- Cisco Talos warns of callback phishing scams on the rise
- Phishing emails come with PDF attachments, in which are phone numbers
- Threat actors are exploiting people’s trust in phone calls
Security researchers from Cisco Talos have warned of an ongoing phishing campaign in which victims are tricked into calling the attackers on the phone.
In a new report, the researchers said that between early May and early June 2025, they observed threat actors spoofing major tech companies, such as Microsoft, Adobe, or Docusign.
Cisco Talos calls this type of scam “callback phishing” – in the phishing emails, they would notify the victims of a problem, or an incoming/pending transaction, then share a phone number they control, and invite the victim to dial in and address these issues. During the call, the attackers would masquerade as a legitimate customer representative and explain to the victim that in order to sort out their problem, they need to either disclose sensitive information, or install a piece of malware on their device.
Callback phishing
“Attackers use direct voice communication to exploit the victim’s trust in phone calls and the perception that phone communication is a secure way to interact with an organization,” the researchers explained.
“Additionally, the live interaction during a phone call enables attackers to manipulate the victim’s emotions and responses by employing social engineering tactics. Callback phishing is, therefore, a social engineering technique rather than a traditional email threat.”
Most phone numbers used in these campaigns are VoIP ones, Cisco Talos further explained, stating that these are more difficult to trace.
The key information, including the attacker-controlled phone number, is shared via a .PDF file sent as an attachment. This is usually done to bypass traditional email security mechanisms and ensure the email lands in the inbox.
As an added layer of obfuscation, the attackers would sometimes add a QR code into the body of the PDF file, since most AV and email protection tools cannot scan that deep. Furthermore, QR codes are usually scanned via smartphone cameras, and mobile devices rarely have the same level of security as laptops or desktop computers do.
Via The Hacker News