Is callback phishing on your radar screen? Hackers launch callback phishing campaigns to breach corporate networks. Once in the network, hackers tend to deploy ransomware.

What is callback phishing?

Callback phishing typically involves an email, a phone call and a fake subscription/invoice notice. In recent months, hackers have impersonated businesses in order to dupe victims into making phone calls that lead to the download of malware.

Step 1: The email. Callback campaigns employ phishing emails, which often sound urgent in tone. The text of the email often implies that the recipient’s individual or corporate security has been compromised. The email instructs the recipient to call the phone number included in the message in order to resolve the issue.

Step 2: The call. If the recipient calls the phone number listed in the message, they reach a deceptively friendly person who directs them to a malicious website.

Step 3: The attack. Victims typically install commercial Remote Access Trojan (RAT) software, which helps attackers gain an initial foothold within a given network.

10 key callback phishing facts to remain aware of:

  1. In 2022, in the space of three months, callback phishing attacks increased by 625%.
  2. Callback phishing attacks have impersonated countless companies.
  3. Callback phishing emails may appear to come from an external data security services provider.
  4. Emails may claim that a victim’s IT department is aware of a security issue and that it has approved an employee’s participation in an audit of their workstation.
  5. In other cases, attackers attempt to dupe victims into confirming a fictitious transaction.
  6. Callback phishing operators ask victims to hand over credit card numbers or bank account information.
  7. Callback phishing operators also use ransomware to make phishing profitable.
  8. Callback phishing can lead to a network-wide ransomware infection.
  9. Educating users about callback phishing attempts can prevent ransomware incidents.
  10. Callback phishing campaigns can bypass email filters.

Callback phishing & email filters

Callback phishing attempts can bypass email filters. Because these emails do not include malicious links or attachments laced with malware, email filters often fail to catch them. Thus, cyber security teams need to be aware of these types of attacks and need to provide relevant education to employees.

Encourage employees to:

Review the email sender’s information. Employees need to ensure that emails really are from their purported senders. In other words, if receiving an email from a major bank, employees should ensure that the email is really from the bank, not a hacker.

Ask themselves about action items. Employees should consider what an email is asking them to do. Does the email urgently request a call? Does it ask the recipient to click on a link?

Request input if needed. After an initial assessment, employees who are uncertain about the authenticity of an email should request assistance from a peer, an IT team, or another appropriate person within your organization. Let employees know about the best ways to discreetly ask for help.
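For security teams, the filter gap described above can be narrowed with a content heuristic. The following is an added example, not code from the original article: it flags mail that carries no links or attachments yet combines a phone number, a request to call, and a billing or security lure. The patterns, keyword lists and sample messages are assumptions constructed for illustration and would need tuning against real mail flow.

```python
import re
from email import message_from_string

# Assumed heuristics for illustration; tune the patterns and keywords for your own mail.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
PHONE_RE = re.compile(r"(?<!\d)(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
LURE_RE = re.compile(r"\b(invoice|subscription|renewal|charged|audit|compromised)\b", re.I)
CALL_RE = re.compile(r"\b(call|dial|phone)\b", re.I)
URGENT_RE = re.compile(r"\b(urgent|immediately|right away|within 24 hours)\b", re.I)

# Constructed sample messages (not real campaign mail).
SAMPLE_CALLBACK = """From: Billing <billing@example.com>
Subject: Urgent: your subscription renewal invoice

Your subscription was renewed and your card will be charged today.
To cancel, call our support desk immediately at +1 (555) 010-0199.
"""
SAMPLE_NEWSLETTER = """From: News <news@example.org>
Subject: Monthly product update

Read the release notes at https://example.org/notes or call us at 555-010-0142.
"""

def body_and_attachments(msg):
    """Return (text of all text/* parts, number of attachment parts)."""
    text, attachments = [], 0
    for part in msg.walk():
        if part.get_filename() or part.get_content_disposition() == "attachment":
            attachments += 1
        elif part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            text.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(text), attachments

def callback_phish_signals(raw):
    """Flag mail a link/attachment filter would pass but that pushes a phone call."""
    msg = message_from_string(raw)
    body, attachments = body_and_attachments(msg)
    text = f"{msg.get('Subject', '')}\n{body}"
    signals = {
        "no_links_or_attachments": not URL_RE.search(text) and attachments == 0,
        "phone_number": bool(PHONE_RE.search(text)),
        "asks_for_call": bool(CALL_RE.search(text)),
        "billing_or_security_lure": bool(LURE_RE.search(text)),
        "urgent_tone": bool(URGENT_RE.search(text)),
    }
    # Urgency only adds context; every other signal must be present to queue a review.
    signals["review"] = all(v for k, v in signals.items() if k != "urgent_tone")
    return signals
```

A message marked for review is a candidate for a warning banner or analyst triage rather than automatic blocking, since legitimate billing mail can match the same shape.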

Technical information

Earlier this year, security researchers uncovered a callback phishing campaign used to install AteraRMM, followed by Cobalt Strike, which assisted hackers with lateral network movement and with the deployment of additional ransomware.

Further information

Callback phishing is considered a “hybrid” form of phishing, as it combines email and voice forms of social engineering. Again, it starts with an email, which prompts a phone call that may lead to personal information theft and commonly results in a malware download. In turn, the malware can result in a ransomware extortion attempt.

Callback phishing serves as a reminder of how cyber criminals are evolving techniques and increasing their sophistication. Encourage employees to report suspicious emails to your organization’s IT department.

Not convinced of the danger? See how MailChimp was affected by callback phishing.