or even direct the victim to perform specific actions that compromise their security. This could include installing remote access software to resolve the issue and granting the attacker access to the victim's network or device.

3. Exploitation: The final step involves the attacker utilizing the information or access obtained to steal sensitive data, install malware or ransomware, or carry out financial fraud. This step can have varying consequences depending on the attacker's intent and the nature of the data or access obtained.

A sample callback phishing (TOAD) attack life-cycle
Picture 2: A sample callback phishing (TOAD) attack life-cycle

Throughout this process, the attacker's skill in manipulating the victim through persuasive communication and creating a sense of urgency or fear plays a crucial role in the attack's success. The combination of technical subterfuge and psychological manipulation makes callback phishing a particularly insidious and effective form of cybercrime.

History & Evolution of Callback Phishing Attacks

The history of callback phishing attacks reflects a concerning evolution in cybercrime, marked by increased sophistication and adaptability

Origin - BazarCall (March 2021)

The callback phishing phenomenon first surfaced under the name "BazarCall." Attackers used emails mimicking subscription services for streaming, software, or medical services, providing a phone number for cancellation. Victims who called were led through steps culminating in downloading BazarLoader malware, providing attackers with remote access to devices and networks, often resulting in ransomware attacks like Ryuk or Conti.

Bazarcall Campaign Attack Life-Cycle
Picture 3: Bazarcall Campaign Attack Life-Cycle
Heatmap of latest BazarCall campaign targets (Source: Trellix)
Picture 4: Heatmap of latest BazarCall campaign targets (Source: Trellix)

Evolving Social Engineering Tactics

After the BazarCall campaign, attackers found new ways and other social engineering methods to become more intricate. Attackers stuck to the initial bait of invoices from services like Geek Squad, Norton, or Microsoft but changed their approach once contact was established. They started using tactics like claiming a spam email caused malware infection, leading victims to download malicious software disguised as antivirus programs. These methods preyed on the victim’s trust and urgency to resolve perceived issues. See the example in picture 5 below.

Example of a Geek Squad callback phishing email. (Source: BleepingComputer)
Picture 5: Example of a Geek Squad callback phishing email. (Source: BleepingComputer)

Remote Control and Financial Fraud

More recent campaigns have shown a shift towards financial fraud. Attackers trick victims into logging into their bank accounts under the guise of issuing refunds, only to lock screens and manipulate transactions. This approach leads to direct financial loss and allows attackers to install additional malware for long-term spying and data theft.

As you can see, the callback attack started with the Bazarcall campaign by sending emails to the victims with a phone number to be called by the victim. After that, cybercriminals started using tactics like claiming a spam email caused malware infection, leading victims to download malicious software. Recent callback phishing campaigns have evolved to involve financial fraud, where attackers deceive victims into logging into their bank accounts to issue refunds, then lock screens and manipulate transactions.

With the rise of generative AI and deep fake voice calls, it is apparent that attacks will increasingly leverage this new technology.

Callback Phishing Attack Statistics

The following statistics on callback phishing attacks highlight a concerning trend in cybercrime. These attacks have resulted in significant financial losses for individuals and businesses, underscoring the need for increased awareness and stronger security measures.

Here are the latest statistics on callback phishing attacks:

