Don’t let overlooked obligations become incidents. Learn how.
Utility navigation bar redirect icon
Portal LoginSupportBlogContact
Search
Close search
Huntress Logo in Teal
  • Platform Overview
    Managed EDR

    Get full endpoint visibility, detection, and response.

    Managed EDR

    Get full endpoint visibility, detection, and response.

    Managed ITDR: Identity Threat Detection and Response

    Protect your Microsoft 365 and Google Workspace identities and email environments.

    Managed ITDR: Identity Threat Detection and Response

    Protect your Microsoft 365 and Google Workspace identities and email environments.

    Managed SIEM

    Managed threat response and robust compliance support at a predictable price.

    Managed SIEM

    Managed threat response and robust compliance support at a predictable price.

    Managed Security Awareness Training Software

    Empower your teams with science-backed security awareness training.

    Managed Security Awareness Training Software

    Empower your teams with science-backed security awareness training.

    Managed ISPM

    Continuous Microsoft 365 and identity hardening, managed and enforced by Huntress experts.

    Managed ISPM

    Continuous Microsoft 365 and identity hardening, managed and enforced by Huntress experts.

    Managed ESPM

    Proactively secure endpoints against attacks.

    Managed ESPM

    Proactively secure endpoints against attacks.

    Integrations
    Integrations
    Support Documentation
    Support Documentation
    See Huntress in Action

    Quickly deploy and manage real-time protection for endpoints, email, and employees - all from a single dashboard.

    Huntress Cybersecurity
    See Huntress in Action

    Quickly deploy and manage real-time protection for endpoints, email, and employees - all from a single dashboard.

    Huntress Cybersecurity
  • Threats We Stop
    Phishing
    Phishing
    Business Email Compromise
    Business Email Compromise
    Ransomware
    Ransomware
    Infostealers
    Infostealers
    View Allright arrowView Allright arrow
    Industries We Serve
    Education
    Education
    Financial Services
    Financial Services
    State and Local Government
    State and Local Government
    Healthcare
    Healthcare
    Law Firms
    Law Firms
    Manufacturing
    Manufacturing
    Utilities
    Utilities
    View Allright arrowView Allright arrow
    Tailored Solutions
    MSPs
    MSPs
    Resellers
    Resellers
    SMBs
    SMBs
    Compliance
    Compliance
    What Gets Overlooked Gets Exploited

    Most days, nothing happens. But one day, something will.

    Huntress Cybersecurity
    Cybercriminals Have Evolved

    Get the intel on today’s cybercriminal groups and learn how to protect yourself.

    Huntress Cybersecurity
  • Pricing
  • Community Series
    The Product Lab

    Shape the next big thing in cybersecurity together.

    The Product Lab

    Shape the next big thing in cybersecurity together.

    Fireside Chat

    Real people. Real perspectives. Better conversations.

    Fireside Chat

    Real people. Real perspectives. Better conversations.

    Tradecraft Tuesday

    No products, no pitches – just tradecraft.

    Tradecraft Tuesday

    No products, no pitches – just tradecraft.

    _declassified

    Exposing hidden truths in the world of cybersecurity.

    _declassified

    Exposing hidden truths in the world of cybersecurity.

    Resources
    Upcoming Events
    Upcoming Events
    Ebooks
    Ebooks
    On-Demand Webinars
    On-Demand Webinars
    Videos
    Videos
    Whitepapers
    Whitepapers
    Datasheets
    Datasheets
    Cybersecurity Education
    Cybersecurity 101
    Cybersecurity 101
    Cybersecurity Guides
    Cybersecurity Guides
    Threat Library
    Threat Library
    Real Tradecraft, Real Results
    Real Tradecraft, Real Results
    2026 Cyber Threat Report
    2026 Cyber Threat Report
    The Huntress Blog
    When Cybersecurity and Cyber Insurance Don’t Quite Connect—And What We’re Doing Differently with Acrisure
    Huntress Cybersecurity
    When Cybersecurity and Cyber Insurance Don’t Quite Connect—And What We’re Doing Differently with Acrisure
    Huntress Cybersecurity
    How EvilTokens Turbocharges Old School Phishing with AI
    Huntress Cybersecurity
    How EvilTokens Turbocharges Old School Phishing with AI
    Huntress Cybersecurity
    “Service Agreement” Email Kickstarts Rogue RMM Tiflux Triple Threat
    Huntress Cybersecurity
    “Service Agreement” Email Kickstarts Rogue RMM Tiflux Triple Threat
    Huntress Cybersecurity
  • Why Huntress

    Go beyond AI in the fight against today’s hackers with Huntress Managed EDR purpose-built for your needs

