Phishing Evolves to Phone Call Scams

The “Call Me” Phishing Pivot: Why Your Users are Dialing into Danger

As security awareness professionals, we’ve spent years training employees to “think before they click.” But what happens when there is no link to click? A growing trend in phishing involves emails that bypass traditional security filters by omitting malicious attachments and URLs entirely. Instead, they provide a phone number and a compelling reason to call.

This tactic—often called “phone call phishing”—is distinct from traditional vishing because it puts the user in the driver’s seat. By tricking the victim into initiating the call, scammers leverage a false sense of control and trust that a human voice provides, making the subsequent social engineering attempt far more effective.

Guidance to Encourage in Your Cybersecurity Awareness and Training Programs

To help your workforce defend against this “analog” pivot in a digital world, prioritize these actionable teaching points:

• Identify the “Filter Bypass”: Teach your team why this is happening. Explain that because there are no links or files, automated email security tools often miss these messages. This underscores the importance of the “human firewall”—if the email feels off, the presence of a phone number doesn’t make it safe.

• The “Out-of-Band” Verification Rule: This is the golden rule for phone-based threats. Instruct employees that if they receive an urgent notification about a purchase, a subscription renewal, or a security alert, they must never call the number in the email. Instead, they should find the company’s official contact information via a trusted bookmark or the official website.

• Recognize the “Urgency Hook”: Scammers use high-pressure scenarios—like a $1,500 unauthorized laptop purchase or a “virus infection”—to trigger panic. Train your users to recognize that legitimate companies don’t use “final notices” or “immediate lockout” threats as their first point of contact via a random email.

• Beware the “Helpful” Voice: Warn your team that hearing a friendly, professional voice on the other end is part of the script. Scammers are trained to build rapport and use psychological manipulation to extract MFA codes, credit card numbers, or remote access to a workstation.

• Report the “No-Link” Phish: Ensure your reporting process includes a way for employees to flag these text-only or phone-based emails. Analyzing the phone numbers used can help your security team block related infrastructure and warn the rest of the organization.

By evolving your training to cover these “interaction-required” scams, you ensure your employees remain vigilant even when the attack moves away from the browser and onto the phone.

Read the full breakdown on the evolution of phone call phishing here: Phishing Evolves to Phone Call Scams