  • The recent Quarterly Threats Trends & Intelligence Report from Agari reveals a significant rise in callback phishing attacks, also known as hybrid vishing attacks, with an increase of 625% since Q1 2022.
  • The Federal Trade Commission (FTC) in the United States reported that in 2020, businesses suffered losses totaling $1.8 billion due to imposter scams, which include vishing attacks.
  • The Better Business Bureau (BBB) in the US found that in the same year, businesses lost an average of $7,640 per vishing scam, with some incidents leading to losses as high as $500,000.
  • A 2019 survey by Pindrop Security revealed that nearly 60% of businesses experienced a vishing attack in the preceding year. The average financial impact of these incidents was around $43,000, with some cases involving losses exceeding $1 million.
  • In the United Kingdom, UK Finance reported that the total cost of fraud to businesses reached £1.2 billion in 2020. Vishing was identified as one of the most prevalent types of fraud, contributing to losses of £37.8 million.
  • Proofpoint revealed that TOAD attacks , which accounted for 8% of phishing incidents, involve emails that prompt recipients to initiate phone calls with attackers, often leading to sophisticated scams.
  • In 2023, Proofpoint observed a significant increase in TOAD attacks , with over 600,000 incidents recorded daily. These attacks first emerged in late 2021 and have been steadily rising. This trend indicates a shift in tactics by threat actors, now employing newer techniques like TOAD and adversary-in-the-middle (AitM) phishing proxies. These methods are designed to bypass multi factor authentication and are less familiar to employees, increasing the likelihood of a successful cyberattack.
  • Individual victims face substantial financial losses due to callback phishing attacks, with the average loss per attack nearing $50,000 .

Impact of Callback Phishing Attacks

Understanding the multifaceted impact of callback phishing attacks is important to protect your business effectively since these attacks have a unique method that significantly challenges traditional cybersecurity measures. While there are many consequences of Callback phishing, the following are among the most significant:

  • Bypassing Security Measures: Callback phishing scams stand out for their ability to circumvent standard email filters. These emails, devoid of malicious links or attachments, rely heavily on social engineering, making them less detectable by conventional security systems.
  • Elevated Success Rates: The rising prevalence of callback phishing can be attributed to their high effectiveness. By incorporating telephone interaction, these attacks sidestep typical phishing defenses, displaying a 53.2% average click rate, significantly higher than standard phishing campaigns.
  • Financial Ramifications: Direct financial losses are one of the most immediate impacts of these attacks. The FBI’s Internet Crime Complaint Center reported that phishing attacks led to $1.7 billion in losses for organizations in 2019.
  • Reputational Damage: Phishing attacks can severely tarnish an organization's reputation. The public disclosure of a data breach can lead to long-term damage to customer trust and business relationships. This impact can spread rapidly and is often difficult to repair.
  • Loss of Customers: The aftermath of a successful phishing attack often includes a significant loss of customers. For instance, a substantial percentage of consumers may discontinue their association with the affected brand after a data breach.
  • Operational Disruption: Phishing attacks can lead to serious operational disruptions. They can paralyze an organization's activities, leading to lost productivity, data theft, and compromised customer services. Recovery from such attacks can take significant time and resources.
  • Decline in Organization Value: A successful attack can considerably decrease an organization's market value. Historical data breaches have shown plummeting stock prices and overall valuation following such incidents.
  • Regulatory Fines: Non-compliance and failure to protect data can result in hefty fines under regulations like GDPR. These fines can be substantial, further exacerbating the financial impact on the organization.

Callback Phishing Attack Analysis: Examining Luna Moth/Silent Ransom Attack

This section will analyze callback phishing attacks from a real campaign. Let’s delve into the Luna Moth/Silent Ransom Group's callback phishing campaign to shed light on tactics, impact, and implications from a real scenario.

Luna Moth: The Threat Actors Behind Recent False Subscription Scams. (Source: Sygnia)
Picture 6: Luna Moth: The Threat Actors Behind Recent False Subscription Scams. (Source: Sygnia)

Step One: Target Selection and Initial Contact

  • The Luna Moth/Silent Ransom Group initiated its callback phishing campaign by carefully selecting targets in specific sectors, starting with small to medium-sized businesses in the legal industry. This choice was strategic, aiming at organizations with less robust cybersecurity measures.
  • The attackers then sent phishing emails, typically crafted to appear as urgent communications regarding subscriptions or services. These emails contained a phone number urging the recipients to call to resolve the purported issue.

Step Two: Engaging the Victim

  • The attackers employed social engineering tactics once a victim called the provided number. The caller, believing they were speaking to a legitimate representative, was guided through a series of steps under the pretense of addressing the issue raised in the email.
  • This interaction was a ruse to build trust and lower the victim's defenses, preparing them for the next phase of the attack.

