What Is a Callback Scam?

Written by: Brenda Buckman

Published: 4/24/2026


A callback scam tricks you into calling a phone number controlled by an attacker. Once you call, the scammer poses as tech support, your bank, or a government agency to steal money, install remote access software, or harvest credentials. The call is always the trap—and attackers engineer every reason for you to make it.

Key Takeaways

  • You are the one making the call and that's the trap. Unlike traditional phishing or vishing, callback scams manipulate victims into initiating contact with the attacker, which makes the interaction feel voluntary and trustworthy, bypassing natural suspicion.

  • These attacks are nearly invisible to security tools. Callback phishing emails (known as Telephone-Oriented Attack Delivery attacks) contain no malicious links or attachments, just a phone number, meaning they sail past email filters undetected, making human awareness the only line of defense at the point of delivery.

  • The playbook always escalates to money or access. Whether through fake refunds, gift card requests, or remote access tool installations, the end goal is the same: drain accounts, steal credentials, or establish a persistent foothold that can lead to ransomware deployment.

  • Speed is everything if you've been targeted. If you called a scam number and followed any instructions, immediately disconnect remote sessions, notify your IT team, change your passwords, and contact your bank — the faster you act, the more damage can be contained.

What is a callback scam?

A callback scam is a social engineering attack where the victim is manipulated into initiating a phone call to an attacker-controlled number. Unlike a cold call from a scammer, the callback scam makes the victim feel like they're the one taking action—responding to a missed call, a voicemail, an alarming email, or an urgent text. That reversal of initiative is the whole point. You trust what you chose to do more than what was done to you.

Attackers don't break down the door; they convince you to open it and dial them up.

How does a callback scam work, step by step?

The mechanics vary by type, but most callback scams follow the same arc:

1. The hook arrives. A missed call, a voicemail, a PDF attachment, or an email lands. The message creates urgency: there's been a charge on your account, a suspicious transaction, a package that couldn't be delivered, or a problem only you can resolve by calling a specific number.

2. The victim calls. That's the goal. The attacker doesn't need to find you. You come to them.

3. Trust is established. The person who answers sounds professional, knowledgeable, sometimes even apologetic. They have your name. They have "your account details." They're "on your side."

4. The ask escalates. First it's small: confirm your identity, verify your card. Then it grows: let us access your computer remotely so we can "fix it," purchase gift cards to "secure your refund," log into your bank account so they can "process the reversal."

5. The damage is done. Money is transferred. Remote access tools are installed and left running. Credentials are harvested. The scammer hangs up.

The whole operation takes minutes. The victim often doesn't realize what happened until the account is drained.

What are the main types of callback scams?

  1. One-ring and wangiri scams

The simplest form: your phone rings once and stops. The missed call shows an unfamiliar number, sometimes local, sometimes international. Curiosity or concern prompts you to call back. If it's a premium-rate number, the return call generates revenue for the attacker with every second you stay on the line. If it's a more sophisticated operation, you reach a live scammer who escalates from there.

The name "wangiri" comes from the Japanese for "one cut"—a single ring, then nothing.

  2. Tech support and refund scams

You receive a pop-up alert, a voicemail, or an email warning of a virus, a suspicious charge, or an expiring subscription. The message looks like it's from Microsoft, Norton, Amazon, PayPal, or a well-known brand. A phone number is provided.

When you call, a "support agent" walks you through granting remote access to your device, typically via legitimate remote monitoring tools. They then stage a fake refund, "accidentally" overpaying you in a way only visible to them. They pressure you to repay the difference with gift cards. No refund was ever coming. The remote access tool stays installed long after the call ends.

Huntress SOC analysts have investigated real incidents where attackers gained initial access to business environments through exactly this technique—using legitimate remote management tools as their foothold.

  3. Callback phishing — the business threat

This is the variant that keeps security teams up at night, and it's growing fast.

The attack starts with an email that contains no links and no attachments, just a PDF or a plain-text message claiming you've been charged for a service. There's nothing for an email filter to catch. The only "payload" is a phone number.

When you call, the scammer walks you through steps that end with malware installed, credentials stolen, or a ransomware deployment in progress. Security researchers call this technique TOAD—Telephone Oriented Attack Delivery. The BazaCall campaign, linked to the Conti ransomware group, used this method to deliver BazaLoader and set the stage for ransomware across hundreds of organizations.

The reason it works: there's no suspicious link to hover over, no malicious file for your endpoint to flag. The entire attack runs through a phone call and the trust that comes with it.

How is a callback scam different from phishing, vishing, and smishing?

                     | Phishing                      | Vishing            | Smishing                    | Callback Scam
Delivery             | Email with link or attachment | Attacker calls you | SMS with link               | You call the attacker
Direction of contact | Attacker initiates            | Attacker initiates | Attacker initiates          | Victim initiates
Main lure            | Click a malicious link        | Respond to caller  | Click a link in text        | Call a number
Why it's trusted     | Branded email looks legit     | Caller ID spoofing | Urgent SMS from known brand | Victim chose to call
Filter evasion       | Depends on link/attachment    | N/A                | Depends on URL              | Bypasses email security entirely
Business risk        | High                          | High               | Medium                      | Very high — evades most automated defenses

The critical distinction: in a callback scam, the victim makes the call. That single shift in initiative dramatically increases trust—and dramatically reduces the chance that security tools will catch it. There's no link to block, no attachment to sandbox, no suspicious domain to flag.

See also: What is Vishing?

See also: What is a Scam Likely Call?

What are real-world examples of callback scams?

The Refund Scams SAT episode (sourced from a real Huntress SOC incident): A Huntress SOC analyst documented an attack in which a scammer convinced an employee to install a remote monitoring and management (RMM) tool to "fix" a fake billing issue. With the RMM running, the attacker staged a fake refund transaction in the browser using DevTools, making it appear that an overpayment had occurred. The victim was then pressured to purchase gift cards to "return" the money. The entry point: a callback to a scam phone number.

BazaCall / BazarCall: The Conti ransomware group used callback phishing to deliver BazaLoader across hundreds of targets between 2021 and 2022. Victims received emails claiming their free trial for a software subscription was about to auto-renew at a high price. Calling the number led to instructions that installed malware. BazaLoader then served as the launchpad for ransomware deployment. No link. No attachment. Just a phone call.

The UK storm scam: A Huntress team member received a voicemail during a major UK flooding event from someone posing as an elderly woman with a plumbing emergency, asking for a callback. The timing was deliberately chosen to match the real storm conditions, making the scenario plausible. When called back from a different number, the scammer's voice broke almost immediately. The detail that gave it away wasn't the script—it was the background noise of what sounded like a call center floor.

Scam call centers — an industry, not an incident: The scam operations behind callback fraud aren't lone actors. They're organized businesses with org charts, onboarding processes, CRM systems, and performance metrics. Scam baiters like YouTube creator Jim Browning have documented these operations inside out. This isn't amateur hour. Your people are being targeted by professionals with scripted responses for every objection.

Who is at risk from callback scams?

Everyone with a phone number is a potential target, but some scenarios carry higher business risk:

  • Employees who receive billing or IT-related emails: the most common lure for TOAD-style attacks

  • Finance and accounting teams are prime targets for fake refund and overpayment schemes

  • IT helpdesk staff are targeted with fake user reports that end in remote access grants

  • Small and mid-size businesses that often lack dedicated security staff who would recognize TOAD attack patterns

  • Organizations using RMM tools. Attackers know these tools exist and use the same software legitimately to hide malicious access

  • Anyone who uses AI tools to look up contact information: fake phone numbers seeded into AI search results can route unsuspecting users directly to scam call centers

How can you spot a callback scam?

Red flags in the initial message:

  • Urgency without specifics: "Your account has been flagged" with no account number, no transaction details, no verifiable reference

  • Instruction to call a number rather than visit an official website

  • Emails with only a PDF or plain text and no active links (this is actually a TOAD evasion technique)

  • The "brand" is familiar (Microsoft, Amazon, PayPal), but the email address or phone number doesn't match their official domains
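The red flags above translate directly into mail-triage heuristics. The following is an added example, not code from the article or from Huntress: it scores a message on the four indicators listed (phone number as the only call to action, no active links or only a PDF, urgency with no verifiable reference, brand name that does not match the sender domain). The regexes, urgency terms, brand-to-domain map, threshold and all three sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumed patterns for this example; tune them for real mail flow.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URL_RE = re.compile(r"https?://|\bwww\.", re.IGNORECASE)
# "Specifics" a legitimate notice usually carries: an order/invoice/transaction id.
REFERENCE_RE = re.compile(
    r"\b(?:order|invoice|reference|account|ticket|transaction)\s*"
    r"(?:#|no\.?|number|id)?\s*[:#]?\s*[A-Z0-9][A-Z0-9-]{4,}\b",
    re.IGNORECASE,
)
URGENCY_TERMS = ("flagged", "suspended", "auto-renew", "charged",
                 "immediately", "24 hours", "unauthorized", "expire")
# Brand names the lures impersonate, mapped to the domain real mail comes from (assumed).
BRAND_DOMAINS = {"microsoft": "microsoft.com", "amazon": "amazon.com",
                 "paypal": "paypal.com", "norton": "norton.com"}


@dataclass
class Message:
    sender: str            # From: address
    subject: str
    body: str
    attachments: tuple = ()   # attachment file names


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower().strip(">")


def callback_lure_indicators(msg: Message) -> list:
    """Return the list of red flags present in a message (empty list = none)."""
    text = f"{msg.subject}\n{msg.body}"
    lower = text.lower()
    reasons = []
    has_url = URL_RE.search(text) is not None
    # 1. Instruction to call a number rather than visit a website.
    if PHONE_RE.search(text) and not has_url:
        reasons.append("call-to-action is a phone number, not a website")
    # 2. No active links, and any attachment is just a PDF (the TOAD evasion shape).
    if not has_url and all(a.lower().endswith(".pdf") for a in msg.attachments):
        reasons.append("no active links; only plain text or a PDF")
    # 3. Urgency without specifics: pressure words but no id a reader could verify.
    hits = [t for t in URGENCY_TERMS if t in lower]
    if hits and not REFERENCE_RE.search(text):
        reasons.append(f"urgency ({', '.join(hits)}) with no verifiable reference")
    # 4. Familiar brand, unfamiliar sender domain.
    domain = sender_domain(msg.sender)
    for brand, official in BRAND_DOMAINS.items():
        if brand in lower and not (domain == official or domain.endswith("." + official)):
            reasons.append(f"mentions {brand} but sender domain is {domain}")
    return reasons


def is_likely_callback_lure(msg: Message, threshold: int = 3) -> bool:
    # A single indicator (e.g. an internal plain-text notice) is normal; several together are not.
    return len(callback_lure_indicators(msg)) >= threshold


# Constructed samples (not real messages).
LURE = Message(
    sender="billing@secure-paypa1-notices.com",
    subject="PayPal: Unauthorized charge on your account",
    body="Your account has been flagged for an unauthorized charge of $399.99. "
         "Call 1-800-555-0199 within 24 hours to dispute it.",
    attachments=("Invoice.pdf",),
)
RECEIPT = Message(
    sender="no-reply@paypal.com",
    subject="Receipt for your payment to Example Store",
    body="You paid $24.00 to Example Store. Transaction ID: 7XK99213AB. "
         "View details at https://www.paypal.com/activity.",
)
INTERNAL = Message(
    sender="hr@example.com",
    subject="Reminder: timesheets due Friday",
    body="Please submit your timesheet before 5pm Friday. Thanks!",
)

if __name__ == "__main__":
    for m in (LURE, RECEIPT, INTERNAL):
        print(m.subject, "->", is_likely_callback_lure(m), callback_lure_indicators(m))
```

The threshold is the important design choice: the second indicator alone fires on every plain-text internal email, which is exactly why a no-link email is not suspicious by itself and why the article treats it as one signal among several.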

Red flags on the call:

  • The agent asks you to download or install anything; legitimate support does not require remote access as a first step

  • You're asked to purchase gift cards for any reason

  • You're told not to tell anyone about the call, including your IT team

  • The "refund" or "transaction" is only visible on your screen after following their instructions

  • You're transferred multiple times with escalating urgency

How can you protect your organization?

For individuals and employees:

  1. Never call a number from an unexpected email or voicemail. If a charge or issue is legitimate, find the contact number directly on the company's official website—not from the message you received.

  2. Treat remote access requests as a hard stop. No legitimate billing or refund process requires you to share your screen or install software.

  3. Don't purchase gift cards as payment for anything. Gift cards are the currency of scams, not businesses.

  4. Call back on a known number. If you're unsure whether a missed call is legitimate, look up the number independently and call the organization directly.

  5. Tell your IT team immediately if you've followed any instructions from an unexpected caller—even if you're embarrassed. The faster a remote access tool is removed, the less damage it can do.

For organizations:

  1. Train employees to recognize TOAD attacks. The no-link, no-attachment structure of callback phishing emails makes them invisible to most filters. Human recognition is the only defense at the point of delivery.

  2. Establish a clear policy on remote access. Employees should know that IT will never ask them to install a tool via a phone call initiated by the employee.

  3. Monitor for unexpected RMM tool installations. Legitimate tools—GoTo, AnyDesk, SimpleHelp—are commonly abused in callback scams. Their presence in unexpected contexts is an indicator worth flagging.

  4. Add callback scam scenarios to your security awareness training. Generic phishing training doesn't cover TOAD. Your people need to know this attack vector specifically.

  5. Verify AI-sourced phone numbers before calling. AI search tools can surface scam numbers from poisoned web content. Confirm any number through an official source first.
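Step 3 above (monitor for unexpected RMM tool installations) and the trail a successful callback leaves (an RMM tool appearing on a host that has no business running one, a remote session from an unfamiliar IP, a credential change shortly after) can be checked with a small correlation rule. This is an added example written for this article, not Huntress detection logic or product code. It assumes endpoint telemetry as one JSON object per line with the fields shown; the RMM name substrings, the approved-host list, the internal networks, the 60-minute window and the sample events are all constructed for illustration.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Assumed substring patterns for RMM tools named in the article; not a vetted signature set.
RMM_PATTERNS = {"anydesk": "AnyDesk", "simplehelp": "SimpleHelp", "goto": "GoTo"}
# Hosts where IT legitimately runs RMM software (constructed allowlist).
APPROVED_RMM_HOSTS = {"IT-ADMIN-01"}
# Address ranges a support session is expected to come from (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample telemetry; one JSON object per line (raw string keeps the Windows paths intact).
SAMPLE_EVENTS = r"""
{"ts": "2026-04-20T14:02:11Z", "host": "FIN-LAPTOP-07", "event": "process_start", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "user": "jdoe"}
{"ts": "2026-04-20T14:03:40Z", "host": "FIN-LAPTOP-07", "event": "remote_session", "tool": "AnyDesk", "remote_ip": "203.0.113.45", "user": "jdoe"}
{"ts": "2026-04-20T14:25:05Z", "host": "FIN-LAPTOP-07", "event": "password_change", "user": "jdoe"}
{"ts": "2026-04-20T09:15:00Z", "host": "IT-ADMIN-01", "event": "process_start", "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "user": "helpdesk"}
{"ts": "2026-04-20T09:16:00Z", "host": "IT-ADMIN-01", "event": "remote_session", "tool": "AnyDesk", "remote_ip": "10.20.0.5", "user": "helpdesk"}
"""


def rmm_name(image: str):
    """Map a process image path to an RMM product name, or None."""
    low = image.lower()
    for needle, name in RMM_PATTERNS.items():
        if needle in low:
            return name
    return None


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_internal(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def detect_callback_trail(events, approved_hosts, internal_nets, window=timedelta(minutes=60)) -> list:
    """Flag the three post-callback signals; events must be time-ordered (see parse_events)."""
    findings = []
    sessions = []   # remote sessions seen so far, for the credential-change correlation
    for ev in events:
        host = ev["host"]
        if ev["event"] == "process_start":
            tool = rmm_name(ev["image"])
            if tool and host not in approved_hosts:
                findings.append({"kind": "unapproved_rmm", "host": host, "tool": tool, "ts": ev["ts"]})
        elif ev["event"] == "remote_session":
            sessions.append(ev)
            if not is_internal(ev["remote_ip"], internal_nets):
                findings.append({"kind": "external_remote_session", "host": host,
                                 "remote_ip": ev["remote_ip"], "ts": ev["ts"]})
        elif ev["event"] == "password_change":
            # Credential change within `window` after a remote session for the same user on the same host.
            for s in sessions:
                if (s["host"] == host and s["user"] == ev["user"]
                        and timedelta(0) <= ev["ts"] - s["ts"] <= window):
                    findings.append({"kind": "credential_change_after_remote_session", "host": host,
                                     "user": ev["user"], "ts": ev["ts"]})
                    break
    return findings


if __name__ == "__main__":
    for f in detect_callback_trail(parse_events(SAMPLE_EVENTS), APPROVED_RMM_HOSTS, INTERNAL_NETS):
        print(f["ts"].isoformat(), f["host"], f["kind"])
```

On the sample data the helpdesk machine produces nothing (approved host, session from an internal address), while the finance laptop produces all three findings in sequence, which is the pattern worth paging on: the RMM process alone may be a user experimenting, but an external session followed by a password change on the same account is the shape of a completed callback.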

How does Huntress help protect against callback scams?

Callback scams that succeed often leave a trail: unexpected RMM tool installations, remote access sessions from unfamiliar IPs, credential changes after a call. Huntress Managed EDR detects the behavior after the callback—the remote access foothold, the persistence mechanism, the lateral movement—even when the initial social engineering flew under the radar.

On the human side, Huntress Managed Security Awareness Training includes a dedicated episode on refund scams—the most common callback scam targeting business employees. It's sourced directly from real incidents our SOC has investigated, covering how scammers use remote tools to fake transactions and why gift cards are always a red flag.

See the Refund Scams SAT episode →

See how Huntress detects the foothold attackers leave behind →

FAQs about callback scams

A callback scam is an attack where a victim is manipulated into calling a phone number controlled by a scammer. The attacker then impersonates tech support, a financial institution, or a government agency to steal money, install remote access software, or harvest credentials. The defining feature is that the victim makes the call—making it feel voluntary and therefore more trustworthy.

TOAD stands for Telephone Oriented Attack Delivery. It's a specific callback phishing technique where attackers send an email with no malicious links or attachments—just a phone number and a fake billing alert. Because there's nothing for email filters to flag, the message lands in the inbox. When the victim calls, the scammer delivers the actual attack: malware installation, credential theft, or the setup for a ransomware deployment. TOAD is how callback scams became a serious enterprise threat.

Vishing is any voice-based social engineering attack. In most vishing attacks, the attacker calls the victim. In a callback scam, the victim is manipulated into making the call themselves—through a missed call, a fake billing email, or an alarming voicemail. That reversal increases the victim's trust in whoever answers and reduces their suspicion that they're being targeted.

Act immediately. Disconnect any remote access sessions you granted. Contact your IT team or MSP and tell them exactly what happened and what instructions you followed. Change passwords for any accounts you mentioned or accessed during the call. If you provided payment information or purchased gift cards, contact your bank and the gift card issuer right away. The faster you report it, the more can be recovered.

Callback phishing emails typically contain no links and no attachments—just a PDF or plain text with a phone number. Email security tools scan for malicious URLs and file-based payloads. When there's nothing to scan, the email passes through. The entire attack runs through the phone call, which happens outside any automated security control.

A refund scam is a type of callback scam where the attacker convinces the victim that they're owed a refund. The victim is walked through installing a remote access tool so the scammer can "process" the refund. The scammer then stages a fake overpayment that only the victim can see—using browser tools to manipulate numbers on screen—and pressures them to return the difference via gift cards. No refund was ever coming. The goal was the remote access and the gift card payment.

Yes. Huntress Managed Security Awareness Training includes a Refund Scams episode that covers the callback scam playbook in detail—including how attackers use remote access tools to stage fake refunds and why gift cards are a universal scam red flag. The episode was developed from a real incident investigated by the Huntress SOC.
