Researchers at Trustwave observed a 140% increase in callback phishing attacks between July and September 2024.
Callback phishing is a social engineering tactic that involves emails and phone calls to trick users into handing over login credentials or other sensitive data or installing malware.
The attacks begin with a phishing email that appears to be a notification for something that needs to be addressed urgently, such as an order invoice or an account termination notice.
The emails contain a phone number that the user can call to resolve the issue. If a user calls this number, the scammer will pose as a customer service agent in order to achieve one or more of the following goals:
-
“Vishing: Attackers will interrogate the victim for their personally identifiable information (PII), banking credentials, and other relevant details
-
Malware Download and Infection: In some campaigns including BazarCall, victims are instructed to visit a website that will directly download malware, such as a document with malicious macros. Attackers will guide them through the installation process. The infected machine is used for stealing information, reconnaissance, and installing follow-up malware
-
Remote Access Control: To settle the issue, the attackers will instruct the victim to download a remote administration tool and invite them to a meeting session. Once the victim is connected, attackers will take control of their machine via remote access. In some campaigns, such as Luna Moth, attackers blank out the screen to hide their actions. They will then proceed to steal information or install another malware for further exploitation”
The researchers note that getting the victim on the phone gives the scammer more control over the situation than simply communicating via email.
“A phone call provides real-time and dynamic communication between the victim and fraudsters. In a direct conversation, attackers can continue to manipulate and dispel hesitations,” Trustwave says. “The attacker often emphasizes the urgency of the matter, which might influence the victim into making a rash decision, such as divulging sensitive information.”
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Trustwave has the story.