Callback vishing: when phishing leads to vishing

Callback vishing is an interesting flavour of vishing where the attacker tricks their targets into calling a phone number.

It is an interesting attack vector: it blends phishing (or smishing) with a live voice-phishing interaction, and it relies on a different set of mechanisms than a straightforward cold call.

As we are working on different scenarios for our vishing simulation platform, I thought I’d take a deep dive into this kind of vishing attack.

The takeaway

  1. Callback vishing flips the script – Instead of directly calling victims, attackers use phishing emails or texts to prompt targets to call them, creating a false sense of control and increasing the likelihood of compliance.
  2. Real-time manipulation increases success – Once on a live call, attackers can adapt quickly, build authority, and guide victims through installing malware or sharing sensitive data, all while exploiting emotional pressure.
  3. Defense requires both filtering and training – Since these attacks often bypass traditional security (no malicious links or attachments), the best defense combines refined email filtering with robust, behavior-focused awareness training.

What is callback vishing?

Callback vishing is fairly simple.

The target receives an email or text message using the evergreen social engineering techniques like fear and urgency.

A fake subscription renewal, PayPal receipt or bank notification about an upcoming wire transfer from your account, each with a prominent phone number to call if anything is wrong — which, of course, it is.

As soon as the victim calls the number, the attacker follows a script designed to extract sensitive information, walk the victim through giving them initial access — installing remote desktop software, for instance — or get them to wire money.

Of course the vishing script will follow the initial pretext used in the messages with the phone number.

For instance, with a bank-notification pretext, the attacker plays the role of the bank’s customer service and offers to help the victim cancel the upcoming withdrawal. In reality, they guide the victim into transferring money to them.

Callback vishing attacks

There are plenty of vishing examples out there, but here are two notable callback vishing examples.

The Luna Moth Campaign

The process was very simple and straightforward:

  1. Victims received emails impersonating services like Zoho, Duolingo, or DocuSign, warning of charges or account issues.
  2. These emails included a phone number to call for help or cancellation.
  3. When the victim called, they spoke to an attacker posing as a customer service rep.
  4. The attacker convinced the victim to:
    • Download remote access tools (e.g., Zoho Assist, AnyDesk)
    • Grant access to their system
  5. From there, attackers navigated the system, exfiltrated data, and initiated extortion demands.

BazarCall

BazarCall was a callback vishing campaign as well. Its process was very similar and followed these steps:

  1. Phishing email: victims receive legitimate-looking emails claiming they've subscribed to a service (e.g., movie streaming, software trial, antivirus) with a fake invoice or charge. There is no link or malware in the email – just a phone number to "cancel" or "dispute the charge."
  2. The Callback: when the victim calls, a live operator (the attacker) answers. The attacker poses as customer support, giving instructions to cancel the subscription. They instruct the victim to visit a website and download a file (often disguised as a "cancellation form").
  3. Malware Installation: the downloaded file installs BazarLoader, a backdoor Trojan. BazarLoader connects to a command and control server, giving the attacker access to the system.
  4. Post-Infection Operations: The attackers move laterally across the network. Eventually, they deploy Conti ransomware, exfiltrate data, and initiate a double extortion scheme.

Analysis of deception mechanisms

Callback vishing is very interesting in terms of the deception mechanisms it uses.

First of all, it lets the victim initiate contact. This has two main effects that increase the likelihood of success for this attack:

  1. It preselects which victims are the most receptive. Only someone susceptible to the pretext (or a security researcher) will take the time to call the number.
  2. It lets the victim initiate the synchronous contact, which maximizes the chance of a connection and reinforces the victim’s illusion of control.

Once the connection is made, the attacker has numerous opportunities to build realism: corporate hold music, a fake front-desk operator, and so on. This adds depth to the pretext and improves the quality of the scam.

Finally, callback vishing, like all vishing, is a synchronous interaction. Unlike an email, which can be analyzed and reviewed in depth or with outside help, the attack happens live. The criminals can adapt their pitch and overcome objections during the exchange to maximise their success rate.

They can build pressure, confidence and authority during the call, reinforcing the emotional response of their target and leaving little room for rational thinking while it happens.

How to protect against callback vishing?

Because callback vishing needs an initial vector that isn’t a phone call, it can be partly mitigated by filters your email gateway can apply.

That said, given the nature of the threat, the lure is likely to bypass a lot of protection systems: the email carries no suspicious attachment and no suspicious link that would indicate an attack attempt.

However, specific wording and patterns (mentions of the word “bank” in a message from an unknown domain, for instance) might help advanced email filters detect and block the threat.
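As an added example (not Arsen’s code and not the logic of any particular email gateway), here is a small Python heuristic that scores messages on the signals this section describes: a phone number as the only call to action, no link or attachment, billing/urgency wording, and a brand claim from a sending domain that does not belong to that brand. The brand allowlist, the vocabulary and the flag threshold are assumptions to tune against your own mail flow; the three sample messages are constructed.

```python
import re
from dataclasses import dataclass, field

# Brands often impersonated in callback lures and the domains they really send from.
# Constructed allowlist for illustration only; build yours from observed mail flow.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "zoho": {"zoho.com"},
    "duolingo": {"duolingo.com"},
}

# Billing / urgency vocabulary typical of "call us to cancel" pretexts (assumed list).
LURE_WORDS = (
    "charge", "invoice", "receipt", "renewal", "subscription",
    "cancel", "dispute", "refund", "wire transfer", "bank", "within 24 hours",
)

# Loose phone-number pattern: a digit, 7+ digits/separators, a digit (9+ chars total).
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)

FLAG_THRESHOLD = 5  # assumption: tune against your own false-positive rate


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def sender_domain(addr: str) -> str:
    """'Billing <x@Sub.Example>' -> 'sub.example' (empty string if no '@')."""
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""


def score_message(sender: str, subject: str, body: str, has_attachment: bool = False) -> Verdict:
    """Score one message. A callback lure needs a number to call, so messages
    without any phone number exit early with score 0."""
    v = Verdict()
    text = f"{subject}\n{body}"
    lower = text.lower()

    if not PHONE_RE.search(text):
        return v
    v.add(2, "phone number present")

    if not URL_RE.search(text) and not has_attachment:
        v.add(1, "no link or attachment: the phone number is the only call to action")

    hits = sorted(w for w in LURE_WORDS if w in lower)
    if len(hits) >= 2:
        v.add(2, "billing/urgency wording: " + ", ".join(hits))

    dom = sender_domain(sender)
    for brand, good in BRAND_DOMAINS.items():
        if brand in lower and not any(dom == d or dom.endswith("." + d) for d in good):
            v.add(3, f"claims {brand} but sent from {dom or 'unknown domain'}")
    return v


# Constructed sample messages: one callback lure, one legitimate receipt, one colleague.
SAMPLES = {
    "lure": dict(
        sender="PayPal Billing <billing@account-services-mail.example>",
        subject="Your PayPal Premium subscription renewal was charged $499.99",
        body=("We could not reach you before the renewal. If you did not authorize "
              "this charge, call our cancellation desk at +1 (800) 555-0199 within "
              "24 hours to dispute it."),
    ),
    "legit": dict(
        sender="PayPal <service@paypal.com>",
        subject="Receipt for your payment",
        body=("Thanks for your payment. View the receipt at https://www.paypal.com/ "
              "or call +1 (888) 555-0140 if you have questions."),
    ),
    "colleague": dict(
        sender="Dana <dana@corp.example>",
        subject="Quick call?",
        body="Can you call me at (415) 555-0123 about the Q3 budget review?",
    ),
}


def screen_all(samples=SAMPLES) -> dict:
    """Score every sample and return {name: Verdict}."""
    return {name: score_message(**msg) for name, msg in samples.items()}


if __name__ == "__main__":
    for name, verdict in screen_all().items():
        print(f"{name:10} score={verdict.score} flagged={verdict.flagged}")
        for reason in verdict.reasons:
            print("   -", reason)
```

The brand-mismatch rule carries the most weight on purpose: a link-free email with a phone number is common in legitimate mail, but a message that names a well-known brand and arrives from an unrelated domain is the signature of the lures described above. In production this sits behind SPF/DKIM/DMARC results and a reputation feed rather than replacing them, and the reasons list is what a SOC analyst wants to see in the quarantine ticket.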

For any initial message that bypasses these protections (be it an email or an SMS), you’ll have to rely on two things:

  • A strong process
  • A comprehensive awareness training program so that people apply the process even when they are under stress and reacting emotionally

Conclusion

Callback vishing isn’t new and it’s not even particularly technical. But because it uses a combination of vectors and relies on surefire deception techniques, it is a dangerous

Want to protect your people against callback vishing and vishing attacks? Arsen’s vishing module will help you build comprehensive vishing awareness training with advanced AI vishing simulations to train employees and build safer reflexes.

If you want to know more about it, have a look at our vishing solutions page or request a demo; we will be happy to talk about it live.
