Callback phishing: learn what it is and how this new trend works
New types of social engineering strategies show up every day. One recent tactic, called callback phishing, has everything it needs to become a favorite among cybercriminals. Also referred to as “hybrid phishing”, the scam earned that name because it combines two well-known types of cyberattack: phishing, which uses fake emails, and vishing, which uses trickery over the phone.
First, the target receives a message in their work email account that impersonates a company, institution or person. Usually the impersonated entity is the vendor of a solution the company already uses or is interested in acquiring, such as a cybersecurity tool.
The messages usually carry a very professional tone and can often convince employees that a problem has occurred with the company's security system and that the technicians in charge urgently need to verify the problem remotely.
Next comes the phone call. To build credibility and avoid being blocked by anti-spam filters, the scammers include no attachments or links: instead they ask the employee to immediately call a supposed technical service center for further instructions.
If the employee makes the call, they are answered by an exceptionally cordial attendant who directs them to a malicious page that, besides stealing personal data (including internal system credentials), can also be used to deliver malware.
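To make the lure pattern concrete for mail-triage purposes, here is an added heuristic scorer (example code written for this article, not something the page or any vendor ships) that weighs the traits just described: a phone number to call, no links or attachments, urgent "remote verification" language, and a display name claiming a vendor the company uses while the sender domain does not match. The vendor name, domains and message texts are constructed.

```python
import re

# Heuristics for the traits the article describes: a phone number to call, no links or
# attachments, urgent "remote verification" language, and a display name impersonating
# a vendor the company actually uses while the sender domain does not match that vendor.
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "will expire")
REMOTE_WORDS = ("remote", "verify", "technician", "service center", "support center")
SUSPECT_THRESHOLD = 4

def score_message(msg, known_vendors):
    """Return (score, reasons). known_vendors maps vendor name -> its legitimate sender domain."""
    score, reasons = 0, []
    body = msg["body"].lower()
    if PHONE_RE.search(body):
        score, reasons = score + 2, reasons + ["phone number in body"]
    if not URL_RE.search(body) and not msg["has_attachment"]:
        score, reasons = score + 1, reasons + ["no links or attachments; lure relies on a call"]
    if any(w in body for w in URGENCY_WORDS):
        score, reasons = score + 1, reasons + ["urgency language"]
    if any(w in body for w in REMOTE_WORDS):
        score, reasons = score + 1, reasons + ["remote verification / technician language"]
    for vendor, domain in known_vendors.items():
        if vendor.lower() in msg["display_name"].lower() and msg["sender_domain"].lower() != domain:
            score, reasons = score + 3, reasons + [f"claims {vendor} but sent from {msg['sender_domain']}"]
    return score, reasons

def is_suspect(msg, known_vendors):
    """Flag for analyst review when enough callback-phishing traits stack up."""
    return score_message(msg, known_vendors)[0] >= SUSPECT_THRESHOLD

# Constructed samples (not real messages): a callback-phishing lure and ordinary internal mail.
KNOWN_VENDORS = {"ExampleSec": "examplesec.example"}  # hypothetical vendor and its real domain
LURE = {
    "display_name": "ExampleSec Security Support",
    "sender_domain": "notice-mailer.example.net",
    "has_attachment": False,
    "body": ("Our monitoring detected a critical problem with your endpoint protection. Our "
             "technicians urgently need to verify the issue remotely. Please call our service "
             "center immediately at (555) 010-2233 for further instructions."),
}
BENIGN = {
    "display_name": "Jane Doe",
    "sender_domain": "corp.example",
    "has_attachment": True,
    "body": "Hi team, the quarterly report is attached; the dashboard is at https://intranet.example/reports.",
}
```

A score only prioritises a message for review; the verification step the article recommends, confirming with the IT team and with the vendor the company actually works with, still has to happen.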
Possible damages
Most often, callback phishing is used to install Remote Access Trojans (RATs) on the victim's computer: malware that gives the attacker remote control of the infected machine, including the ability to spy on it. From that foothold, attackers frequently move laterally through the corporate network, so if a single employee's computer is infected, the entire office can be compromised within a short time when the infrastructure lacks proper segmentation.
Of course, while RATs are common, nothing stops hybrid phishing from being used for other purposes. Researchers have also seen these tactics used to spread ransomware. In that case the cybercriminals' only goal is a quick payday: they encrypt important data and demand an immediate ransom, usually in cryptocurrency.
What has most impressed the security community is how convincing callback phishing messages are compared with conventional malicious emails. Scammers craft a well-written, targeted message in a highly formal tone, using the visual identity of well-known companies, and go as far as convincing the victim that the company's IT staff already knows about the contact.
Avoidance techniques
As with any other social engineering scam, awareness is the key to avoiding callback phishing. When you receive a suspicious email, think twice before taking any action: contact the security or IT team right away to verify that the message is genuine and, for example, that the supposed vendor is in fact the one your company works with.