Why It’s so Easy to Fall for Callback Phishing (and How to Protect Yourself)

It’s easy to believe that you’ll never fall for a scam—after all, spam messages about unpaid tolls, package deliveries, and job offers are not particularly sophisticated and seem like obvious scams. But scammers are always looking for ways to trick you, such as using callback phishing scams to impersonate brands you trust.
According to a recent Cisco Talos report published by Malwarebytes Labs, users are being targeted by malicious emails that appear to be from reputable companies, asking them to contact tech support to resolve a supposed issue. Here’s how and why these scams work, and what to look out for.
How Callback Phishing Scams Work
Callback phishing, or phone scams, actually starts with an email. Scammers send messages to potential victims on behalf of a reputable company. These scam emails typically contain information about an upcoming purchase or transaction, an account issue, or a technical problem, and ask recipients to call a listed phone number to resolve the issue.
Once you receive the call, the scammers will pose as customer service or technical support representatives, asking for personal information and/or redirecting you to malicious links or downloads that collect data or install malware on your device.
This attack works for the same reason that many other phishing schemes do: it uses social engineering to appeal to emotions (like fear) and create a sense of urgency to solve a problem, so you’re less likely to stop and take stock of what’s happening. However, the campaign uncovered by Cisco Talos has several other elements that make it even easier for the attackers to evade detection.
First, the initial emails impersonate well-known brands whose products and services are widely used, including Microsoft, Adobe, Norton LifeLock, PayPal, DocuSign, and Geek Squad. Interactions with any of these companies may involve signing into an account, making purchases, viewing and downloading documents, receiving payments, or contacting tech support, so being asked to troubleshoot an issue with one of these features wouldn’t necessarily raise your suspicion.
Another tactic used by scammers is to attach a PDF file to the email that downloads automatically when you open the message. The body of the email is blank, but you see a legitimate-looking company logo and text about the supposed problem, including a phone number to call. This allows the message to bypass email security features that typically scan the message body for suspicious text and links. Plus, you never have to actively open an attachment yourself, which you (hopefully) know is a telltale sign of phishing.
(In some cases, downloading a PDF will display a QR code to scan or a link to a phishing site, rather than a phone number to call.)
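As an added illustration (not code from the article or from Cisco Talos), the Python filter below applies the check the article says ordinary scanners skip: it flags a message whose body is blank but whose PDF attachment carries an impersonated brand name alongside a phone number. The sample message, the brand list, and the phone-number pattern are constructed for this example, and the PDF text extractor only handles uncompressed content streams (a production filter would use a full PDF parser).

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Brands the article lists as impersonated; a real filter would load a maintained list.
IMPERSONATED_BRANDS = ("microsoft", "adobe", "norton", "paypal", "docusign", "geek squad")
# North American style numbers such as 1-800-555-0199 or (800) 555-0199 (constructed pattern).
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Text operands in an uncompressed PDF content stream look like "(Call us) Tj".
PDF_TEXT_RE = re.compile(rb"\((.*?)\)\s*Tj")


def pdf_text(data: bytes) -> str:
    """Pull string operands out of an uncompressed PDF; compressed streams need a real parser."""
    return " ".join(m.decode("latin-1") for m in PDF_TEXT_RE.findall(data))


def analyze(raw: bytes) -> dict:
    """Return the callback-phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = (body.get_content() if body else "").strip()
    findings = {"blank_body": not body_text, "pdf_phone": [], "pdf_brands": []}
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        text = pdf_text(part.get_payload(decode=True))
        findings["pdf_phone"] += PHONE_RE.findall(text)
        findings["pdf_brands"] += [b for b in IMPERSONATED_BRANDS if b in text.lower()]
    # Blank body + brand name + callback number inside the PDF is the pattern the campaign uses.
    findings["callback_phish"] = bool(
        findings["blank_body"] and findings["pdf_phone"] and findings["pdf_brands"]
    )
    return findings


def build_sample(body: str = "") -> bytes:
    """Constructed sample: a (by default blank) body plus a minimal PDF holding a brand and a number."""
    pdf = (b"%PDF-1.4\n1 0 obj<</Length 60>>stream\nBT (Geek Squad Protection Plan renewed) Tj "
           b"(Call 1-800-555-0199 to cancel) Tj ET\nendstream\nendobj\n%%EOF")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Order confirmation"
    msg.set_content(body)
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyze(build_sample()))
```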
Red Flags of Callback Phishing
As with any scam, messages that seem urgent or that evoke fear, confusion, or other strong emotions should give you pause. You should also be skeptical of emails with attachments, even ones that download automatically and don’t require you to click a button—legitimate companies rarely, if ever, send emails with attachments.
And, of course, never click on links or scan QR codes in emails, text messages, or social media posts until you’ve verified the sender and the request itself by going directly to the company’s website and contacting customer support. Email addresses can be spoofed in some pretty sophisticated ways, so the sender name you see is no proof of who actually sent the message.