Step Three: Deployment of Malicious Tools

  • Having gained the victim's trust, the attackers directed them to download the necessary software to resolve the issue. However, this software was malicious – typically remote access such as Atera, Zoho Assist, and Splashtop tools or malware.
  • This step was crucial as it allowed the attackers to gain control over the victim's device, access sensitive information, or install ransomware, leading to significant financial losses for the targeted business.

Step Four: Expansion and Escalation

  • As the campaign progressed, the attackers expanded their target scope to include larger businesses in the retail sector, indicating a strategic shift to increase potential gains.
  • The group's tactics also evolved to ensure minimal use of tools and malware, focusing on techniques that would avoid early detection. This stealth approach made the attack more insidious and challenging to identify and counter.

This detailed analysis of the Luna Moth/Silent Ransom Group's callback phishing campaign showcases the methodical and adaptive nature of such attacks, emphasizing the need for continuous vigilance and sophisticated countermeasures against callback phishing attacks.

How to Protect Your Business Against Callback Phishing Attacks

To enhance any organization’s defense against callback phishing attacks, a comprehensive approach is essential. Here are several methods through which you can proactively protect your business:

  • Distribute Intensive Employee Security Training: Callback phishing scams stand out for their ability to circumvent standard email filters. These emails, devoid of malicious links or attachments, rely heavily on social engineering, making them less detectable by conventional security systems.
  • Deploy Advanced Security Technologies: Utilize AI-based systems and behavioral analysis tools to detect anomalies in network activity. These technologies can proactively identify signs of a phishing attack, allowing for timely intervention.
  • Implement Callback Phishing Simulation Tools: Keepnet Labs' Callback Phishing Simulation tool is invaluable for testing and strengthening employee cybersecurity preparedness. Employees can gain practical experience recognizing and responding to such threats by simulating realistic phishing scenarios. Regular use of this tool can also help identify areas where further security awareness training is needed.
  • Cultivate a Cybersecurity Culture: Foster a culture of cybersecurity awareness within the organization. Encourage open communication about potential threats and ensure all employees understand their role in maintaining security.
  • Incident Response: Develop and regularly update an incident response plan. This plan should outline clear steps to be taken in the event of a successful phishing attack, including containment strategies, communication protocols, and methods for assessing and mitigating damage.
  • Utilize Threat Sharing Platforms: Implement a threat-sharing solution, such as a Threat Sharing product, to avoid emerging phishing threats. These platforms allow businesses to share and receive information about the latest phishing tactics and indicators of compromise. By participating in a threat intelligence community, your business can benefit from a broader knowledge base, helping you to identify and respond to new callback phishing methods more effectively.

By integrating these strategies, businesses can significantly bolster their defenses against callback phishing. This multi-layered approach helps prevent attacks and ensures the organization is well-prepared to respond effectively if an attack occurs.


The fight against callback phishing attacks requires a multi-faceted and dynamic approach. This includes rigorous employee cybersecurity training , deploying advanced security technologies, regular phishing simulation tools like Keepnet Labs', fostering a strong cybersecurity culture, comprehensive incident response planning, and participation in threat-sharing platforms. The key to success lies in continuous vigilance and constantly adapting security measures to counter evolving threats. As cyber threats become more sophisticated, so must our strategies to protect our businesses, underscoring the importance of staying ahead in this ongoing cybersecurity battle.



Schedule your 30-minute demo now

You'll discover how to:
tickCreate a callback phishing template with AI text-to-speech, make it realistic with your voice, and see the advantages of tailored campaigns.
tickQuickly assess your employees' readiness against actual callback phishing scenarios, evaluating their awareness levels.
tickGenerate tailored reports on staff responses and compare your company's performance with other sectors.
iso 27017 certificate
iso 27018 certificate
iso 27001 certificate
ukas 20382 certificate
Cylon certificate
Crown certificate
Gartner certificate
Tech Nation certificate