What Is Callback Phishing?

Sebastian Salla Published: November 25, 2024

Callback phishing is a type of sophisticated phishing attack where scammers embed phone numbers into emails or messages and try to entice victims into calling the number. Once called, the scammer initiates a voice phishing attack and tries to mislead or manipulate the victim into performing an action such as divulging sensitive information.

Due to advancements in Generative AI throughout 2024, cybercriminals can now conduct fully automated callback phishing attacks, whereby AI is used to generate the initial phishing email, create email counter-responses, and even hold real-time voice-to-voice phone call discussions.

What Makes Callback Phishing So Dangerous?

What makes callback phishing so dangerous is the combination of how it exploits human behavior and how it abuses the limitations of modern email security tools. Let's delve into this below:

Exploits Human Behavior

Security awareness training programs focus on three things when it comes to phishing: Don't click malicious links, don't download malicious attachments, and don't reply to suspicious emails. Each of these payload types has a distinct tell-tale sign that helps the victim determine if the request is suspicious (e.g. an unusual domain in the link). Callback requests get around this through the use of phone numbers, which are rarely memorized, making validation difficult for humans.

Evades Email Security Tools

Email security tools use various capabilities to determine if an email is spam, phishing, or legitimate. Depending on the type of payload, the capability used will differ. For example, if the payload is a link, then the domain can be analyzed, or the link can be detonated. In contrast, phone numbers have no reputation system to determine if a phone number is legitimate or malicious. Additionally, phone numbers can't be detonated, effectively blinding security technologies.

An Example Callback Phishing Attack

Callback phishing attacks, by their very nature, are multi-staged. Over the course of a back-and-forth conversation, which extends over email and phone, the attacker will build trust with the victim before performing their malicious act. To help provide an idea of how this attack unfolds and how it can be completely automated with AI, we'll go through an example.

Step 1. Victim Receives Initial Phishing Email

This email will typically be targeted at the victim and will involve some form of fictitious scenario that requires immediate action. It could be that they're being provisioned with access to a new system, require a password reset, or any one of dozens of other scenarios. The hook in all scenarios is that they need to call a phone number to resolve the issue verbally.

Step 2. Victim Receives Follow-Up Reminder

Due to a lack of response from the victim, they receive an automated, AI-generated follow-up within 24 hours, prompting action and reminding them of the urgent nature of the request. This subconsciously puts the victim on the back foot, as it makes them feel that they now owe the attacker a response for not having taken the initial request seriously.

Step 3. Victim Calls The Attacker's Phone Number

Shortly after dialling, the victim is greeted by a human-sounding voice that introduces itself before asking who's calling. The victim is then engaged in a back-and-forth conversation. As with the follow-up reminder, the victim is on the back foot in this conversation. They were the ones who dialled the attacker, so the attacker has a ready justification for asking for sensitive information in order to "validate" that the victim is who they say they are.

Step 4. Attacker Compromises The Victim

As the call progresses, the attacker finally reveals their end goal and insists that the victim follow their instructions. This won't seem out of the ordinary, as the attacker progresses slowly towards this final request. Depending on the attacker's goal, it could be a request for information or for an action, such as purchasing gift cards. In this case, the attacker asks the victim for a 6-digit code that was just sent to their mobile phone via a push notification. The victim doesn't know it yet, but by handing this code to the attacker, they have granted them access to one of their accounts.

Common Callback Phishing Techniques

Due to the nature of callback phishing spanning multiple communication channels, cybercriminals will employ a variety of techniques to help entice victims to interact with them. The most common techniques are outlined below:

Email Address Spoofing

Cybercriminals attempt to spoof legitimate and trustworthy email addresses to add a layer of authenticity to their phishing emails. When spoofed email addresses are in use, the attacker will then include an email address they control in the "Reply-To" email header.
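The two observations above (phone numbers are a payload that email filters cannot detonate, and a spoofed sender paired with an attacker-controlled Reply-To) can still be turned into a simple mail-filter heuristic. The following is an added example, not code from the article or from CanIPhish; the sample messages, domains and number are constructed, and the indicator names and the two-hit threshold are the author's own choices.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not from the article): the first has the pattern
# described above (spoofed From, attacker-controlled Reply-To, a callback number
# and urgency language); the second is a benign control.
SUSPECT_EMAIL = """From: IT Helpdesk <helpdesk@example.com>
Reply-To: support@helpdesk-portal.invalid
Subject: Action required: your account access expires today

Your new system access must be activated within 24 hours.
Call +1 (555) 010-0199 immediately to complete verification.
"""

BENIGN_EMAIL = """From: Alice <alice@example.com>
Subject: Lunch on Friday?

Want to grab lunch on Friday? No rush, reply whenever.
"""

PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URGENCY_TERMS = ("immediately", "within 24 hours", "urgent", "expires today", "action required")

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' when the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def callback_indicators(raw):
    """Return (indicator dict, phone numbers found) for a plain-text RFC 5322 message."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    from_domain, reply_domain = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    phones = [m.group().strip() for m in PHONE_RE.finditer(text)]
    return {
        # Reply-To on a different domain than From is the spoofing tell described above.
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        # The phone number is the payload; there is no link or attachment to detonate.
        "phone_in_body": bool(phones),
        "urgency": any(term in text for term in URGENCY_TERMS),
    }, phones

def is_callback_suspect(raw, min_hits=2):
    """Flag the message when at least min_hits indicators are present."""
    indicators, _ = callback_indicators(raw)
    return sum(indicators.values()) >= min_hits
```

In a real deployment the extracted number would be the value to log and to compare against previously reported callback numbers, since no external reputation feed exists for it.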

Psychological Manipulation

Cybercriminals employ psychological manipulation techniques such as inducing fear, creating urgency, and exploiting trust to prompt immediate action from the victim before critical thinking can be applied. Pretexting will often be used to assist with this.

Caller ID Name (CNAM) Spoofing

When the victim dials the attacker's number, their telecommunications provider automatically populates the call screen with the Caller ID Name (CNAM), which the attacker will have spoofed to look like a trusted entity.

Interactive Voice Response (IVR)

IVR systems help to add authenticity as large organizations commonly use IVR systems. Using an IVR lets the attacker know who is calling and gives them precious time to assume the most suitable identity.

Deepfake Voice Cloning

Deepfake voice cloning can be seen as a way of spoofing the voice of an individual the victim trusts and recognizes. Cybercriminals can use publicly available videos or voice recordings to clone the voice. The more recordings available, the more accurate the voice clone.

Conversational AI Agents

Conversational AI agents are capable of holding voice-to-voice communication over a phone call in real-time. Typically, these AI agents are used to help automate and scale cyber attacks that would otherwise be limited by the number of human operators.

Practical Tips To Avoid Callback Phishing Attacks

Callback phishing may seem like a difficult type of phishing attack to protect against, but there are actually a lot of ways you can detect them:

  • Always check email sender addresses: Check to see if the domain used to send the email is one that you recognize and trust.
  • Thoroughly read emails that are asking for immediate action: If you feel a sense of fear or urgency when reading an email, make sure to re-read it in detail. Attackers will try to catch you off guard, hoping it prompts you to take immediate action. In doing this, they override your ability to critically analyze the email for inaccuracies or inconsistencies.
  • Don't trust unrecognized phone numbers: Just because a number has a local country or area code doesn't make it trustworthy. There are a range of publicly available Voice over IP (VoIP) services that attackers can use to temporarily rent phone numbers in countries or regions across the world.
  • Don't trust the voice you hear on a phone call: This has historically been one of the primary means of identifying who is on the other side of a call. If you hear a trusted and known voice, then it means you know who's calling. With advancements in AI voice cloning over the course of 2024, this no longer holds true.

Frequently Asked Questions

What's The Difference Between Callback Phishing And Voice Phishing?

Callback phishing relies on using a communication method such as email or SMS to present the victim with a phone number they need to call. Once called, the attacker then progresses with the phishing attack over a voice call. In contrast, voice phishing relies on directly calling the victim from a number the attacker controls.

Is Callback Phishing More Dangerous Than Voice Phishing?

Each type of phishing attack has its own strengths and weaknesses, with no single attack being more or less dangerous than the other. Callback and voice phishing are commonly used in conjunction with one another, providing an attacker with multiple means of making verbal contact with their intended target.