Callback Phishing
A phishing technique where a fraudulent message instructs the recipient to call a phone number, directing them to scammers rather than a legitimate organisation.
Also known as: call-back scam, reverse vishing, phone phishing
Last reviewed: 1 June 2026
Callback phishing combines email or SMS delivery with a phone-based attack. The initial message — which contains no malicious link or file, making it hard for email filters to detect — typically invents an alarming financial scenario: an unexpected charge, a compromised account, or an order the victim did not place. The victim is instructed to call a provided number to 'resolve' the issue.
On the call, a trained fraudster uses social engineering to extract personal or financial information, persuade the victim to make payments, or guide them into installing remote-access software. Because the victim places the call, they feel in control — a psychological dynamic that makes them more compliant than if they were cold-called.
Callback phishing is closely related to TOAD (Telephone-Oriented Attack Delivery) attacks. It is heavily used in tech-support scams, fake subscription-renewal fraud, and bank-impersonation fraud. Businesses defend against it through employee awareness training that emphasises looking up phone numbers independently rather than calling numbers given in unsolicited communications.
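The pattern described above (alarming financial pretext, a phone number as the only call to action, no link or attachment for a filter to inspect) can be scored by mail-gateway or security-awareness tooling, with the "look the number up independently" advice encoded as a verified-number allow-list. The following is an added example, not code from this glossary or any product; the sample messages are constructed, and the `KNOWN_GOOD` numbers are placeholders for values an organisation would verify out-of-band.

```python
import re

# Constructed sample messages (not from the page): a callback-phishing lure, a
# benign order confirmation, and a genuine renewal notice that cites a verified number.
SAMPLES = {
    "lure": ("Your Amazon Prime subscription has auto-renewed for £299. "
             "To cancel this charge call 0800 123 4567 within 24 hours."),
    "order": "Thanks for your order #4512. Track it at https://example.com/track",
    "renewal": ("Your subscription renewed. Questions? Call +44 800 999 9999 "
                "or visit https://example.com/account"),
}

# Hypothetical allow-list of numbers verified out-of-band per brand (placeholder values).
# This is the 'look the number up independently' advice expressed as data.
KNOWN_GOOD = {"amazon": {"+448009999999"}}

URL_RE = re.compile(r"https?://\S+", re.I)
PHONE_RE = re.compile(r"(?:\+44|0)\s?\d{3,4}[\s-]?\d{3}[\s-]?\d{3,4}")  # UK-style numbers only
ALARM_WORDS = ("renewed", "charged", "suspended", "unauthori", "cancel", "refund", "locked")
URGENCY_WORDS = ("within 24 hours", "immediately", "today")


def normalise_phone(raw):
    """Reduce a matched UK number to +44 E.164 form so allow-list comparison is exact."""
    digits = re.sub(r"\D", "", raw)
    return "+44" + digits[1:] if digits.startswith("0") else "+" + digits


def assess(text, brand=None):
    """Score a message for the callback-phishing pattern: alarming financial pretext,
    a phone number as the only call to action, and a number not on the verified list."""
    low = text.lower()
    phones = {normalise_phone(m) for m in PHONE_RE.findall(text)}
    has_link = bool(URL_RE.search(text))
    unknown = phones - KNOWN_GOOD.get(brand, set())
    score = 0
    if phones and not has_link:
        score += 2  # nothing for a URL/attachment scanner to inspect; the number is the payload
    if any(w in low for w in ALARM_WORDS):
        score += 1  # financial alarm: unexpected charge, renewal, locked account
    if any(w in low for w in URGENCY_WORDS):
        score += 1  # time pressure discourages the victim from checking independently
    if unknown:
        score += 2  # number does not match one verified independently of the message
    verdict = "likely callback phishing" if score >= 4 else "review" if score >= 2 else "benign"
    return {"phones": sorted(phones), "unknown": sorted(unknown), "score": score, "verdict": verdict}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, assess(msg, brand="amazon"))
```

The renewal notice scores low despite the word "renewed" because it offers a link as well as a number and the number is on the verified list; the lure scores high on every feature at once.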
Examples
- An email saying 'Your Amazon Prime subscription has auto-renewed for £299 — call us to cancel' leads victims to scammers who install remote-access tools.