What is Callback Phishing?
Callback phishing (also called TOAD—Telephone-Oriented Attack Delivery) evolved as attackers sought ways to bypass email security controls that effectively detect malicious links and attachments. Typical callback phishing emails impersonate subscription services (claiming unauthorized charges), tech support (warning of security issues), delivery services (regarding failed shipments), or financial institutions (alerting to suspicious activity). The emails contain no links or attachments—just a phone number and an urgent call to action. When victims call, trained operators use social engineering scripts to guide them through installing remote access software, visiting credential harvesting sites, purchasing gift cards, or making wire transfers. The human interaction allows attackers to adapt tactics in real time and overcome victim hesitation.
Business Impact
Callback phishing bypasses technical email security controls by containing no obviously malicious content—just text and a phone number. Organizations cannot easily filter these messages without blocking legitimate customer service communications. The phone-based social engineering is highly effective because real-time conversation builds trust and urgency that static phishing pages cannot match. Victims who would never click suspicious links willingly follow phone instructions from convincing operators. For brands being impersonated, callback phishing creates customer service burdens, reputational damage, and potential liability when customers lose money to scammers claiming to represent the organization.
Allure Security's Approach
Detecting callback phishing requires monitoring for phone numbers being used in impersonation campaigns and tracking the infrastructure attackers use to operate call centers. By identifying phone numbers associated with brand abuse and coordinating takedown with telecommunications providers, organizations can disrupt callback phishing operations that evade traditional email security.
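The lure pattern described above (a brand name, an urgent call to action, a phone number, and no link or attachment) and the phone-number tracking described in this section can be turned into a triage heuristic that a mail security team runs over inbound messages. The Python below is an added example, not code from the original page or from Allure Security. The brand list, urgency terms, block list of abuse numbers, scoring weights and sample messages are constructed for illustration; the phone numbers use the reserved 555-01xx range and belong to no real campaign.

```python
"""Heuristic triage for callback-phishing (TOAD) lures.

Added example, not part of the original page or any vendor product.
Scores a plain-text email on four signals: a phone number present while
no link or attachment is, an impersonated brand name, urgency wording,
and a phone number already tied to brand abuse. Numbers are normalised
so that the same line written as 800-555-0142, (800) 555.0142 or
+1 800 555 0142 matches one block-list entry.
"""
import re
from dataclasses import dataclass, field

# North American numbers in the common written forms.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)

# Constructed lists for illustration; a real deployment would load these
# from threat intelligence and from the organisation's own brand set.
URGENCY_TERMS = ("within 24 hours", "immediately", "unauthorized",
                 "suspended", "will be charged", "act now", "call now")
IMPERSONATED_BRANDS = ("geek squad", "norton", "paypal", "amazon", "microsoft")
KNOWN_ABUSE_NUMBERS = {"18005550142"}  # constructed placeholder (reserved 555-01xx range)

SUSPECT_THRESHOLD = 3


def normalize_phone(raw: str) -> str:
    """Strip punctuation and force a leading country code 1 on 10-digit numbers."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    return digits


@dataclass
class Verdict:
    score: int = 0
    phones: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

    @property
    def suspect(self) -> bool:
        return self.score >= SUSPECT_THRESHOLD


def triage(subject: str, body: str, has_attachment: bool = False) -> Verdict:
    """Score one message; higher means more like a callback-phishing lure."""
    text = f"{subject}\n{body}"
    lower = text.lower()
    verdict = Verdict()
    verdict.phones = sorted({normalize_phone(m.group()) for m in PHONE_RE.finditer(text)})

    # Signal 1: the defining shape of a callback lure, a number but nothing clickable.
    if verdict.phones and not URL_RE.search(text) and not has_attachment:
        verdict.score += 2
        verdict.reasons.append("phone number with no link or attachment")

    # Signal 2: a brand the organisation knows is impersonated.
    brands = [b for b in IMPERSONATED_BRANDS if b in lower]
    if brands:
        verdict.score += 1
        verdict.reasons.append("impersonated brand: " + ", ".join(brands))

    # Signal 3: pressure to act now.
    urgency = [t for t in URGENCY_TERMS if t in lower]
    if urgency:
        verdict.score += 1
        verdict.reasons.append("urgency wording: " + ", ".join(urgency))

    # Signal 4: the strongest signal, a number already attributed to brand abuse.
    known = [p for p in verdict.phones if p in KNOWN_ABUSE_NUMBERS]
    if known:
        verdict.score += 3
        verdict.reasons.append("known abuse number: " + ", ".join(known))
    return verdict


# Constructed sample messages; none of these are real mail.
SAMPLES = {
    "known_lure": ("Your Norton subscription has been renewed",
                   "Your annual Norton 360 subscription has been renewed for $399.99. "
                   "If you did not authorize this charge, call our billing desk immediately "
                   "at +1 (800) 555-0142 within 24 hours to cancel."),
    "unknown_lure": ("Purchase alert",
                     "Amazon: unauthorized purchase of $1,299 detected on your account. "
                     "Call 833-555-0117 immediately to cancel."),
    "shipping_notice": ("Your order has shipped",
                        "Track your package at https://www.example.com/track/12345 "
                        "or call customer care at 800-555-0199."),
    "internal_memo": ("Team lunch", "Friday at noon, the usual place."),
}


def run_samples() -> dict:
    """Triage every sample and return the verdicts keyed by label."""
    return {label: triage(subj, body) for label, (subj, body) in SAMPLES.items()}


if __name__ == "__main__":
    for label, v in run_samples().items():
        flag = "SUSPECT" if v.suspect else "ok"
        print(f"{label:16} score={v.score} {flag:8} phones={v.phones} {v.reasons}")
```

The phone-number-only rule deliberately scores higher than the brand or urgency wording, because wording is easy for an attacker to vary while the number is the one artefact the victim must receive intact. Numbers extracted from mail that scores as suspect are the candidates to feed into the block list and into takedown requests to the carrier, which is the feedback loop the section above describes.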