    Huntress Cybersecurity
    Why Huntress

    Go beyond AI in the fight against today’s hackers with Huntress Managed EDR purpose-built for your needs

    Huntress Cybersecurity
    The Huntress SOC

    24/7 Security Operations Center

    The Huntress SOC

    24/7 Security Operations Center

    Reviews

    Why businesses of all sizes trust Huntress to defend their assets

    Reviews

    Why businesses of all sizes trust Huntress to defend their assets

    Case Studies

    Learn directly from our partners how Huntress has helped them

    Case Studies

    Learn directly from our partners how Huntress has helped them

    Community

    Get in touch with the Huntress Community team

    Community

    Get in touch with the Huntress Community team

    Compare Huntress
    Bitdefender
    Bitdefender
    Blackpoint
    Blackpoint
    Breach Secure Now!
    Breach Secure Now!
    Crowdstrike
    Crowdstrike
    Datto
    Datto
    SentinelOne
    SentinelOne
    Sophos
    Sophos
    Compare Allright arrowCompare Allright arrow
  • HUNTRESS HUB

    Login to access top-notch marketing resources, tools, and training.

    Huntress Cybersecurity
    HUNTRESS HUB

    Login to access top-notch marketing resources, tools, and training.

    Huntress Cybersecurity
    Partners
    MSPs

    Join our partner community to deliver expert-led managed security.

    MSPs

    Join our partner community to deliver expert-led managed security.

    Resellers

    Partner program designed to grow your cybersecurity business.

    Resellers

    Partner program designed to grow your cybersecurity business.

    Tech Alliances

    Driving innovation through global technology Partnerships

    Tech Alliances

    Driving innovation through global technology Partnerships

    Microsoft Partnership

    A Level-Up for Your Business Security

    Microsoft Partnership

    A Level-Up for Your Business Security

  • Press Release
    Huntress Announces Collaboration with Microsoft to Strengthen Cybersecurity for Businesses of All Sizes
    Huntress Cybersecurity
    Press Release
    Huntress Announces Collaboration with Microsoft to Strengthen Cybersecurity for Businesses of All Sizes
    Huntress Cybersecurity
    Our Story

    We're on a mission to shatter the barriers to enterprise-level security.

    Our Story

    We're on a mission to shatter the barriers to enterprise-level security.

    Newsroom

    Explore press releases, news articles, media interviews and more.

    Newsroom

    Explore press releases, news articles, media interviews and more.

    Meet the Team

    Founded by former NSA Cyber Operators. Backed by security researchers.

    Meet the Team

    Founded by former NSA Cyber Operators. Backed by security researchers.

    Careers

    Ready to shake up the cybersecurity world? Join the hunt.

    Careers

    Ready to shake up the cybersecurity world? Join the hunt.

    Awards
    Awards
    Contact Us
    Contact Us
  • Portal Login
  • Support
  • Blog
  • Contact
  • Search
  • Get a Demo
  • Start for Free
Portal LoginSupportBlogContact
Search
Close search
Get a Demo
Start for Free
HomeThreat Library
Callback Scam

What Is a Callback Scam?


Written by: Brenda Buckman

Published: 4/24/2026

Red caution sign overlaid on a picture of a laptop with a hand on the trackpad
ChatGPT logoChatGPTOpens in new tabClaude logoClaudeOpens in new tabPerplexity logoPerplexityOpens in new tabGoogle Gemini logoGoogle AIOpens in new tab
AI sparkle iconSummarize This Page
ChatGPT logoChatGPTOpens in new tabClaude logoClaudeOpens in new tabPerplexity logoPerplexityOpens in new tabGoogle Gemini logoGoogle AIOpens in new tab
On This Page
Key Takeaways
What is a callback scam?
How does a callback scam work, step by step?
What are the main types of callback scams?
How is a callback scam different from phishing, vishing, and smishing?
What are real-world examples of callback scams?
Who is at risk from callback scams?
How can you spot a callback scam?
How can you protect your organization?
How does Huntress help protect against callback scams?

A callback scam tricks you into calling a phone number controlled by an attacker. Once you call, the scammer poses as tech support, your bank, or a government agency to steal money, install remote access software, or harvest credentials. The call is always the trap—and attackers engineer every reason for you to make it.

Key Takeaways

  • You are the one making the call and that's the trap. Unlike traditional phishing or vishing, callback scams manipulate victims into initiating contact with the attacker, which makes the interaction feel voluntary and trustworthy, bypassing natural suspicion.

  • These attacks are nearly invisible to security tools. Callback phishing emails (known as Telephone-Oriented Attack Delivery attacks) contain no malicious links or attachments, just a phone number, meaning they sail past email filters undetected, making human awareness the only line of defense at the point of delivery.

