Callback Phishing (BazarCall): The Phone-First Attack Method

Security Education: This article describes cyber threats for defensive awareness and education purposes only. Understanding how attacks work helps organizations and individuals protect themselves. Never use this information for unauthorized access or malicious purposes.

Callback phishing flips the traditional attack model on its head. Instead of embedding malicious links in emails, attackers send benign-looking messages that contain only a phone number and a reason to call it. When the victim dials the number, they reach an attacker-operated call center where a live operator guides them through actions that compromise their system. Because the email itself contains no links or attachments, it sails through security filters undetected.

How Callback Phishing Campaigns Operate

The attack begins with an email that appears to be a subscription confirmation, invoice, or renewal notice for a service the victim may or may not recognize. The message states that a charge has been or will be applied to the recipient’s account and provides a phone number to call if they wish to cancel or dispute the charge.

The amounts are chosen carefully, large enough to motivate action but small enough to be plausible. A notification about an upcoming charge for a premium software subscription or an automatic renewal for a security product creates sufficient urgency for the recipient to call without verifying the legitimacy of the notice through other means.

When the victim calls, they reach a professional-sounding operator who confirms the supposed charge and offers to help cancel it. The operator then guides the victim through a process that involves visiting a website and downloading a “cancellation form” or “remote support tool.” This downloaded file is actually malware that provides the attacker with remote access to the victim’s computer.

Why This Approach Evades Detection

Email security systems analyze messages for malicious URLs, suspicious attachments, known threat indicators, and content patterns associated with phishing. Callback phishing emails contain none of these elements. The message is plain text with a phone number, making it indistinguishable from a legitimate business communication in the eyes of automated filters.

The separation of the email from the malicious action creates an attribution gap. Even if the victim later realizes they were compromised, connecting the breach to the initial email is more difficult when the actual exploitation occurred during a separate phone interaction.

The use of human operators adds adaptability that automated attacks lack. Live callers can adjust their approach based on the victim’s responses, overcome objections, and guide technically unsophisticated victims through complex procedures. This social engineering flexibility makes callback phishing effective against a broader range of targets.

The Escalation After Initial Access

Once the victim installs the remote access tool, the attacker has direct control of their computer. From this position, the attacker typically deploys additional malware, exfiltrates sensitive files, harvests stored credentials, and establishes persistent access mechanisms that survive system restarts.

In corporate environments, the compromised machine serves as a beachhead for lateral movement through the network. The attacker can access shared drives, internal applications, and other systems reachable from the victim’s workstation. Ransomware deployment is a common end-stage objective of callback phishing campaigns.

Protecting Against Callback Phishing

Treat unexpected subscription confirmations and renewal notices with skepticism, especially when they include a phone number as the only contact method. If you receive a notice about a charge you do not recognize, do not call the number provided. Instead, log in directly to the service in question using your normal access method and check your account status there.

Never download software or grant remote access based on instructions from an unsolicited phone call. Legitimate companies do not require customers to install remote access tools to process cancellations.

Educate employees about callback phishing specifically, as traditional phishing awareness training focused on link and attachment identification does not address this attack vector.

For more on phone-based phishing, see our guide on Vishing: How Voice Phishing Scams Work and How to Stop Them. You can also learn about related defensive strategies in our article on What Is Phishing? A Complete Guide to Recognizing and Avoiding Attacks.

Organizational Defense Measures

Organizations should include callback phishing scenarios in their security awareness programs and phishing simulations. Establishing a policy that prohibits installing remote access software in response to unsolicited communications prevents the exploitation stage of these attacks. Endpoint detection and response tools that alert on the installation of known remote access frameworks provide a technical safety net for cases where an employee follows the attacker’s instructions before recognizing the threat.