Callback phishing

Callback phishing is common. It usually takes the form of an emailed invoice or receipt. The email says that you've either paid or need to pay for a subscription to antivirus software, Geek Squad support or some other common product. Most of us know what we've paid for and what still needs paying, so the email comes as a surprise, and that surprise is the hook. Phishing emails are designed to make you take action, which is why this particular tactic works.

These messages are often generated inside legitimate invoicing services like Quicken.com or PayPal.com, so the email genuinely comes from that service's mail servers, the sender domain is real, and ordinary spam filtering and sender-authentication checks have nothing to object to. The scam lives entirely in the invoice text the crook typed in. Since the message claims you owe money or paid for something you don't use (or already paid for), the recipient takes action.

While the email wording and call to action vary, there's usually a phone number to call if you want to dispute the invoice, and no link to click, which is exactly what makes the message look unlike ordinary phishing. Again the beats may vary, but often the "customer service representative" who picks up tells you to download remote-access software so they can help. Sometimes that software is a legitimate remote-support tool and sometimes it is outright malware, but in either case the person on the phone now has hands-on control of your computer.
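The pattern described above, as an added example that is not part of the original post: a small Python triage heuristic that scores an email on the traits just described (delivered through a legitimate invoicing platform, names a commonly impersonated product, uses pressure language, and tells the reader to call a phone number rather than click a link). The two sample emails are constructed for this example, the scoring weights, threshold and pressure-phrase list are my assumptions, and the platform list contains only the two services the post names.

```python
"""Heuristic triage for callback-phishing invoices (added example, not from the post)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Invoicing services named in the post. Mail generated inside them is genuinely
# sent by the service, so reputation and authentication checks pass; the only
# signal is the invoice content itself. Extend the set for your environment.
INVOICING_PLATFORMS = {"paypal.com", "quicken.com"}

# Products the post says these fake invoices usually claim you bought.
IMPERSONATED_PRODUCTS = ("norton", "geek squad", "antivirus")

# Pressure phrasing (assumed list, not from the post).
URGENCY_PHRASES = ("within 24 hours", "immediately", "dispute", "will be charged", "auto-renew")

# North American numbers as commonly written: 1-800-555-0134, (206) 555-0199, 800.555.0134
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# A verb telling the reader to phone, followed in the same sentence by a number.
CALL_INSTRUCTION_RE = re.compile(r"\b(?:call|dial|contact|phone)\b[^.\n]{0,80}?" + PHONE_RE.pattern)

SUSPECT_THRESHOLD = 5  # assumed cut-off for the weights below


def sender_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def body_text(msg):
    chunks = []
    for part in msg.walk():  # a single-part message yields itself
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw_email):
    """Return a verdict, score, the reasons behind it and any phone numbers found."""
    msg = message_from_string(raw_email)
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    score, reasons = 0, []

    domain = sender_domain(msg)
    if domain in INVOICING_PLATFORMS:
        score += 1
        reasons.append(f"delivered through invoicing platform {domain}")

    products = [p for p in IMPERSONATED_PRODUCTS if p in text]
    if products:
        score += 2
        reasons.append("names commonly impersonated product(s): " + ", ".join(products))

    urgency = [u for u in URGENCY_PHRASES if u in text]
    if urgency:
        score += 1
        reasons.append("pressure language: " + ", ".join(urgency))

    phones = sorted({m.group(0) for m in PHONE_RE.finditer(text)})
    if CALL_INSTRUCTION_RE.search(text):
        score += 3  # the phone number is the call to action: the callback pattern
        reasons.append("instructs the reader to call a number")
    elif phones:
        score += 1
        reasons.append("contains a phone number")

    verdict = "callback-phishing-suspect" if score >= SUSPECT_THRESHOLD else "no-callback-pattern"
    return {"verdict": verdict, "score": score, "reasons": reasons, "phone_numbers": phones}


# Constructed sample: a scam invoice pushed through a real invoicing platform.
PHISHING_SAMPLE = """\
From: "Norton LifeLock Billing" <service@paypal.com>
To: victim@example.com
Subject: Invoice INV-2041 from Norton Security Services
Content-Type: text/plain; charset=utf-8

You have been charged $349.99 for your Norton 360 antivirus
subscription renewal. The amount will be debited within 24 hours.
If you did not authorize this transaction or wish to dispute the
charge, call our billing desk at 1-800-555-0134 immediately.
"""

# Constructed sample: a genuine small-business invoice that also lists a phone number.
BENIGN_SAMPLE = """\
From: "Rainier Plumbing via PayPal" <service@paypal.com>
To: victim@example.com
Subject: Invoice 0091 from Rainier Plumbing
Content-Type: text/plain; charset=utf-8

Rainier Plumbing sent you an invoice for $180.00 for the water heater
service on March 3. Questions about this invoice? Call (206) 555-0199.
"""

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, BENIGN_SAMPLE):
        print(analyze(sample))
```

The benign invoice is deliberately included because a phone number on its own is not the signal: plenty of real invoices carry one. What distinguishes the scam is the combination of an impersonated consumer product, pressure language and a "call us" instruction arriving through a platform whose reputation the scammer is borrowing.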

The software is used to get into your computer, find sensitive information and steal it, which is called exfiltration in cybersecurity circles. The stolen information may be held for ransom by the threat actor. It may be used as a foothold to attack a larger network, such as your employer's. But most often whoever is in your computer is looking for a way to make a quick buck through any number of identity theft schemes.

Callback phishing uses several familiar tactics from other forms of cybercrime, including tech-support scams, vishing and ransomware. The goal is to steal information from you for resale on the dark web, or to be used in the commission of identity theft.

A recent study found that callback phishing and other voice-based scams (where the target ends up on the phone with an actual human being) increased by more than 600% in the twelve months following the first quarter of 2021.

For a personal account of a callback phishing scam, check out this episode of What the Hack with Adam Levin. 

Takeaways:

  • Don’t click on links or attachments that you are not expecting, even if they were sent from a legitimate domain name.
  • Remember how hard it is to get a human being on the phone even at small to medium sized companies. How likely is it that you got someone at Norton on the first ring?
  • Be very careful if you receive an urgent email. Scammers make a living off our flinch reflex.
  • Never install software you are directed to install over the phone unless you initiated the call, and you dialed a number you looked up yourself rather than one printed in the email.