  • The playbook always escalates to money or access. Whether through fake refunds, gift card requests, or remote access tool installations, the end goal is the same: drain accounts, steal credentials, or establish a persistent foothold that can lead to ransomware deployment.

  • Speed is everything if you've been targeted. If you called a scam number and followed any instructions, immediately disconnect remote sessions, notify your IT team, change your passwords, and contact your bank — the faster you act, the more damage can be contained.

What is a callback scam?

A callback scam is a social engineering attack where the victim is manipulated into initiating a phone call to an attacker-controlled number. Unlike a cold call from a scammer, the callback scam makes the victim feel like they're the one taking action—responding to a missed call, a voicemail, an alarming email, or an urgent text. That reversal of initiative is the whole point. You trust what you chose to do more than what was done to you.

Attackers don't break down the door; they convince you to open it and dial them up.

How does a callback scam work, step by step?

The mechanics vary by type, but most callback scams follow the same arc:

1. The hook arrives. A missed call, a voicemail, a PDF attachment, or an email lands. The message creates urgency: there's been a charge on your account, a suspicious transaction, a package that couldn't be delivered, or a problem only you can resolve by calling a specific number.

2. The victim calls. That's the goal. The attacker doesn't need to find you. You come to them.

3. Trust is established. The person who answers sounds professional, knowledgeable, sometimes even apologetic. They have your name. They have "your account details." They're "on your side."

4. The ask escalates. First it's small: confirm your identity, verify your card. Then it grows: let us access your computer remotely so we can "fix it," purchase gift cards to "secure your refund," log into your bank account so they can "process the reversal."

5. The damage is done. Money is transferred. Remote access tools are installed and left running. Credentials are harvested. The scammer hangs up.

The whole operation takes minutes. The victim often doesn't realize what happened until the account is drained.

What are the main types of callback scams?

  1. One-ring and wangiri scams

The simplest form: your phone rings once and stops. The missed call shows an unfamiliar number sometimes local, sometimes international. Curiosity or concern prompts you to call back. If it's a premium-rate number, the return call generates revenue for the attacker with every second you stay on the line. If it's a more sophisticated operation, you reach a live scammer who escalates from there.

The name "wangiri" comes from the Japanese for "one cut"—a single ring, then nothing.

  1. Tech support and refund scams

You receive a pop-up alert, a voicemail, or an email warning of a virus, a suspicious charge, or an expiring subscription. The message looks like it's from Microsoft, Norton, Amazon, PayPal, or a well-known brand. A phone number is provided.

When you call, a "support agent" walks you through granting remote access to your device typically via legitimate remote monitoring tools. They then stage a fake refund, "accidentally" overpaying you in a way only visible to them. They pressure you to repay the difference with gift cards. No refund was ever coming. The remote access tool stays installed long after the call ends.

Huntress SOC analysts have investigated real incidents where attackers gained initial access to business environments through exactly this technique—using legitimate remote management tools as their foothold.

  1. Callback phishing — the business threat

This is the variant that keeps security teams up at night, and it's growing fast.

The attack starts with an email that contains no links and no attachments just a PDF or a plain-text message claiming you've been charged for a service. There's nothing for an email filter to catch. The only "payload" is a phone number.

When you call, the scammer walks you through steps that end with malware installed, credentials stolen, or a ransomware deployment in progress. Security researchers call this technique TOAD—Telephone Oriented Attack Delivery. The BazaCall campaign, linked to the Conti ransomware group, used this method to deliver BazaLoader and set the stage for ransomware across hundreds of organizations.

The reason it works: there's no suspicious link to hover over, no malicious file for your endpoint to flag. The entire attack runs through a phone call and the trust that comes with it.

How is a callback scam different from phishing, vishing, and smishing?

Phishing

Vishing

Smishing

Callback Scam

Delivery

Email with link or attachment

Attacker calls you

SMS with link

You call the attacker

Direction of contact

Attacker initiates

Attacker initiates

Attacker initiates

Victim initiates

Main lure

Click a malicious link

Respond to caller

Click a link in text

Call a number

Why it's trusted

Branded email looks legit

Caller ID spoofing

Urgent SMS from known brand

Victim chose to call

Filter evasion

Depends on link/attachment

N/A

Depends on URL

Bypasses email security entirely

Business risk

High

High

Medium

Very high — evades most automated defenses

The critical distinction: in a callback scam, the victim makes the call. That single shift in initiative dramatically increases trust—and dramatically reduces the chance that security tools will catch it. There's no link to block, no attachment to sandbox, no suspicious domain to flag.

