Phishing via phone calls vishing

The “Call Me” Pivot: Training Employees to Spot Callback Phishing

As security awareness professionals, we’ve spent years drilling the “don’t click” rule into our workforces. However, threat actors are pivoting. As traditional link-based phishing becomes less effective due to better filters and higher user skepticism, scammers are returning to a more “human” element: Callback Phishing (or Vishing).

By removing malicious links and attachments entirely, these emails often sail past automated security gates. Instead, they use high-pressure narratives—like a $1,000 Amazon charge or a legal summons—to trick the employee into picking up the phone and calling the attacker directly.

Guidance to Encourage in Your Training Programs

To protect your organization from this “analog” shift, your next awareness update should prioritize these specific behavioral defenses:

  • The “No-Call” Rule for Emails: Instruct employees that any email providing a specific “support” or “billing” number for an unsolicited issue is a major red flag. Advice: Never call the number listed in the email.

  • Master the Independent Search: Teach your team that the only safe way to verify a claim is to find the company’s official contact information independently. They should go directly to the verified website (e.g., Amazon or UPS) or use a known, trusted phone number from a physical bill or the back of a credit card.

  • Identify the “Panic Lure”: Scammers rely on triggering a “fight or flight” response. Training should highlight common themes that use extreme urgency, such as unauthorized large purchases, subscription renewals (Norton, Disney+), or “failed” package deliveries.

  • The “Zero Disclosure” Policy: Remind staff that no legitimate representative from a bank or government agency will ever ask for a PIN, password, or full MFA code over the phone. If a “representative” asks for these, it is an immediate signal to hang up.

  • Report the “Linkless” Phish: Ensure your reporting process encourages employees to flag these text-only emails. Even without a malicious link, your security team can use the provided phone numbers to block related infrastructure and warn the rest of the organization.
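The last bullet points at what the security team can do with a reported "linkless" phish: pull out the phone number, check it against numbers already reported, and flag messages that carry the callback pattern even though no link is present. The following is an added example, not code from the original post, of a small triage heuristic that does exactly that. The sample messages, the reported-number blocklist, the urgency terms and the scoring thresholds are all constructed for illustration; a real mail gateway rule would tune them against the organization's own reports.

```python
import re

# Constructed sample messages for demonstration (not taken from the original post).
# 555-01xx numbers are reserved fictional numbers.
SAMPLE_MESSAGES = {
    "callback_lure": (
        "Thank you for your order! Your Amazon account was charged $1,000.00 for a "
        "MacBook Pro. If you did not authorize this purchase, call our billing "
        "support desk immediately at (800) 555-0143 to cancel within 24 hours."
    ),
    "legit_newsletter": (
        "Our monthly product update is live. Read more at https://example.com/blog "
        "and reply to this message with any questions."
    ),
    "repeat_offender": (
        "Your Norton subscription has been auto-renewed for $349.99. To dispute the "
        "charge contact us at 1-888-555-0199 today."
    ),
}

# Constructed blocklist: numbers employees have already reported (digits only,
# leading country code stripped). In practice this is fed by the reporting process.
REPORTED_NUMBERS = {"8885550199"}

# North American style numbers with optional +1 / 1 prefix and common separators.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
LINK_RE = re.compile(r"https?://|www\.", re.IGNORECASE)

# Constructed "panic lure" vocabulary; the post lists the themes, the terms are ours.
URGENCY_TERMS = (
    "immediately", "within 24 hours", "today", "unauthorized",
    "did not authorize", "dispute", "cancel",
)
# Brands the post names as common lures, plus a couple of assumed extras.
LURE_BRANDS = ("amazon", "ups", "norton", "disney+", "paypal")


def normalize_number(raw: str) -> str:
    """Reduce a phone number to its digits and drop a leading US/CA country code."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def analyze(body: str) -> dict:
    """Score one message body for the callback-phishing pattern.

    Verdicts: "block" when a phone number is already on the reported list,
    "review" when the heuristic score reaches the (assumed) threshold of 4,
    otherwise "allow".
    """
    text = body.lower()
    phones = sorted({normalize_number(m.group()) for m in PHONE_RE.finditer(body)})
    has_link = bool(LINK_RE.search(body))
    urgency = [t for t in URGENCY_TERMS if t in text]
    brands = [b for b in LURE_BRANDS if b in text]
    known_bad = [p for p in phones if p in REPORTED_NUMBERS]

    score = 0
    if phones:
        score += 2                 # a number to call is the core of the lure
        if not has_link:
            score += 1             # linkless + phone is the "call me" pivot
    score += min(len(urgency), 2)  # cap so one wordy mail doesn't dominate
    score += 1 if brands else 0

    if known_bad:
        verdict = "block"
    elif score >= 4:
        verdict = "review"
    else:
        verdict = "allow"

    return {
        "phones": phones,
        "has_link": has_link,
        "urgency_hits": urgency,
        "brands": brands,
        "known_bad": known_bad,
        "score": score,
        "verdict": verdict,
    }


def triage(messages: dict) -> dict:
    """Map each message name to its verdict."""
    return {name: analyze(body)["verdict"] for name, body in messages.items()}


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        result = analyze(body)
        print(f"{name:18} verdict={result['verdict']:7} score={result['score']} "
              f"phones={result['phones']} link={result['has_link']}")
```

The useful output for the security team is the normalized number list: once a reported message lands in "review" and an analyst confirms it, its number goes into the reported set and every later message carrying the same number is blocked outright, which is the "block related infrastructure" step the post describes.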

By evolving your training to cover “callback” tactics, you help your employees recognize that just because there isn’t a link doesn’t mean there isn’t a trap.



Read the full breakdown on callback phishing here:

Phishing via Phone Calls
