Callback Phishing
What is Callback Phishing?
Callback Phishing: A two-stage phishing attack in which a benign-looking email persuades the victim to call a phone number, where a human operator then walks them into installing malware.
Callback phishing — also known as TOAD (Telephone-Oriented Attack Delivery) — sends emails that contain no malicious links or attachments, only a fake invoice, subscription renewal, or fraud alert with a callback number. Because the email itself is clean, it bypasses URL filters and SEGs. When the victim calls, a social engineer impersonates support and persuades them to install a remote-management tool (AnyDesk, ScreenConnect), grant access, or run a payload. BazarCall pioneered the technique to deliver Bazar/Trickbot and Conti ransomware, and Silent Ransom Group (Luna Moth) continues to exfiltrate data this way. Defences include awareness training, blocking unsanctioned RMM, and verifying any unexpected invoice through known channels.
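The mail-side signals in this description (a clean message with no link or attachment, billing or fraud-alert wording, and a phone number as the only call to action) can be turned into a triage heuristic for mail-gateway or SOC tooling. The Python below is an added example written for this entry, not code from any product or group named here; the lure vocabulary, the phone-number pattern and the two sample messages are constructed assumptions.

```python
import re
from email import message_from_string

# Lure vocabulary typical of invoice / subscription-renewal / fraud-alert mails (assumed list).
LURE_TERMS = ("invoice", "subscription", "renewal", "renew", "charged",
              "fraud", "refund", "cancel", "billing", "auto-renew")
# North-American style number; adapt for other regions.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)

def _text_body(msg) -> str:
    """Concatenate the inline text/plain parts of a parsed message."""
    out = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def score_callback_lure(raw_email: str) -> dict:
    """Return the extracted indicators and a verdict for one RFC 822 message."""
    msg = message_from_string(raw_email)
    text = (msg.get("Subject", "") + "\n" + _text_body(msg)).lower()
    phones = sorted({m.group().strip() for m in PHONE_RE.finditer(text)})
    lures = [t for t in LURE_TERMS if t in text]
    has_url = URL_RE.search(text) is not None
    has_attachment = any(p.get_filename() for p in msg.walk())
    # The TOAD signature: a "clean" mail (no link, no attachment) whose only
    # call to action is a phone number, wrapped in billing or fraud language.
    verdict = bool(phones) and len(lures) >= 2 and not has_url and not has_attachment
    return {"phones": phones, "lure_terms": lures, "has_url": has_url,
            "has_attachment": has_attachment, "callback_lure": verdict}

# Constructed sample: a subscription-renewal lure whose only action is to call.
SAMPLE_LURE = """From: billing@example-renewals.test
Subject: Your antivirus subscription has been renewed - $349.99
Content-Type: text/plain; charset=utf-8

Your annual subscription was auto-renewed and your card was charged $349.99.
If you did not authorize this invoice, call our billing desk within 24 hours
to cancel and request a refund: +1 (555) 010-2233.
"""

# Constructed sample: an ordinary notification with a link and no phone number.
SAMPLE_BENIGN = """From: notifications@example.test
Subject: Your monthly usage report is ready
Content-Type: text/plain; charset=utf-8

Download this month's report at https://portal.example.test/reports
"""
```

A hit is a triage signal, not a verdict: route it to a reviewer and check the number against the vendor's published contact details rather than auto-blocking on the heuristic alone.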
● Examples
- 01: BazarCall sent fake Norton/McAfee subscription emails leading to live phone agents who deployed Conti ransomware.
- 02: Silent Ransom Group (Luna Moth) used callback emails for data-theft extortion in 2022-2024.
● Frequently asked questions
What is Callback Phishing?
A two-stage phishing attack in which a benign-looking email persuades the victim to call a phone number, where a human operator then walks them into installing malware. It belongs to the Attacks & Threats category of cybersecurity.
What does Callback Phishing mean?
A two-stage phishing attack in which a benign-looking email persuades the victim to call a phone number, where a human operator then walks them into installing malware.
How does Callback Phishing work?
Callback phishing — also known as TOAD (Telephone-Oriented Attack Delivery) — sends emails that contain no malicious links or attachments, only a fake invoice, subscription renewal, or fraud alert with a callback number. Because the email itself is clean, it bypasses URL filters and SEGs. When the victim calls, a social engineer impersonates support and persuades them to install a remote-management tool (AnyDesk, ScreenConnect), grant access, or run a payload. BazarCall pioneered the technique to deliver Bazar/Trickbot and Conti ransomware, and Silent Ransom Group (Luna Moth) continues to exfiltrate data this way. Defences include awareness training, blocking unsanctioned RMM, and verifying any unexpected invoice through known channels.
How do you defend against Callback Phishing?
Defences for Callback Phishing typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Callback Phishing?
Common alternative names include: TOAD, BazarCall-style phishing.
● Related terms
- Phishing (attacks, № 821)
A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware.
- Vishing (attacks, № 1205)
Phishing conducted over voice channels — phone calls or VoIP — to manipulate victims into revealing credentials, payments, or remote access.
- Quishing (QR Code Phishing) (attacks, № 894)
A phishing technique that uses a QR code instead of a clickable link to send victims to a credential-harvesting or malware page.
- Ransomware (malware, № 900)
Malware that encrypts a victim's data or locks systems and demands payment in exchange for restoring access.
- Social Engineering (attacks, № 1065)
The psychological manipulation of people into performing actions or disclosing confidential information that benefits an attacker.
- Business Email Compromise (attacks, № 135)
A targeted fraud in which an attacker impersonates or takes over a corporate mailbox to trick an employee into wiring money, changing payment details, or sending sensitive data.