See also: What is Vishing?

See also: What is a Scam Likely Call?

What are real-world examples of callback scams?

The Refund Scams SAT episode (sourced from a real Huntress SOC incident): A Huntress SOC analyst documented an attack in which a scammer convinced an employee to install a remote monitoring and management (RMM) tool to "fix" a fake billing issue. With the RMM running, the attacker staged a fake refund transaction in the browser using DevTools, making it appear that an overpayment had occurred. The victim was then pressured to purchase gift cards to "return" the money. The entry point: a callback to a scam phone number.

BazaCall / BazarCall: The Conti ransomware group used callback phishing to deliver BazaLoader across hundreds of targets between 2021 and 2022. Victims received emails claiming their free trial for a software subscription was about to auto-renew at a high price. Calling the number led to instructions that installed malware. BazaLoader then served as the launchpad for ransomware deployment. No link. No attachment. Just a phone call.

The UK storm scam: A Huntress team member received a voicemail during a major UK flooding event from someone posing as an elderly woman with a plumbing emergency, asking for a callback. The timing was deliberately chosen to match the real storm conditions making the scenario plausible. When called back from a different number, the scammer's voice broke almost immediately. The detail that gave it away wasn't the script—it was the background noise of what sounded like a call center floor.

Scam call centers — an industry, not an incident: The scam operations behind callback fraud aren't lone actors. They're organized businesses with org charts, onboarding processes, CRM systems, and performance metrics. Scam baiters like YouTube creator Jim Browning have documented these operations inside out. This isn't amateur hour. Your people are being targeted by professionals with scripted responses for every objection.

Who is at risk from callback scams?

  • Everyone with a phone number is a potential target, but some scenarios carry higher business risk:

  • Employees who receive billing or IT-related emails: the most common lure for TOAD-style attacks

  • Finance and accounting teams are prime targets for fake refund and overpayment schemes

  • IT helpdesk staff are targeted with fake user reports that end in remote access grants

  • Small and mid-size businesses that often lack dedicated security staff who would recognize TOAD attack patterns

  • Organizations using RMM tools. Attackers know these tools exist and use the same software legitimately to hide malicious access

  • Anyone who uses AI tools to look up contact information fake phone numbers seeded into AI search results can route unsuspecting users directly to scam call centers

How can you spot a callback scam?

Red flags in the initial message:

  • Urgency without specifics: "Your account has been flagged" with no account number, no transaction details, no verifiable reference

  • Instruction to call a number rather than visit an official website

  • Emails with only a PDF or plain text and no active links (this is actually a TOAD evasion technique)

  • The "brand" is familiar (Microsoft, Amazon, PayPal), but the email address or phone number doesn't match their official domains

Red flags on the call:

  • The agent asks you to download or install anything legitimate support does not require remote access as a first step

  • You're asked to purchase gift cards for any reason

  • You're told not to tell anyone about the call, including your IT team

  • The "refund" or "transaction" is only visible on your screen after following their instructions

  • You're transferred multiple times with escalating urgency

How can you protect your organization?

For individuals and employees:

  1. Never call a number from an unexpected email or voicemail. If a charge or issue is legitimate, find the contact number directly on the company's official website—not from the message you received.

  2. Treat remote access requests as a hard stop. No legitimate billing or refund process requires you to share your screen or install software.

  3. Don't purchase gift cards as payment for anything. Gift cards are the currency of scams, not businesses.

  4. Call back on a known number. If you're unsure whether a missed call is legitimate, look up the number independently and call the organization directly.

  5. Tell your IT team immediately if you've followed any instructions from an unexpected caller—even if you're embarrassed. The faster a remote access tool is removed, the less damage it can do.

For organizations:

  1. Train employees to recognize TOAD attacks. The no-link, no-attachment structure of callback phishing emails makes them invisible to most filters. Human recognition is the only defense at the point of delivery.

  2. Establish a clear policy on remote access. Employees should know that IT will never ask them to install a tool via a phone call initiated by the employee.

  3. Monitor for unexpected RMM tool installations. Legitimate tools—GoTo, AnyDesk, SimpleHelp—are commonly abused in callback scams. Their presence in unexpected contexts is an indicator worth flagging.

  4. Add callback scam scenarios to your security awareness training. Generic phishing training doesn't cover TOAD. Your people need to know this attack vector specifically.

  5. Verify AI-sourced phone numbers before calling. AI search tools can surface scam numbers from poisoned web content. Confirm any number through an official source first.

How does Huntress help protect against callback scams?

