Callback Attack Phishing Scams Are Increasing

The phishing technique helps coax victims into downloading malicious files onto their devices, including ransomware.

Cybersecurity researchers tracking the evolution of a type of phishing campaign, “Callback attacks”, have commented on their increasing sophistication and ability to dupe victims.

Callback attacks start with a fake email and end with, in some cases, victims being coaxed into downloading files purporting to be antivirus software and other legitimate apps but are in fact malware.

In some cases, Conti ransomware was downloaded onto devices within 32 hours of a backdoor being delivered to the victim.

What Are Callback Attacks?

According to Trellix, authors of a new report detailing the ins and outs of Callback attacks (often called “BazarCall” attacks), the scam typically start with a victim being emailed by someone purporting to work for a company or organization they have taken out an expensive subscription with.

Enclosed in the email is a telephone number, which the victims are coerced into ringing to cancel their subscription.

The victim is then walked through a process that culminates in malware being downloaded onto their device, usually through some sort of remote takeover of their machine. Below is a diagram (courtesy of Trellix) illustrating the attack cycle:

Evolution of callback Attacks

A Brief History of Callback Attacks

This isn’t the first time we’ve seen a callback attack rear its ugly head, but it’s still a relatively novel form of phishing and certainly departs from the standard click-the-link-here style used by many cybercriminals.

Indeed, comparatively, this is a slightly longer game. BazarCall phishing campaigns “forgo malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling” Microsoft explains in a blog post from last year.

“It’s a technique reminiscent of vishing and tech support scams where potential victims are being cold-called by the attacker.”

Trellix says that BazarCall campaigns first came to light in 2020, and since then, the company has charted a “constant increase” in attacks originating with such tactics.

In early 2022, it was relaunched as an attack vector by Conti, but the actors behind the operation reportedly broke from the group in April, forming the “Silent Ransom” group. Since then, the BazarCall method of phishing has been adopted by other groups.

Protecting Your Business Against Phishing

The rise of a new phishing technique is always a concern because it shows the scam is profitable, and that it could potentially even dupe tech savvy victims.

There are, however, some golden rules you can follow to seriously reduce your chance of being phished. These include:

  • Not opening files received from unrecognized email addresses (even if they claim to be antivirus software).
  • Treating every email with spelling mistakes with extreme caution.
  • Reporting potentially suspicious emails to your IT or tech team.
  • Not clicking on emails picked up by your company email’s spam filter or phishing protection function.

Remember: you can always initiate a separate and distinct channel of communication with whatever company an email you’ve received purports to be from via their contact forms online.

Although this might take a bit longer, this will ensure a) you get any legitimate issue sorted and b) you don’t engage with malicious actors. A small price to pay, all things considered.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at

Written by:
Aaron Drapkin is a Lead Writer at He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol five years ago. As a writer, Aaron takes a special interest in VPNs, cybersecurity, and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, Cybernews, and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, ProPrivacy, The Week, and covering a wide range of topics.
Explore More See all news
Back to top
close Thinking about your online privacy? NordVPN is's top-rated VPN service See Deals