- Callback Phishing
Attack Type: Callback Phishing
Callback phishing is a straightforward but dangerous scam that usually begins with a fake invoice or receipt. These attacks often appear to be a charge from a well-known company, such as Norton, McAfee, Geek Squad, or Apple. The email includes a phone number to call if the charge wasn't authorized. The goal is to get you to call that number, not to click a link.
Once you're on the phone, the attacker often poses as a customer service representative. They might ask for personal information, offer to help you “cancel the charge,” or convince you to install remote support software. From there, they can access your device, steal sensitive data, or walk you through a fake refund process that results in real financial loss.
Because there’s often no link or attachment in the email, these messages can bypass traditional security filters. Once the conversation moves to a phone call, it’s out of sight from most security tools. That’s what makes this type of attack so effective and why it’s important to verify unexpected emails or charges through official channels, not the contact info provided in the message.
Blog Posts
Tactics & Techniques (10):
Detection Methods (12):
Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities | |
|---|---|---|---|---|
Attachment: Callback Phishing solicitation via pdf file | 9h ago Jun 18th, 2025 UTC | Sublime Security | /feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097 | |
Callback Phishing solicitation in message body | 2d ago Jun 16th, 2025 UTC | Sublime Security | /feeds/core/detection-rules/callback-phishing-solicitation-in-message-body-10a3a446 | |
Link: Webflow Link from Unsolicited Sender | 5d ago Jun 13th, 2025 UTC | Sublime Security | /feeds/core/detection-rules/link-webflow-link-from-unsolicited-sender-d4f3b8cf | |
Suspicious mailer received from Gmail servers | 6d ago Jun 12th, 2025 UTC | Sublime Security | /feeds/core/detection-rules/suspicious-mailer-received-from-gmail-servers-f05f04ee | |
Link: /index.php Enclosed in Three Asterisks | 8d ago Jun 10th, 2025 UTC | Sublime Security | /feeds/core/detection-rules/link-indexphp-enclosed-in-three-asterisks-aa4bbafc | |
Encrypted Microsoft Office Files From Untrusted Senders | 14d ago Jun 4th, 2025 UTC | Sublime Security | /feeds/core/detection-rules/encrypted-microsoft-office-files-from-untrusted-senders-eb7b26e7 | |
Callback Phishing: AOL Senders with Suspicious HTML Template or PDF Attachment | 15d ago Jun 3rd, 2025 UTC | Sublime Security | /feeds/core/detection-rules/callback-phishing-aol-senders-with-suspicious-html-template-or-pdf-attachment-f6044eed | |
PayPal Invoice Abuse | 26d ago May 23rd, 2025 UTC | Sublime Security | /feeds/core/detection-rules/paypal-invoice-abuse-0ff7a0d4 | |
Service Abuse: HelloSign Share with Suspicious Sender or Document Name | 26d ago May 23rd, 2025 UTC | Sublime Security | /feeds/core/detection-rules/service-abuse-hellosign-share-with-suspicious-sender-or-document-name-464d98f3 | |
Callback phishing via Intuit service abuse | 28d ago May 21st, 2025 UTC | Sublime Security | /feeds/core/detection-rules/callback-phishing-via-intuit-service-abuse-f2fe1294 | |
Link: Direct POWR.io Form Builder with Suspicious Patterns | 1mo ago May 5th, 2025 UTC | Sublime Security | /feeds/core/detection-rules/link-direct-powrio-form-builder-with-suspicious-patterns-fd37cc93 | |
Service Abuse: Adobe Sign Notification From an Unsolicited Reply-To Address | 1mo ago Apr 30th, 2025 UTC | Sublime Security | /feeds/core/detection-rules/service-abuse-adobe-sign-notification-from-an-unsolicited-reply-to-address-d00893ba | |
Brand Impersonation: AliExpress | 1mo ago Apr 28th, 2025 UTC | Sublime Security | /feeds/core/detection-rules/brand-impersonation-aliexpress-b14703d8 | |
Callback Phishing via Xodo Sign comment | 1mo ago Apr 28th, 2025 UTC | Sublime Security | /feeds/core/detection-rules/callback-phishing-via-xodo-sign-comment-6f722c5d | |
Callback Phishing via Adobe Sign comment | 1mo ago Apr 25th, 2025 UTC | Sublime Security | /feeds/core/detection-rules/callback-phishing-via-adobe-sign-comment-7eb4516d | |
Callback Phishing: SumUp Infrastructure Abuse | 2mo ago Apr 18th, 2025 UTC | Sublime Security | /feeds/core/detection-rules/callback-phishing-sumup-infrastructure-abuse-1c41649e | |
Generic Service Abuse From Newly Registered Domain | 2mo ago Apr 15th, 2025 UTC | Sublime Security | /feeds/core/detection-rules/generic-service-abuse-from-newly-registered-domain-0937b4c5 | |
Callback Phishing via Calendar Invite | 2mo ago Apr 14th, 2025 UTC | Sublime Security | /feeds/core/detection-rules/callback-phishing-via-calendar-invite-95c84360 | |
Brand Impersonation: Vanguard | 2mo ago Apr 11th, 2025 UTC | Sublime Security | /feeds/core/detection-rules/brand-impersonation-vanguard-3bd048fe | |
Service Abuse: Dropbox Share From an Unsolicited Reply-To Address | 2mo ago Apr 11th, 2025 UTC | Sublime Security | /feeds/core/detection-rules/service-abuse-dropbox-share-from-an-unsolicited-reply-to-address-50a1499f |