Callback scams that succeed often leave a trail: unexpected RMM tool installations, remote access sessions from unfamiliar IPs, credential changes after a call. Huntress Managed EDR detects the behavior after the callback—the remote access foothold, the persistence mechanism, the lateral movement—even when the initial social engineering flew under the radar.

On the human side, Huntress Managed Security Awareness Training includes a dedicated episode on refund scams—the most common callback scam targeting business employees. It's sourced directly from real incidents our SOC has investigated, covering how scammers use remote tools to fake transactions and why gift cards are always a red flag.

See the Refund Scams SAT episode →

See how Huntress detects the foothold attackers leave behind →

ChatGPT logoChatGPTOpens in new tabClaude logoClaudeOpens in new tabPerplexity logoPerplexityOpens in new tabGoogle Gemini logoGoogle AIOpens in new tab
AI sparkle iconSummarize This Page
ChatGPT logoChatGPTOpens in new tabClaude logoClaudeOpens in new tabPerplexity logoPerplexityOpens in new tabGoogle Gemini logoGoogle AIOpens in new tab
On This Page
Key Takeaways
What is a callback scam?
How does a callback scam work, step by step?
What are the main types of callback scams?
How is a callback scam different from phishing, vishing, and smishing?
What are real-world examples of callback scams?
Who is at risk from callback scams?
How can you spot a callback scam?
How can you protect your organization?
How does Huntress help protect against callback scams?

FAQs about callback scams

A callback scam is an attack where a victim is manipulated into calling a phone number controlled by a scammer. The attacker then impersonates tech support, a financial institution, or a government agency to steal money, install remote access software, or harvest credentials. The defining feature is that the victim makes the call—making it feel voluntary and therefore more trustworthy.

TOAD stands for Telephone Oriented Attack Delivery. It's a specific callback phishing technique where attackers send an email with no malicious links or attachments—just a phone number and a fake billing alert. Because there's nothing for email filters to flag, the message lands in the inbox. When the victim calls, the scammer delivers the actual attack: malware installation, credential theft, or the setup for a ransomware deployment. TOAD is how callback scams became a serious enterprise threat.

Vishing is any voice-based social engineering attack. In most vishing attacks, the attacker calls the victim. In a callback scam, the victim is manipulated into making the call themselves—through a missed call, a fake billing email, or an alarming voicemail. That reversal increases the victim's trust in whoever answers and reduces their suspicion that they're being targeted.

Act immediately. Disconnect any remote access sessions you granted. Contact your IT team or MSP and tell them exactly what happened and what instructions you followed. Change passwords for any accounts you mentioned or accessed during the call. If you provided payment information or purchased gift cards, contact your bank and the gift card issuer right away. The faster you report it, the more can be recovered.

Callback phishing emails typically contain no links and no attachments—just a PDF or plain text with a phone number. Email security tools scan for malicious URLs and file-based payloads. When there's nothing to scan, the email passes through. The entire attack runs through the phone call, which happens outside any automated security control.

A refund scam is a type of callback scam where the attacker convinces the victim that they're owed a refund. The victim is walked through installing a remote access tool so the scammer can "process" the refund. The scammer then stages a fake overpayment that only the victim can see—using browser tools to manipulate numbers on screen—and pressures them to return the difference via gift cards. No refund was ever coming. The goal was the remote access and the gift card payment.

Yes. Huntress Managed Security Awareness Training includes a Refund Scams episode that covers the callback scam playbook in detail—including how attackers use remote access tools to stage fake refunds and why gift cards are a universal scam red flag. The episode was developed from a real incident investigated by the Huntress SOC.

Glitch effectBlurry glitch effect
Glitch effectGlitch effect

Protect What Matters

Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.
Try Huntress for Free
Huntress Managed Security PlatformManaged EDRManaged EDR for macOSManaged EDR for LinuxManaged ITDRManaged SIEMManaged Security Awareness TrainingManaged ISPMManaged ESPMBook a Demo
PhishingComplianceBusiness Email CompromiseEducationFinanceHealthcareManufacturingState & Local Government
Managed Service ProvidersResellersIT & Security Teams24/7 SOCCase Studies
BlogResource CenterCybersecurity 101Upcoming EventsSupport Documentation
Our CompanyLeadershipNews & PressCareersContact Us
Huntress white logo

Protecting 250k+ customers like you with enterprise-grade protection.

Privacy PolicyCookie PolicyTerms of UseCookie Consent
Linkedin iconTwitter X iconYouTube iconInstagram icon
© 2025 Huntress All Rights Reserved.

Join the Hunt

Get insider access to Huntress tradecraft, killer events, and the freshest blog updates.

By submitting this form, you accept our Terms of Service & Privacy Policy