3 Things to Know About Callback Phishing

POSTED ON October 7, 2022

Cybercriminals are getting increasingly creative about how they’re targeting small and medium businesses (SMBs). One of the latest innovations seeing massive growth is callback phishing, which rose 625 percent in frequency since Q1 2021.

Phishing overall is one of the most common attack vectors used to compromise an organization, with 83 percent of organizations reporting phishing attacks in 2021 and 90 percent of data breaches occurring as a result of phishing. Attackers typically execute phishing by sending an email with a malicious link or attachment, which, when clicked, can compromise the individual or organization. Callback phishing is a new form of “hybrid vishing” (voice phishing through some form of a phone call) that combines traditional email phishing with voice social engineering calls as a way to breach corporate networks.

In a common callback phishing attack, an end user receives an email, perhaps containing an invoice or describing another issue that must be resolved. The email then instructs them to call a phone number to resolve the problem, which connects them to the attackers (though they don’t know that). The bad actors on the other end of the phone then ask for sensitive information or install a remote access tool, giving them access to the user’s machine or potentially the entire corporate network.

According to a recent report, these new hybrid attacks reached record levels in Q2, up 625 percent from the prior quarter. Additionally, they accounted for 24.6 percent of the total attacks in the response-based threats category. These are significant numbers that an SMB should not ignore as they look to protect their organization from the latest threats.

For an SMB, this rise is particularly significant because it represents another tactic it needs to prepare against to better protect its organization. What’s more, it helps attackers get around any training the SMB may have given its employees to avoid falling victim to a phishing attack, such as not clicking on links or calling to verify the identity or validity of the note. Because callback phishing sidesteps this training, users are potentially still at risk.

What can an SMB do to combat these threats? One of the most significant steps it can take is education. SMB IT or security leaders should take the time to ensure their employees are informed and aware of this latest risk and know how to spot the signs of potential bad actor activity. Additionally, SMBs should implement email monitoring and other technology tools that can flag emails that might contain signs of phishing or prevent downloading malicious material.
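One way the email flagging mentioned above could look for the pattern this article describes, a billing lure paired with an instruction to phone a number. This is an added Python example, not a vendor's tool; the patterns, function names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

# Heuristic patterns (assumptions for this example; tune them for real mail flow).
LURE = re.compile(r"\b(invoice|payment|charge[ds]?|subscription|renew\w*|refund|order)\b", re.I)
PHONE = re.compile(r"(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALL_VERB = re.compile(r"\b(call|dial|phone|contact)\b", re.I)
URL = re.compile(r"https?://", re.I)

def callback_signals(raw_email):
    """Return the callback-phishing signals found in one RFC 5322 message."""
    msg = message_from_string(raw_email, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    text = f"{msg['Subject'] or ''}\n{body}"
    # A phone number only counts when a call instruction closely precedes it.
    call_to_number = any(
        CALL_VERB.search(text[max(0, m.start() - 80):m.start()])
        for m in PHONE.finditer(text)
    )
    return {
        "billing_lure": bool(LURE.search(text)),
        "call_to_number": call_to_number,
        "no_links": not URL.search(text),  # reported for triage, not required
    }

def is_callback_suspect(raw_email):
    """Flag mail that pairs a billing lure with an instruction to phone a number."""
    s = callback_signals(raw_email)
    return s["billing_lure"] and s["call_to_number"]

# Constructed sample messages, not real mail.
LURE_MAIL = """\
From: Billing <billing@example.com>
Subject: Invoice 48213 - payment processed

Your subscription was renewed for $399.99. If you did not authorize
this charge, call our support desk at +1 (555) 010-0199 within 24 hours.
"""

BENIGN_MAIL = """\
From: Alice <alice@example.org>
Subject: Lunch on Friday

Running late, call me on 555-010-0142 if plans change.
"""

if __name__ == "__main__":
    print(is_callback_suspect(LURE_MAIL), is_callback_suspect(BENIGN_MAIL))
```

A flagged message is a candidate for quarantine or a warning banner rather than proof of phishing, since legitimate billing mail can also carry a support number.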

Cybersecurity threats continue to evolve and cause significant impacts to organizations around the world, especially SMBs. It is important that SMBs stay current on the latest threat trends, such as callback phishing, and take the time to put additional protections or awareness training in place to protect their organization. In doing so, they can help limit their organizations’ risk and ensure they can continue delivering their unique value to customers.

About the Author: Agilitec