Callback Phishing and CEO Fraud Explained
Callback Phishing and CEO Fraud: The Scam That Asks You to Call Them Back
Most phishing scams push you to click a link. This one asks you to pick up the phone.
Callback phishing is a rapidly growing attack where scammers send an email or text that doesn't contain a malicious link at all. Instead, it includes a phone number and an urgent reason to call — an unauthorized charge on your account, a subscription you need to cancel, a problem with your tax filing. When you dial the number, you reach a scammer posing as customer support, a bank representative, or even the IRS. From there, they walk you through "verifying" your identity by handing over your credentials, installing remote access software on your computer, or authorizing a wire transfer.
LevelBlue SpiderLabs tracked a 140 percent increase in callback phishing campaigns in 2025. And it's not just random consumers being targeted. Business Email Compromise — the corporate cousin of callback phishing — caused $2.77 billion in reported losses in 2024, according to the FBI's Internet Crime Complaint Center. The Verizon 2025 DBIR put BEC-related losses even higher, at $6.3 billion. CEO fraud now targets at least 400 companies per day.
The reason callback phishing is growing so fast is that it's nearly invisible to traditional security tools. There's no malicious link to scan, no attachment to flag, no suspicious domain to block. It's just an email with a phone number. And when you call it, everything that follows happens in a voice conversation that leaves no digital trail.
How It Works
Callback phishing comes in two main forms, and they target different people for different reasons.
Consumer callback phishing usually starts with an email or text that looks like a receipt or subscription confirmation for something you didn't buy. A common version claims you've been charged $399 for an antivirus subscription, a tech support plan, or a streaming service upgrade. The message includes a phone number to call "if you didn't authorize this charge." When you call, the scammer pretends to be customer support and asks you to install remote access software so they can "process the refund." Once they have remote access to your computer, they can steal passwords, access bank accounts, install malware, or stage a fake refund that actually transfers your money to them.
CEO fraud and business email compromise target employees at companies, particularly people in finance, HR, and accounts payable. The scammer impersonates a CEO, CFO, or trusted vendor via email and requests an urgent wire transfer, a payroll change, or sensitive employee data like W-2 forms. SpiderLabs found that 40 percent of BEC emails in Q2 2025 were AI-generated, making them grammatically flawless and stylistically consistent with the person being impersonated. Some campaigns now use deepfake voice calls to follow up on the email, adding a layer of credibility that makes the request feel routine rather than suspicious.
The newest evolution is dual-channel attacks — a BEC email followed by a text or phone call on a different platform to confirm the request. By moving across channels, the scammer exploits the fact that most security tools only monitor one channel at a time. An email filter can't see a follow-up phone call, and a phone call can't be verified against a prior email.
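The lure described above has a recognisable shape even without a link: a phone number, a dollar figure, urgency wording, and an instruction to call. Below is an added example (not code from ScamSecurityCheck) of a defensive heuristic that scores an email body on those traits so a mail-filtering or triage pipeline can flag callback lures that a URL-only filter would pass; the scoring weights, the term lists and the two sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Traits of a callback lure: a phone number to dial, a charge amount, urgency
# wording, a request to call, and no URL for a link filter to act on.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URL_RE = re.compile(r"https?://|\bwww\.", re.IGNORECASE)
AMOUNT_RE = re.compile(r"\$\s?\d{1,3}(?:,\d{3})*(?:\.\d{2})?")
URGENCY_TERMS = (  # constructed list; tune against real mail flow
    "didn't authorize", "did not authorize", "unauthorized", "cancel",
    "within 24 hours", "immediately", "refund", "has been charged",
    "will be charged", "auto-renew",
)
CALL_TERMS = ("call", "contact our support", "dial", "reach us at")

@dataclass
class LureVerdict:
    score: int
    reasons: list = field(default_factory=list)
    phone_numbers: list = field(default_factory=list)

def score_callback_lure(body: str) -> LureVerdict:
    """Score one email body; higher means more callback-lure traits present."""
    text = body.lower()
    verdict = LureVerdict(score=0)
    verdict.phone_numbers = [m.group(0) for m in PHONE_RE.finditer(body)]
    if verdict.phone_numbers:
        verdict.score += 2
        verdict.reasons.append("phone number present")
    if not URL_RE.search(body):
        verdict.score += 1
        verdict.reasons.append("no links: nothing for a URL filter to act on")
    if AMOUNT_RE.search(body):
        verdict.score += 1
        verdict.reasons.append("dollar amount present")
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        verdict.score += min(len(hits), 2)  # cap so wording alone cannot dominate
        verdict.reasons.append(f"urgency wording: {hits}")
    if verdict.phone_numbers and any(t in text for t in CALL_TERMS):
        verdict.score += 1
        verdict.reasons.append("message asks the recipient to call the number")
    return verdict

def is_suspected_callback_lure(body: str, threshold: int = 5) -> bool:
    return score_callback_lure(body).score >= threshold

# Constructed samples: a typical fake-subscription lure and a benign shipping notice.
LURE = ("Thank you for your purchase! Your antivirus subscription has been charged $399.00.\n"
        "If you didn't authorize this charge, call our billing desk immediately at "
        "(888) 555-0142 to cancel.")
LEGIT = "Your order #12345 has shipped. Track it at https://example.com/track/12345."
```

Keyword heuristics like this produce false positives on legitimate billing mail, so the score is best used to route messages for review or to add a banner, not to block outright.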
Why It's So Effective
Callback phishing exploits authority bias and urgency in a way that link-based phishing can't match. When you're reading an email, you have time to hover over links, check sender addresses, and think critically. When you're on the phone with someone who sounds professional and claims to be from your bank, the dynamic shifts. The conversation creates social pressure to comply in real time.
CISA reports that 84 percent of employees who receive phishing emails act on them within ten minutes. On a phone call, that window compresses even further — victims often share credentials or authorize payments within the first few minutes of the conversation.
The financial stakes are enormous. BEC accounted for 27 percent of all cybersecurity incident response engagements in 2025, second only to ransomware. Rising average wire amounts — with a 97 percent quarter-over-quarter increase reported in one dataset — mean that fewer successful attacks generate larger payoffs. A single spoofed email pretending to come from a CEO or supplier can redirect hundreds of thousands in wire transfers.
And the barrier to entry is collapsing. AI-based phishing tools now cost as little as $75, and 82.6 percent of phishing emails detected in the first half of 2025 utilized AI-generated content. Scammers no longer need sophisticated technical skills — they need a convincing script and a phone number.
How to Protect Yourself
Never call a number from an unsolicited email or text. If you receive a message about an unauthorized charge or account problem, don't use the phone number provided. Instead, find the company's real customer service number on their official website or on the back of your credit card. Call that number directly.
Verify requests through a separate channel. If your "CEO" emails asking for an urgent wire transfer, don't reply to the email. Call them directly on a number you already have. If a "vendor" asks to change their payment details, call your existing contact at the vendor to confirm. Verification kills callback phishing.
Be suspicious of urgency. Legitimate businesses don't threaten you with immediate consequences over the phone. If someone says your account will be closed, a warrant will be issued, or a charge can't be reversed unless you act right now, that pressure is the scam.
Never install remote access software at someone else's request. No legitimate company will ask you to download AnyDesk, TeamViewer, or similar tools during a customer service call. If someone asks you to do this, hang up immediately.
Paste suspicious emails and links into ScamSecurityCheck.com. Even if the email itself doesn't contain a link, it may reference a fake company or website. Run any unfamiliar names, URLs, or phone numbers through ScamSecurityCheck.com before engaging.
For businesses: implement dual-approval for financial transactions. No single email should be sufficient to authorize a wire transfer or payroll change. Require a second verification — by phone, in person, or through a pre-established code phrase — for any transaction above a set threshold.
Know the seasonal spikes. Callback phishing and BEC campaigns surge during tax season, when scammers impersonate the IRS, tax preparers, and payroll departments. Our breakdown of the IRS Dirty Dozen tax scams for 2026 covers the specific phone and email tactics being used right now.
The Bottom Line
Callback phishing works because it takes the scam off the screen and into a real-time conversation where social pressure replaces critical thinking. The emails are clean — no malicious links, no suspicious attachments, nothing for your spam filter to catch. The phone call feels legitimate because you initiated it. And by the time you realize something is wrong, the money or data is already gone.
The defense is simple but requires discipline: never trust a phone number from an unsolicited message, always verify requests through a second channel, and treat urgency as a warning sign rather than a reason to act faster.
Got a suspicious email asking you to call a number? Check it at ScamSecurityCheck.com before you dial.
Courtney Delaney
Founder, ScamSecurityCheck
Courtney Delaney is the founder of ScamSecurityCheck, dedicated to helping people identify and avoid online scams through AI-powered tools and education.
