What Is a Callback Scam?
A callback scam tricks you into calling a phone number controlled by an attacker. Once you call, the scammer poses as tech support, your bank, or a government agency to steal money, install remote access software, or harvest credentials. The call is always the trap—and attackers engineer every reason for you to make it.
Key Takeaways
You are the one making the call and that's the trap. Unlike traditional phishing or vishing, callback scams manipulate victims into initiating contact with the attacker, which makes the interaction feel voluntary and trustworthy, bypassing natural suspicion.
These attacks are nearly invisible to security tools. Callback phishing emails (known as Telephone-Oriented Attack Delivery attacks) contain no malicious links or attachments, just a phone number, meaning they sail past email filters undetected, making human awareness the only line of defense at the point of delivery.
The playbook always escalates to money or access. Whether through fake refunds, gift card requests, or remote access tool installations, the end goal is the same: drain accounts, steal credentials, or establish a persistent foothold that can lead to ransomware deployment.
Speed is everything if you've been targeted. If you called a scam number and followed any instructions, immediately disconnect remote sessions, notify your IT team, change your passwords, and contact your bank — the faster you act, the more damage can be contained.
What is a callback scam?
A callback scam is a social engineering attack where the victim is manipulated into initiating a phone call to an attacker-controlled number. Unlike a cold call from a scammer, the callback scam makes the victim feel like they're the one taking action—responding to a missed call, a voicemail, an alarming email, or an urgent text. That reversal of initiative is the whole point. You trust what you chose to do more than what was done to you.
Attackers don't break down the door; they convince you to open it and dial them up.
How does a callback scam work, step by step?
The mechanics vary by type, but most callback scams follow the same arc:
1. The hook arrives. A missed call, a voicemail, a PDF attachment, or an email lands. The message creates urgency: there's been a charge on your account, a suspicious transaction, a package that couldn't be delivered, or a problem only you can resolve by calling a specific number.
2. The victim calls. That's the goal. The attacker doesn't need to find you. You come to them.
3. Trust is established. The person who answers sounds professional, knowledgeable, sometimes even apologetic. They have your name. They have "your account details." They're "on your side."
4. The ask escalates. First it's small: confirm your identity, verify your card. Then it grows: let us access your computer remotely so we can "fix it," purchase gift cards to "secure your refund," log into your bank account so they can "process the reversal."
5. The damage is done. Money is transferred. Remote access tools are installed and left running. Credentials are harvested. The scammer hangs up.
The whole operation takes minutes. The victim often doesn't realize what happened until the account is drained.
What are the main types of callback scams?
One-ring and wangiri scams
The simplest form: your phone rings once and stops. The missed call shows an unfamiliar number: sometimes local, sometimes international. Curiosity or concern prompts you to call back. If it's a premium-rate number, the return call generates revenue for the attacker with every second you stay on the line. If it's a more sophisticated operation, you reach a live scammer who escalates from there.
The name "wangiri" comes from the Japanese for "one cut"—a single ring, then nothing.
Tech support and refund scams
You receive a pop-up alert, a voicemail, or an email warning of a virus, a suspicious charge, or an expiring subscription. The message looks like it's from Microsoft, Norton, Amazon, PayPal, or a well-known brand. A phone number is provided.
When you call, a "support agent" walks you through granting remote access to your device, typically via legitimate remote monitoring tools. They then stage a fake refund, "accidentally" overpaying you in a way only visible to them. They pressure you to repay the difference with gift cards. No refund was ever coming. The remote access tool stays installed long after the call ends.
Huntress SOC analysts have investigated real incidents where attackers gained initial access to business environments through exactly this technique—using legitimate remote management tools as their foothold.
Callback phishing — the business threat
This is the variant that keeps security teams up at night, and it's growing fast.
The attack starts with an email that contains no links and no malicious attachments, just a PDF or a plain-text message claiming you've been charged for a service. There's nothing for an email filter to catch. The only "payload" is a phone number.
When you call, the scammer walks you through steps that end with malware installed, credentials stolen, or a ransomware deployment in progress. Security researchers call this technique TOAD—Telephone Oriented Attack Delivery. The BazaCall campaign, linked to the Conti ransomware group, used this method to deliver BazaLoader and set the stage for ransomware across hundreds of organizations.
The reason it works: there's no suspicious link to hover over, no malicious file for your endpoint to flag. The entire attack runs through a phone call and the trust that comes with it.
How is a callback scam different from phishing, vishing, and smishing?
| | Phishing | Vishing | Smishing | Callback Scam |
| --- | --- | --- | --- | --- |
| Delivery | Email with link or attachment | Attacker calls you | SMS with link | You call the attacker |
| Direction of contact | Attacker initiates | Attacker initiates | Attacker initiates | Victim initiates |
| Main lure | Click a malicious link | Respond to caller | Click a link in text | Call a number |
| Why it's trusted | Branded email looks legit | Caller ID spoofing | Urgent SMS from known brand | Victim chose to call |
| Filter evasion | Depends on link/attachment | N/A | Depends on URL | Bypasses email security entirely |
| Business risk | High | High | Medium | Very high — evades most automated defenses |
The critical distinction: in a callback scam, the victim makes the call. That single shift in initiative dramatically increases trust—and dramatically reduces the chance that security tools will catch it. There's no link to block, no attachment to sandbox, no suspicious domain to flag.
See also: What is Vishing?
See also: What is a Scam Likely Call?
What are real-world examples of callback scams?
The Refund Scams SAT episode (sourced from a real Huntress SOC incident): A Huntress SOC analyst documented an attack in which a scammer convinced an employee to install a remote monitoring and management (RMM) tool to "fix" a fake billing issue. With the RMM running, the attacker staged a fake refund transaction in the browser using DevTools, making it appear that an overpayment had occurred. The victim was then pressured to purchase gift cards to "return" the money. The entry point: a callback to a scam phone number.
BazaCall / BazarCall: The Conti ransomware group used callback phishing to deliver BazaLoader across hundreds of targets between 2021 and 2022. Victims received emails claiming their free trial for a software subscription was about to auto-renew at a high price. Calling the number led to instructions that installed malware. BazaLoader then served as the launchpad for ransomware deployment. No link. No attachment. Just a phone call.
The UK storm scam: A Huntress team member received a voicemail during a major UK flooding event from someone posing as an elderly woman with a plumbing emergency, asking for a callback. The timing was deliberately chosen to match the real storm conditions, making the scenario plausible. When called back from a different number, the scammer's voice broke almost immediately. The detail that gave it away wasn't the script—it was the background noise of what sounded like a call center floor.
Scam call centers — an industry, not an incident: The scam operations behind callback fraud aren't lone actors. They're organized businesses with org charts, onboarding processes, CRM systems, and performance metrics. Scam baiters like YouTube creator Jim Browning have documented these operations inside out. This isn't amateur hour. Your people are being targeted by professionals with scripted responses for every objection.
Who is at risk from callback scams?
Everyone with a phone number is a potential target, but some scenarios carry higher business risk:
Employees who receive billing or IT-related emails: the most common lure for TOAD-style attacks
Finance and accounting teams are prime targets for fake refund and overpayment schemes
IT helpdesk staff are targeted with fake user reports that end in remote access grants
Small and mid-size businesses that often lack dedicated security staff who would recognize TOAD attack patterns
Organizations using RMM tools. Attackers know these tools exist and use the same software legitimately to hide malicious access
Anyone who uses AI tools to look up contact information: fake phone numbers seeded into AI search results can route unsuspecting users directly to scam call centers
How can you spot a callback scam?
Red flags in the initial message:
Urgency without specifics: "Your account has been flagged" with no account number, no transaction details, no verifiable reference
Instruction to call a number rather than visit an official website
Emails with only a PDF or plain text and no active links (this is actually a TOAD evasion technique)
The "brand" is familiar (Microsoft, Amazon, PayPal), but the email address or phone number doesn't match their official domains
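The four red flags above can be turned into a simple mail-triage check. The script below is an added example, not Huntress code; the brand-to-domain map, the urgency terms and the two sample messages are constructed for the illustration.

```python
import re

# Brands the article names as commonly impersonated, with the sender domains
# assumed official for this example.
BRAND_DOMAINS = {
    "microsoft": ("microsoft.com",),
    "amazon": ("amazon.com",),
    "paypal": ("paypal.com",),
    "norton": ("norton.com",),
}
URGENCY_TERMS = ("flagged", "suspended", "auto-renew", "has been charged", "within 24 hours", "immediately")
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://|www\.", re.I)
CALL_CUE_RE = re.compile(r"\b(?:call|dial|phone)\b", re.I)
# A verifiable reference: an account/order/invoice number the recipient can check.
REFERENCE_RE = re.compile(r"\b(?:account|order|invoice)\s*(?:#|no\.?|number)\s*[\w-]+", re.I)

def toad_indicators(sender, subject, body):
    """Return the callback-phishing red flags present in one message."""
    text = f"{subject}\n{body}"
    low = text.lower()
    flags = []
    has_phone = PHONE_RE.search(text) is not None
    if has_phone and not URL_RE.search(text):
        flags.append("phone number but no links")
    if has_phone and CALL_CUE_RE.search(text):
        flags.append("instruction to call a number")
    if any(t in low for t in URGENCY_TERMS) and not REFERENCE_RE.search(text):
        flags.append("urgency without a verifiable reference")
    domain = sender.rsplit("@", 1)[-1].lower()
    for brand, official in BRAND_DOMAINS.items():
        if brand in low and not any(domain == d or domain.endswith("." + d) for d in official):
            flags.append(f"mentions {brand} but sent from {domain}")
    return flags

# Constructed sample messages: one callback-phishing lure, one ordinary receipt.
SCAM_MSG = (
    "billing@secure-alerts.example",
    "Payment confirmation",
    "Your PayPal account has been charged $499.99 for a Norton subscription.\n"
    "If you did not authorize this, call 1-800-555-0142 within 24 hours to cancel.",
)
BENIGN_MSG = (
    "orders@amazon.com",
    "Your order has shipped",
    "Your order #11-234567 has shipped. Track it at https://www.amazon.com/orders.",
)

if __name__ == "__main__":
    for msg in (SCAM_MSG, BENIGN_MSG):
        print(msg[0], "->", toad_indicators(*msg))
```

A message that trips several of these flags at once is worth routing to a human reviewer even though a link-based filter would pass it clean.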
Red flags on the call:
The agent asks you to download or install anything; legitimate support does not require remote access as a first step
You're asked to purchase gift cards for any reason
You're told not to tell anyone about the call, including your IT team
The "refund" or "transaction" is only visible on your screen after following their instructions
You're transferred multiple times with escalating urgency
How can you protect your organization?
For individuals and employees:
Never call a number from an unexpected email or voicemail. If a charge or issue is legitimate, find the contact number directly on the company's official website—not from the message you received.
Treat remote access requests as a hard stop. No legitimate billing or refund process requires you to share your screen or install software.
Don't purchase gift cards as payment for anything. Gift cards are the currency of scams, not businesses.
Call back on a known number. If you're unsure whether a missed call is legitimate, look up the number independently and call the organization directly.
Tell your IT team immediately if you've followed any instructions from an unexpected caller—even if you're embarrassed. The faster a remote access tool is removed, the less damage it can do.
For organizations:
Train employees to recognize TOAD attacks. The no-link, no-attachment structure of callback phishing emails makes them invisible to most filters. Human recognition is the only defense at the point of delivery.
Establish a clear policy on remote access. Employees should know that IT will never ask them to install a tool via a phone call initiated by the employee.
Monitor for unexpected RMM tool installations. Legitimate tools—GoTo, AnyDesk, SimpleHelp—are commonly abused in callback scams. Their presence in unexpected contexts is an indicator worth flagging.
Add callback scam scenarios to your security awareness training. Generic phishing training doesn't cover TOAD. Your people need to know this attack vector specifically.
Verify AI-sourced phone numbers before calling. AI search tools can surface scam numbers from poisoned web content. Confirm any number through an official source first.
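The "monitor for unexpected RMM tool installations" advice above can be expressed as a small detection over process-creation telemetry. This is an added example, not Huntress code: the JSON events, the approved-host inventory and the path keywords used to recognise AnyDesk, SimpleHelp and GoTo are all constructed assumptions, not vendor-documented binary names.

```python
import json

# Substrings assumed to identify the remote access tools the article names as
# commonly abused. Match on image path, case-insensitively.
RMM_KEYWORDS = ("anydesk", "simplehelp", "goto")
# Parents that mean "a person launched this during a call", not "IT deployed it".
INTERACTIVE_PARENTS = ("chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "explorer.exe")
# Hosts where each tool is IT-approved (assumed inventory for the example).
RMM_INVENTORY = {"anydesk": {"IT-JUMP01"}}

# Constructed process-creation events, one JSON object per line.
SAMPLE_EVENTS = r"""
{"ts":"2024-03-04T09:02:11Z","host":"IT-JUMP01","user":"svc_rmm","image":"C:\\Program Files\\AnyDesk\\AnyDesk.exe","parent":"services.exe"}
{"ts":"2024-03-04T10:41:53Z","host":"FIN-LT07","user":"jdoe","image":"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe","parent":"chrome.exe"}
{"ts":"2024-03-04T10:42:30Z","host":"FIN-LT07","user":"jdoe","image":"C:\\Windows\\notepad.exe","parent":"explorer.exe"}
{"ts":"2024-03-04T14:17:05Z","host":"HR-LT02","user":"asmith","image":"C:\\Users\\asmith\\Downloads\\simplehelp-support.exe","parent":"outlook.exe"}
"""

def rmm_tool(image):
    """Return the RMM keyword found in an image path, or None."""
    low = image.lower()
    return next((k for k in RMM_KEYWORDS if k in low), None)

def detect_unexpected_rmm(event_lines, inventory):
    """Flag RMM processes that do not look like an IT-sanctioned deployment."""
    alerts = []
    for line in event_lines.strip().splitlines():
        ev = json.loads(line)
        tool = rmm_tool(ev["image"])
        if tool is None:
            continue
        reasons = []
        if ev["host"] not in inventory.get(tool, set()):
            reasons.append(f"{tool} not approved on {ev['host']}")
        if ev["parent"].lower() in INTERACTIVE_PARENTS:
            reasons.append(f"launched interactively from {ev['parent']}")
        if "\\users\\" in ev["image"].lower():
            reasons.append("running from a user profile, not an installed location")
        if reasons:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "tool": tool, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in detect_unexpected_rmm(SAMPLE_EVENTS, RMM_INVENTORY):
        print(a["ts"], a["host"], a["user"], a["tool"], "; ".join(a["reasons"]))
```

The approved jump host produces no alert; the two user-profile launches from a browser and from Outlook are exactly the "remote tool installed mid-call" pattern the article describes and should page the IT team.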
How does Huntress help protect against callback scams?
Callback scams that succeed often leave a trail: unexpected RMM tool installations, remote access sessions from unfamiliar IPs, credential changes after a call. Huntress Managed EDR detects the behavior after the callback—the remote access foothold, the persistence mechanism, the lateral movement—even when the initial social engineering flew under the radar.
On the human side, Huntress Managed Security Awareness Training includes a dedicated episode on refund scams—the most common callback scam targeting business employees. It's sourced directly from real incidents our SOC has investigated, covering how scammers use remote tools to fake transactions and why gift cards are always a red flag.
See the Refund Scams SAT episode →
See how Huntress detects the foothold attackers leave behind →
FAQs about callback scams