Why It's So Easy to Fall for Callback Phishing Scams (and How to Protect Yourself)

Scammers are impersonating brands you trust.

It's easy to believe that you'd never fall for a scam—after all, spam texts about unpaid tolls, package deliveries, and job offers aren't particularly sophisticated and seem like obvious frauds. But bad actors are always looking for ways to fool you, such as with callback phishing scams that impersonate brands you trust.

According to a recent report from Cisco Talos covered by Malwarebytes Labs, consumers are being targeted with malicious emails appearing to be from well-known companies, directing them to call tech support to fix a problem. Here's how and why these scams work—and what to watch out for.

How callback phishing scams work

Callback phishing, or telephone-oriented attack delivery, actually begins with an email. Scammers send messages to potential targets impersonating a well-known company. These fraudulent emails typically contain information about an upcoming purchase or transaction, an account issue, or a technical concern and direct recipients to call the listed phone number to resolve the problem.

Once they have you on the phone, threat actors posing as customer service representatives or tech support will ask for personal information and/or direct you to malicious links or downloads that harvest data or install malware on your device.

This attack works for the same reason as many other phishing scams: It uses social engineering to prey on emotions (like fear) and promotes a sense of urgency to fix a problem, so you're less likely to stop and think critically about what's happening. But the campaign identified by Cisco Talos has a few other elements that make it even easier for threat actors to avoid detection.

First, the initial emails impersonate well-known brands whose products and services are widely used, including Microsoft, Adobe, Norton LifeLock, PayPal, DocuSign, and Geek Squad. Interacting with any of these companies may involve signing into an account, making purchases, viewing and downloading documents, receiving payments, or contacting tech support, so you may not be suspicious if you are asked to resolve a problem with these functions.

The other tactic scammers employ is attaching a PDF to the email that loads automatically when you open the message. The actual email body is blank, but you see a legitimate-looking company logo and text about the supposed issue, along with a phone number to call. This lets the messages slip past email security features, which typically scan the message body for text and links rather than the contents of an attachment. Plus, it doesn't require you to actually open an attachment, which you (hopefully) know is a telltale sign of a phishing scam.

(In some cases, when the PDF loads, it'll include a QR code to scan or a link to click, which directs you to a phishing website, rather than a number to call.)
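As an added example (not code from the article or from the Cisco Talos report), the following Python heuristic looks for the lure shape described above: a blank visible message body paired with a PDF whose text carries a phone number, a URL or billing language. The sample message and PDF are constructed for the example, and the regular expressions and keyword list are assumptions, not any vendor's detection rules.

```python
import re
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Heuristic patterns are assumptions for this example, not any vendor's rules.
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")
URL_RE = re.compile(r"https?://\S+")
LURE_WORDS = ("call", "support", "renew", "charged", "cancel")

# Constructed, stripped-down PDF with an uncompressed content stream: the
# "invoice" text and the callback number exist only inside the attachment.
LURE_PDF = (b"%PDF-1.4\n4 0 obj<<>>stream\nBT /F1 12 Tf 72 700 Td "
            b"(Your antivirus subscription was renewed for $349.99) Tj "
            b"(To dispute this charge call support at 800-555-0100) Tj ET\n"
            b"endstream\nendobj\n%%EOF")

def pdf_text(data: bytes) -> str:
    """Pull literal strings from '(...) Tj' operators; a real scanner would use a PDF parser."""
    return " ".join(m.decode("latin-1") for m in re.findall(rb"\((.*?)\)\s*Tj", data))

def build_sample(body_text: str, pdf_bytes: bytes) -> MIMEMultipart:
    """Build a test message (constructed, not captured) with a text body and a PDF."""
    msg = MIMEMultipart()
    msg["Subject"] = "Your subscription renewal"
    msg.attach(MIMEText(body_text))
    pdf = MIMEApplication(pdf_bytes, "pdf")
    pdf.add_header("Content-Disposition", "attachment", filename="invoice.pdf")
    msg.attach(pdf)
    return msg

def classify(msg) -> dict:
    """Flag the lure shape: blank visible body plus a PDF carrying a number, URL or lure wording."""
    body, pdfs = "", []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            body += raw.decode(part.get_content_charset() or "utf-8", "replace")
        elif ctype == "application/pdf":
            pdfs.append(part.get_payload(decode=True))
    text = " ".join(pdf_text(p) for p in pdfs).lower()
    f = {"blank_body_with_pdf": bool(pdfs) and not body.strip(),
         "phone_in_pdf": bool(PHONE_RE.search(text)),
         "url_in_pdf": bool(URL_RE.search(text)),
         "lure_words_in_pdf": any(w in text for w in LURE_WORDS)}
    f["suspicious"] = f["blank_body_with_pdf"] and (
        f["phone_in_pdf"] or f["url_in_pdf"] or f["lure_words_in_pdf"])
    return f
```

The same PDF attached to a message with a real text body is not flagged, which keeps ordinary invoices with a contact number out of the alert.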

Callback phishing red flags

As with any scam, communication that seems urgent or provokes fear, confusion, or another strong emotion should give you pause. You should also be skeptical of emails that arrive with attachments; the attachment is still listed on the message even when it loads automatically and you never click to download it—legitimate companies rarely, if ever, send email attachments.

And, of course, you should never click links or scan QR codes in emails, texts, or social media messages until you have verified the sender and the request by going directly to the company's website and contacting support. Email addresses can be spoofed in pretty sophisticated ways, so seeing is not always believing.