
Callback Phishing: The Invoice That Asks You to Phone a Number
Most phishing training teaches people to distrust links and attachments. Callback phishing, known in the industry as telephone-oriented attack delivery (TOAD), succeeds precisely because it contains neither. The email is clean; the trap is a phone number. By moving the attack off email and onto a call, it slips past the filters that would normally catch it.
The short version: you receive a plausible email, a renewal notice or an invoice for something you did not buy, with no link and no attachment, just a number to call if you want to dispute the charge. On the line, a friendly “agent” walks you into installing remote-access software or handing over card and login details. Because the email carries nothing malicious, it reaches the inbox untouched.
How TOAD sidesteps your filters
Email security is built to inspect links and attachments. A callback-phishing message deliberately includes neither, so there is nothing for a scanner to flag. The only “payload” is a phone number written in plain text. The danger begins only when the recipient picks up the phone, at which point the attack leaves the world of email logs entirely and becomes a live human conversation.

Why it is so convincing
A phone call feels personal and legitimate in a way an email no longer does. The lures lean on brands people recognise, such as a fake antivirus or software renewal, a well-known retailer, or a subscription “about to auto-renew” for a few hundred pounds. Alarmed at being charged for something they never bought, victims call to cancel, and a patient, professional-sounding “support agent” does the rest: guiding them to install a remote-access tool, read out a code, or confirm card details to “process the refund”.
The warning signs worth sharing
- An unexpected invoice or renewal for a product or subscription you do not recognise.
- No link, just a number and a nudge to call quickly to dispute the charge.
- A caller who asks you to install software or grant remote access to “sort out” the refund.
- Pressure and reassurance in equal measure: a calm voice steering you, step by step, past your own doubts.
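The warning signs above (no link, no attachment, a phone number, a billing lure and a nudge to call) can be combined into a mail-flow heuristic that flags messages a link-and-attachment scanner would pass. The Python below is an added example, not Phishing Tackle's own code: the two messages, the regular expressions and the scoring rule are constructed for illustration and will need tuning against real traffic.

```python
import re
from email import message_from_string

# Constructed sample messages for this example (not real lures).
CALLBACK_LURE = """\
From: billing@example.invalid
Subject: Your Premium Antivirus subscription has renewed - Invoice #48213
Content-Type: text/plain

Your annual Premium Antivirus plan has auto-renewed for GBP 299.99.
If you did not authorise this charge, call our billing desk on
0800 123 4567 within 24 hours to cancel and receive a full refund.
"""

ORDINARY_MAIL = """\
From: alex@example.invalid
Subject: Catching up next week
Content-Type: text/plain

Call me on 020 7946 0000 if Tuesday works, or see https://example.invalid/cal
"""

URL_RE = re.compile(r"https?://|www\.", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")  # loose: 10+ digits/separators
BILLING_RE = re.compile(r"\b(invoice|renew(?:al|ed)?|subscription|charged?)\b", re.I)
# A verb asking the reader to phone, followed within ~80 chars by a billing action.
NUDGE_RE = re.compile(r"\b(call|phone|dial|ring)\b[^.]{0,80}\b(cancel|dispute|refund|within)\b", re.I)

def score_callback_lure(raw: str) -> dict:
    """Return the callback-phishing signals found in one RFC 822 message."""
    msg = message_from_string(raw)
    has_attachment, parts = False, [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            has_attachment = True
        elif part.get_content_type() == "text/plain":
            parts.append(part.get_payload(decode=True).decode(errors="replace"))
    text = "\n".join(parts)
    signals = {
        "no_link": URL_RE.search(text) is None,
        "no_attachment": not has_attachment,
        "phone_number": PHONE_RE.search(text) is not None,
        "billing_lure": BILLING_RE.search(text) is not None,
        "call_nudge": NUDGE_RE.search(text) is not None,
    }
    # A phone number alone is normal business mail; only the whole pattern is suspicious.
    signals["toad_candidate"] = all(signals.values())
    return signals

if __name__ == "__main__":
    for name, raw in (("lure", CALLBACK_LURE), ("ordinary", ORDINARY_MAIL)):
        print(name, score_callback_lure(raw))
```

The ordinary message contains a phone number too, which is why the rule requires every signal together rather than quarantining on a number alone.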
How to defend against callback phishing
Name the tactic in training
Staff who know that “call this number to cancel” is itself a red flag are far less likely to dial. Because these emails pass filters, human awareness is the primary control.
Verify through official channels
If a charge looks real, check it through the vendor’s official website or a saved contact number, never the number printed in the suspicious email.
Lock down remote-access tools
Restrict which remote-support applications can run on company devices, so a talked-into installation is blocked before it starts.
Make reporting effortless
Give people a simple way to report a suspicious email, and run realistic simulations that include callback scenarios so the tactic feels familiar when it appears for real.
The bottom line
Callback phishing thrives in the blind spot between email security and the telephone. With no link or attachment to catch, it is your people, not your filters, who form the front line, so the fix is to teach the tell: an unexpected “call this number” invoice is a prompt to stop, not to dial. Verify the charge independently, and the scam falls apart.
Phishing Tackle offers the tools businesses need to strengthen their human risk strategies, with multi-platform testing, real-time behavioural insights, and actionable data to keep your organisation ahead of modern cyber threats.
Contact us today to learn how Phishing Tackle can help safeguard your organisation from the growing array of cyber risks.
