Don’t Be the Next Victim of Callback Phishing
The next time you get an urgent message to call a number that’s not in your contact list, picture a toad. Would you pick up this notoriously ugly amphibian, kiss it, or carry it home? With the same disdain you might have for the toad, don’t call the number.
Between July and September 2024, Trustwave researchers detected a 140% surge in callback phishing attacks, also known as Telephone-Oriented Attack Delivery (TOAD). This method involves sending phishing emails to entice recipients to call a specific phone number for what seems like a legitimate purpose. It is not.
Why You Should Take Callback Phishing Attacks Seriously
The rising trend indicates that cybercriminals increasingly use this approach to deceive victims into disclosing sensitive information through seemingly legitimate emails. Callback phishing attacks can lead to financial losses, reputational damage, and the installation of ransomware.
According to the Proofpoint 2024 State of the Phish report, 67% of the 7,500 end users and 1,050 security professionals surveyed across 15 countries said they had fallen victim to a callback phishing attempt in 2023. With 10 million monthly TOAD messages going out, it’s not hard to see how this happens.
Recognize Tactics Used in Callback Phishing Attacks
Initial Contact:
- The attacker contacts the victim through various communication channels, such as phone calls, emails, or text messages.
- The message conveys urgency or importance, baiting the victim into responding quickly without much thought. Examples include responding to regain access to an expired account, avoiding a late fee, or updating critical personal information with HR.
Impersonation:
- The attacker poses as a legitimate organization, using logos, email addresses, or phone numbers that closely resemble those of trusted organizations.
- Fraudulent calls targeting IT help desks in healthcare organizations are a recurring concern that the HHS has highlighted in ongoing warnings.
Pretext:
- The attacker establishes a pretext for the callback, citing reasons such as security concerns, account issues, or the need for immediate action to resolve a problem.
Request for Information or Action:
- The phishing attempt typically aims to obtain usernames, passwords, credit card details, or personal identification information (PII).
- Another ploy is to get the victim to click on a link, download an attachment, or perform some other action supposedly required before calling back to resolve the matter; any of these actions compromises their security.
Creating Urgency:
- Callback phishing attacks leverage a sense of urgency or fear, suggesting that failure to comply with the request will result in negative consequences such as account suspension, legal action, or financial loss.
Manipulation Techniques:
- Social engineering techniques may be employed to manipulate the victim emotionally, making them more likely to overlook red flags and comply with the attacker’s demands.
- Sophisticated callback phishing schemes will leverage Artificial Intelligence (AI) and put victims in a waiting queue to mimic a real experience with a customer service team.
- Learn how AI is upping the game for hackers and how to thwart their attacks in this article: AI Makes Phishing Scams Seem Legitimate.
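The tactics above map directly onto indicators a mail filter or triage script can score: an unknown callback number, urgency language, a pretext, an action request, and an impersonation cue. The following is an added example (not code from the original article or from PrivaPlan) that scores constructed sample messages against those indicators. The keyword lists, the North American phone-number pattern, and the "unknown number plus at least two other indicators" threshold are illustrative assumptions, not a vendor rule set.

```python
import re
from dataclasses import dataclass, field

# Illustrative keyword sets distilled from the tactics listed above
# (assumption of this example, not a production rule set).
URGENCY_TERMS = (
    "urgent", "immediately", "within 24 hours", "final notice",
    "suspended", "expire", "late fee", "legal action",
)
ACTION_TERMS = ("call us", "call back", "call the number", "download",
                "click", "verify your", "confirm your")
PRETEXT_TERMS = ("security concern", "suspicious activity", "account issue",
                 "unusual sign-in", "update your", "renewal")
IMPERSONATION_TERMS = ("help desk", "hr department", "billing",
                       "support team", "account services")

# North American phone-number pattern; adequate for a demonstration.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)


def normalize_number(raw):
    """Reduce a phone number to its last 10 digits for comparison."""
    return re.sub(r"\D", "", raw)[-10:]


@dataclass
class Verdict:
    indicators: list = field(default_factory=list)
    unknown_numbers: list = field(default_factory=list)

    @property
    def score(self):
        return len(self.indicators)

    @property
    def suspicious(self):
        # Unknown callback number plus at least two further indicators.
        return bool(self.unknown_numbers) and self.score >= 3


def assess(message, known_numbers=frozenset()):
    """Score one message against the callback-phishing indicators."""
    text = message.lower()
    verdict = Verdict()
    found = {normalize_number(m.group()) for m in PHONE_RE.finditer(message)}
    known = {normalize_number(n) for n in known_numbers}
    verdict.unknown_numbers = sorted(found - known)
    if verdict.unknown_numbers:
        verdict.indicators.append("callback number not in trusted list")
    for label, terms in (("urgency", URGENCY_TERMS),
                         ("action request", ACTION_TERMS),
                         ("pretext", PRETEXT_TERMS),
                         ("impersonation", IMPERSONATION_TERMS)):
        if any(t in text for t in terms):
            verdict.indicators.append(label)
    return verdict


# Constructed sample messages for demonstration (not real mail).
PHISH = """Subject: Final notice: your account will be suspended
Our billing department detected suspicious activity on your account.
Call us immediately at (555) 010-4242 to verify your payment details
and avoid a late fee. Failure to respond within 24 hours may result in legal action."""

BENIGN = """Subject: Q3 all-hands recording
Hi team, the recording from Thursday is posted on the intranet.
Questions? Ring the front desk at 555-010-9000 as usual."""

# Constructed trusted-number list, e.g. numbers from the company directory.
KNOWN_NUMBERS = frozenset({"555-010-9000"})

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("benign", BENIGN)):
        v = assess(msg, KNOWN_NUMBERS)
        print(name, "suspicious" if v.suspicious else "ok", v.indicators)
```

The trusted-number set is the programmatic form of "go directly to the source through known, trusted means": a number that is not already on file is treated as untrusted no matter how official the message looks.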
3 Steps to Protect Yourself From Callback Phishing Attacks
- Go directly to the source through known, trusted means.
- Avoid using numbers or links provided in emails or texts.
- Report the phishing attempt.
- Don’t pick up the toad.
Learn How to Recognize Phishing Attempts
Your workforce must be well-prepared to recognize and respond to phishing attempts. PrivaPlan can help your organization identify gaps in phishing knowledge with simulated phishing testing and targeted training.