Security | May 12, 2026 | 8 min read

How to Protect Yourself From Callback Phishing

By Sarah Chen

Head of Privacy Research

Callback phishing — also known as telephone-oriented attack delivery (TOAD) — has become one of the most effective phishing techniques in 2026. Unlike traditional phishing that tricks you into clicking a link, callback phishing sends you an email with a phone number and waits for you to call. When you do, a live scammer impersonates a support agent and walks you through compromising your own device. Here is how these attacks work and how to defend yourself.

What Is Callback Phishing?

Callback phishing is a hybrid attack that combines email and voice social engineering. The typical attack follows this pattern:

  1. The bait email: You receive an email that appears to be from a legitimate company — a subscription renewal notice, an invoice for a purchase you did not make, a security alert, or a payment confirmation. The email does not contain a malicious link or attachment.
  2. The phone number: Instead of a link, the email provides a customer support phone number and urges you to call immediately to dispute the charge, cancel the subscription, or resolve the security issue.
  3. The live scammer: When you call, you reach a real person operating from a call center. They sound professional, follow a script, and use hold music and transfer procedures that mimic legitimate customer support.
  4. The compromise: The scammer asks you to install remote access software, visit a malicious website, provide login credentials, or share personal information. Because you initiated the call, your guard is down — it feels like you are in control.

Why Callback Phishing Is So Effective

Traditional email filters catch malicious links and attachments. Callback phishing emails contain neither — just plain text and a phone number. This allows them to bypass spam filters at a much higher rate. And because the victim initiates the call, they are psychologically primed to trust the interaction.

How Callback Phishing Has Evolved in 2026

The threat has grown dramatically. Callback phishing was identified as the most common phishing pattern in early 2025, and the technique has continued to evolve:

AI-Powered Voice Scams

Scammers now use AI voice synthesis to impersonate specific people — your bank's customer service voice, a tech company representative, or even a colleague. Real-time AI inference allows them to respond naturally to your questions, improvise answers, and maintain the persona throughout the call. The latency is low enough that the conversation feels completely normal.

Multi-Channel Attacks

Modern attacks combine email, voice, and text in rapid sequence. You might receive an email about a suspicious charge, followed by an SMS confirmation, and then a phone call from "fraud prevention" — all within 30 minutes. The coordinated barrage makes the threat seem real and urgent.

Targeted Attacks Using Leaked Data

Scammers use information from data breaches and data broker sites to personalize their attacks. They may reference your real address, the last four digits of a card number, your employer, or family members — making the scam far more convincing than a generic phishing attempt.

Common Callback Phishing Scenarios

Watch for these common pretexts:

  • Subscription renewals: "Your Norton/McAfee/Amazon Prime subscription has been renewed for $399.99. Call to cancel."
  • Fake invoices: "Payment of $599 has been processed for your Geek Squad service plan. Call this number if you did not authorize this."
  • Security alerts: "Unusual activity detected on your account. Contact our fraud team immediately."
  • Tax and government notices: "The IRS has flagged an issue with your filing. Call to resolve before penalties are assessed."
  • Shipping and delivery: "A package requiring your signature has been returned. Call to reschedule delivery."
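The scenarios above share a shape that link-based filters miss: a phone number, no URL, a money or account pretext, and urgency wording. As an added illustration (example code written for this article, not the author's or PrivacyOn's), here is a small Python heuristic that scores a message body on exactly those traits; the sample messages and thresholds are constructed.

```python
import re

# Added example, not from the original article: a heuristic for the
# callback-phishing shape (phone number present, no link, pretext, urgency).
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)
MONEY_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
PRETEXT_RE = re.compile(
    r"\b(?:renewed|subscription|invoice|payment|charge|unusual activity|"
    r"fraud|irs|flagged|package|delivery)\b", re.IGNORECASE)
URGENCY_WORDS = ("immediately", "call to cancel", "call this number", "call to",
                 "within 24 hours", "before penalties", "did not authorize")


def score_callback_phish(body: str) -> dict:
    """Return the signals found in one email body plus a simple score."""
    text = body.lower()
    signals = {
        "phone_number": PHONE_RE.search(body) is not None,
        "no_url": URL_RE.search(body) is None,
        "money_amount": MONEY_RE.search(body) is not None,
        "pretext": PRETEXT_RE.search(body) is not None,
        "urgency": any(w in text for w in URGENCY_WORDS),
    }
    # A phone number with no link is the defining trait; pretext, urgency and a
    # dollar amount each add one point. Constructed threshold: tune on real mail.
    score = 2 if (signals["phone_number"] and signals["no_url"]) else 0
    score += int(signals["pretext"]) + int(signals["urgency"]) + int(signals["money_amount"])
    signals["score"] = score
    signals["suspicious"] = score >= 4
    return signals


# Constructed sample messages modelled on the pretexts listed above.
SAMPLES = {
    "renewal": "Your Norton subscription has been renewed for $399.99. "
               "Call (800) 555-0142 within 24 hours to cancel.",
    "geek_squad": "Payment of $599 has been processed for your Geek Squad plan. "
                  "Call this number if you did not authorize this: 888-555-0199",
    "legit_receipt": "Thanks for your order! View it at https://example.com/orders/123. "
                     "Questions? Reply to this email.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, score_callback_phish(body))
```

The two constructed scam bodies score 5 and the legitimate receipt scores 0, which shows why a content rule needs to look at the phone-number-plus-pretext pattern rather than at links alone.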

The Golden Rule

Never call a phone number provided in an unexpected email or text. If you think the message might be legitimate, look up the company's official phone number independently — from their official website, from the back of your credit card, or from a previous legitimate communication. Call that number instead.

How to Protect Yourself

1. Verify Independently

If you receive an email about a charge, subscription, or security issue, do not use the phone number in the email. Go directly to the company's official website or app to check your account status. If you need to call, use the number listed on the official website.

2. Check Your Actual Accounts

Before reacting to any alert, log in to the relevant account directly. Check your bank statements, subscription dashboards, and order histories. If there is no matching charge or alert, the email is a scam.

3. Recognize Urgency as a Red Flag

Legitimate companies rarely demand that you call immediately or face dire consequences. Urgency, fear, and pressure are hallmarks of social engineering. If an email makes you feel panicked, slow down and verify before acting.

4. Never Install Software at Someone's Request

No legitimate support agent will ask you to install remote access tools like AnyDesk, TeamViewer, or a "support utility" during a call you placed to a number taken from an email. This is always a scam.

5. Use Strong Authentication

Enable multi-factor authentication on all important accounts, ideally using FIDO2 hardware keys or authenticator apps rather than SMS codes. Even if a scammer obtains your password through a callback phishing attack, MFA provides a critical second barrier.

6. Report the Attempt

Forward phishing emails to the company being impersonated and to reportphishing@apwg.org. If you shared financial information, contact your bank immediately. If you installed software, disconnect from the internet and run a full malware scan.

Reduce Your Exposure

Callback phishing is far more effective when scammers know your personal details. Data brokers and people search sites publish your name, address, phone number, email, and even family members' names — providing attackers with the ammunition they need to craft convincing, personalized scams.

PrivacyOn removes your personal information from 100+ data broker and people search sites, making it significantly harder for scammers to target you with personalized callback phishing attacks. We also monitor the dark web for leaked credentials and alert you if your information appears in new breaches. Plans start at $8.33 per month with family coverage for up to 5 people.

Sarah Chen

Head of Privacy Research

CIPP/US Certified | IAPP Member | B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.

Ready to Protect Your Privacy?

Let PrivacyOn automatically remove your personal information from data broker sites and keep it removed.