Callback Phishing (TOAD): No Links, All Danger
You get an email from “Norton LifeLock” confirming your annual renewal at $499.99. You did not buy Norton LifeLock. There is no link to click, no attachment to open. Just a phone number to call if “this charge was made in error.”
So you call it. The person who answers sounds professional, patient, and genuinely helpful. They ask you to visit a website and download a “cancellation tool” so they can process your refund. What you are actually downloading is remote access software. Within minutes, the person on the other end controls your machine.
No malicious link was clicked. No attachment was opened. Your email security caught nothing because there was nothing to catch.
This is callback phishing, and it is one of the fastest-growing attack types in corporate environments.
What is callback phishing?
Callback phishing is a phishing technique where the email itself contains no malicious payload. No links, no attachments, no macros. Instead, it includes a phone number and a convincing reason to call it. The attack happens entirely over the phone.
The security industry calls this a TOAD attack: Telephone-Oriented Attack Delivery. The term was coined to describe the hybrid nature of the technique. It starts in your inbox but finishes on the phone, combining the reach of email phishing with the persuasive power of live social engineering.
Proofpoint’s 2023 threat data reported that TOAD attacks peaked at 13 million messages per month. The BazaCall campaigns that popularized the technique in 2021 have since spawned dozens of copycat operations, and the model has been adopted by ransomware affiliates, business email compromise groups, and state-sponsored actors.
Why callback phishing bypasses email security
Traditional email security works by scanning for known threats: malicious URLs, dangerous attachments, suspicious sender domains, and signature-matched malware. Callback phishing contains none of these.
The email is text. Plain, clean text with a phone number.
There is no URL for a web proxy to inspect. No attachment for a sandbox to detonate. No encoded payload for a pattern matcher to flag. The email passes SPF, DKIM, and DMARC checks because the attacker often sends it from a legitimate bulk email service.
This is not a flaw in your security tools. It is a limitation of what automated systems can detect. The malicious intent lives in the phone call, not the email. And your email gateway cannot listen to phone calls.
Some advanced email security platforms have started flagging emails that contain phone numbers but no other links as potentially suspicious. But these detections produce high false-positive rates because plenty of legitimate business emails match that same pattern. Your IT department sends password reset instructions. Your insurance provider sends policy updates. Your bank sends fraud alerts. All with phone numbers, all without links.
The attacker’s message looks identical to these legitimate communications. That is the point.
How a callback phishing attack unfolds
The attack follows a consistent three-stage pattern. Understanding each stage helps you recognize the technique before it reaches the dangerous part.
Stage 1: The bait email
The email impersonates a well-known brand or service. Common pretexts include:
- Subscription renewal. “Your annual subscription to [Norton/McAfee/Geek Squad] has been renewed at $349.99. Call to cancel.”
- Unauthorized charge. “A payment of $499.99 was processed from your account. If you did not authorize this, call immediately.”
- Account suspension. “Your [Microsoft 365/Adobe/Amazon] account will be deactivated in 48 hours. Call to verify your identity.”
- IT department notice. “A security update requires manual verification. Contact the help desk at the number below.”
The dollar amounts are chosen carefully. High enough to cause alarm, but not so high that they seem implausible. $299 to $499 is the sweet spot.
Notice what is missing: there is no link offering an easy digital resolution. The phone number is presented as the only way to fix the problem. This forces the target onto the attacker’s preferred channel, where social engineering works best.
Stage 2: The phone call
When the target calls, the attacker runs a polished script. They have practiced this. Many TOAD operations employ actual call center setups with hold music, automated greetings, and multiple “agents” to create the illusion of a real customer service operation.
The caller is told the charge was indeed a mistake and that they will process a refund. But first, the “agent” needs to verify the account or “process the cancellation” on the target’s computer.
The manipulation techniques used during the call are borrowed directly from vishing playbooks:
- Scripted empathy. “I completely understand your frustration. Let me fix this for you right now.”
- False reassurance. “This is a routine process. Thousands of customers go through this every day.”
- Controlled urgency. “I can cancel this right now, but if we don’t process it today, the charge becomes permanent.”
- Technical jargon. The agent uses terms like “back-end verification” and “secure cancellation protocol” to make the process sound legitimate.
Stage 3: The payload
The caller is directed to download software that gives the attacker remote access to their computer. Common tools include AnyDesk, TeamViewer, and ScreenConnect, all legitimate remote desktop applications that will not be flagged by antivirus.
Once connected, the attacker works fast. Common objectives include:
- Installing persistent malware that survives reboots
- Harvesting credentials from browsers and password managers
- Deploying ransomware across the network
- Stealing documents, financial data, or intellectual property
- Establishing a backdoor for future access
In some variants, the attacker skips the software download entirely. Instead, they walk the target through handing over login credentials, MFA codes, or banking information directly over the phone.
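Because the remote access tools named above are legitimate software, antivirus will not flag them, but an endpoint or SIEM rule can still catch the pattern this stage produces: an RMM binary launched from a user's Downloads or Temp folder with a web browser as its parent. The following is an added example written for this page, not code from any product or from the original article; the sanctioned tool, its install path, and the process-creation events are all constructed assumptions.

```python
from __future__ import annotations
import ntpath

# Constructed detection logic, not a product's rule set. It flags execution of the
# remote access tools named above, unless the tool is the organization's sanctioned
# RMM product running from its managed install path (both assumed values below).
RMM_TOOLS = ("anydesk", "teamviewer", "screenconnect")
APPROVED_INSTALL = {"screenconnect": "c:\\program files (x86)\\screenconnect client\\"}
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")
BROWSERS = ("firefox.exe", "chrome.exe", "msedge.exe")

def classify_event(ev: dict) -> list[str]:
    # Returns the reasons this process-creation event should alert; empty means benign.
    image = ev["image"].lower()
    name = ntpath.basename(image)
    tool = next((t for t in RMM_TOOLS if t in name), None)
    if tool is None:
        return []
    reasons = []
    approved_path = APPROVED_INSTALL.get(tool)
    if approved_path is None:
        reasons.append(f"{tool} is not a sanctioned RMM tool")
    elif not image.startswith(approved_path):
        reasons.append(f"{tool} running outside its managed install path")
    if any(seg in image for seg in USER_WRITABLE):
        reasons.append("launched from a user-writable directory")
    if ntpath.basename(ev["parent"].lower()) in BROWSERS:
        reasons.append("spawned by a web browser, i.e. just downloaded by the user")
    return reasons

def find_rmm_alerts(events: list[dict]) -> list[dict]:
    return [{"host": ev["host"], "image": ev["image"], "reasons": classify_event(ev)}
            for ev in events if classify_event(ev)]

# Constructed process-creation events (Sysmon-style fields reduced to what the check needs).
EVENTS = [
    {"host": "FIN-LAPTOP-07", "user": "jdoe", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"host": "IT-ADMIN-01", "user": "SYSTEM", "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "HR-PC-03", "user": "asmith", "image": r"C:\Users\asmith\AppData\Local\Temp\TeamViewer.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "SALES-PC-12", "user": "bkhan", "image": r"C:\Users\bkhan\Downloads\ScreenConnect.Client.exe",
     "parent": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
]

if __name__ == "__main__":
    for alert in find_rmm_alerts(EVENTS):
        print(alert["host"], alert["image"], "->", "; ".join(alert["reasons"]))
```

The managed ScreenConnect service on IT-ADMIN-01 produces no alert, while the three user-downloaded copies do, which is the distinction a help desk needs when it triages a callback phishing report.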
Who gets targeted
Callback phishing targets everyone, but some roles face higher risk.
Finance and accounting teams receive the bulk of fake invoice and charge confirmation emails. These teams process real invoices daily, so a fraudulent one does not immediately register as unusual. The attacker only needs the pretext to feel routine enough that someone calls instead of deleting.
Administrative assistants and office managers are targeted because they handle vendor communications and are conditioned to resolve billing issues quickly. An email about an “unauthorized charge” on a corporate card is exactly the kind of thing they would follow up on.
IT help desk staff are targeted with reverse-TOAD attacks, where the attacker calls the help desk pretending to be an employee. But they are also targeted as victims through emails impersonating security tool vendors with “license renewal” pretexts.
New employees are especially vulnerable because they have not yet learned which vendors their company uses, which services are legitimate, and which billing patterns are normal. They are also less likely to question an email when they are still building organizational context.
How to identify callback phishing emails
The good news: callback phishing emails share recognizable patterns if you know what to look for.
An invoice or charge you did not expect. This is the most common trigger. If you did not purchase a service, you are not being charged for it. Companies do not randomly bill strangers.
A phone number as the only response option. Legitimate companies always provide multiple ways to manage your account: website, app, email support, chat. An email that offers only a phone number for resolution is suspicious by design.
No account-specific details. Callback phishing emails rarely include your actual name, account number, or transaction history. They use generic language because the same email goes to thousands of people.
Brand impersonation without brand infrastructure. The email may use a company’s logo, but the sender address does not match their actual domain. The phone number is not the one listed on the company’s real website.
Urgency around a deadline. “Call within 24 hours or the charge becomes permanent.” Real companies do not set arbitrary deadlines for disputing charges. Consumer protection laws guarantee dispute windows measured in weeks and months, not hours.
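The five indicators above, and the false-positive problem described earlier for "phone number but no links" detections, can be combined into a scored check rather than a single rule. The block below is an added example written for this page, not code from the original article or from any email security vendor; the regexes, the brand-to-domain allowlist, the scoring threshold and both sample emails are constructed assumptions.

```python
from __future__ import annotations
import re
# Heuristics for the five indicators discussed above. Constructed example logic, not any
# vendor's detector; BRAND_DOMAINS is an assumed allowlist the organization would maintain.
PHONE_RE = re.compile(r"\b(?:\+?1[\s.-]?)?(?:\(\d{3}\)|\d{3})[\s.-]?\d{3}[\s.-]?\d{4}\b")
URL_RE = re.compile(r"https?://|www\.", re.I)
MONEY_RE = re.compile(r"\$\s?(\d{1,5}(?:\.\d{2})?)")
ACCOUNT_ID_RE = re.compile(
    r"(?:account|order|invoice|reference)\s*(?:#|no\.?|number)?\s*:?\s*(?=[A-Z0-9-]*\d)[A-Z0-9-]{6,}", re.I)
URGENCY_PHRASES = ("within 24 hours", "48 hours", "immediately", "becomes permanent", "deactivated")
BRAND_DOMAINS = {"norton": "norton.com", "mcafee": "mcafee.com", "microsoft": "microsoft.com",
                 "adobe": "adobe.com", "amazon": "amazon.com"}

def score_email(sender: str, subject: str, body: str) -> tuple[int, list[str]]:
    # Returns (score, reasons); each reason is one indicator that fired.
    text = f"{subject}\n{body}"
    lowered = text.lower()
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    reasons = []
    if PHONE_RE.search(text) and not URL_RE.search(text):
        reasons.append("phone number is the only response channel")
    if not ACCOUNT_ID_RE.search(text):
        reasons.append("no account-specific identifier")
    for brand, domain in BRAND_DOMAINS.items():
        if brand in lowered and sender_domain != domain and not sender_domain.endswith("." + domain):
            reasons.append(f"mentions {brand} but sender domain is {sender_domain}")
    if any(p in lowered for p in URGENCY_PHRASES):
        reasons.append("artificial deadline or urgency")
    if any(299 <= float(m) < 500 for m in MONEY_RE.findall(text)):
        reasons.append("charge amount in the typical $299-$499 range")
    return len(reasons), reasons

def is_callback_phish(sender: str, subject: str, body: str, threshold: int = 3) -> bool:
    # One indicator alone (e.g. phone-only) fits many legitimate notices, hence the threshold.
    return score_email(sender, subject, body)[0] >= threshold

# Constructed samples: a TOAD-style bait email and a legitimate phone-only notice.
FAKE = ("billing@secure-renewals-mail.com", "Your Norton LifeLock renewal - $499.99",
        "Thank you for renewing your Norton LifeLock annual protection. A charge of $499.99 "
        "has been processed to your card. If this charge was made in error, call "
        "1-888-555-0142 within 24 hours to cancel and receive a refund.")
LEGIT = ("alerts@norton.com", "Your Norton plan renews on March 3",
         "Hello Jane Doe, this notice is for account #NLK-48213-7. Your annual plan renews "
         "on March 3 at $89.99. To ask a question about your plan, call 1-800-555-0199.")

if __name__ == "__main__":
    for sample in (FAKE, LEGIT):
        score, reasons = score_email(*sample)
        print(f"{sample[0]}: score={score} phish={is_callback_phish(*sample)} {reasons}")
```

The legitimate notice trips only the phone-only rule, which is exactly the false positive a single-rule detector would raise; the bait email trips all five.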
What to do when you receive one
Do not call the number in the email. This should be the default response to any unsolicited communication that includes a phone number and asks you to act urgently. If you believe the charge might be real, look up the company’s actual phone number from their official website and call that instead.
Check your actual accounts. Log into the real service’s website directly (not through any link in the email). If there is no charge on your account, the email is fraudulent. Delete it and move on.
Report it to your security team. Forward the email to your company’s phishing reporting address. Even if you recognized it immediately, your security team needs to know these emails are landing in inboxes. They may need to warn others or adjust email filters.
Do not engage at all. Calling to “waste the scammer’s time” or “see what happens” is not harmless. You confirm your phone number works and that you respond to these emails. Some TOAD operations record calls and use voice samples for deepfake generation.
Our callback phishing exercise walks you through identifying these emails in a realistic simulation, including the decision points most people get wrong.
Callback phishing vs standard phishing
The two attacks target different cognitive weaknesses.
| | Standard phishing | Callback phishing |
|---|---|---|
| Delivery | Email with malicious link or attachment | Email with phone number only |
| Malicious content | In the email itself | Delivered over the phone |
| Email filter detection | Moderate to high | Very low |
| Attack channel | Digital only | Hybrid (email + phone) |
| Attacker effort per target | Low | Moderate to high |
| Social engineering depth | Shallow (one click) | Deep (live conversation) |
| Success rate | Lower, relies on impulse clicks | Higher, exploits trust built in conversation |
Standard phishing is a volume game. Send a million emails, get a fraction of a percent to click. Callback phishing trades volume for depth. Fewer targets, but each one receives a more convincing, personalized attack.
The distinction matters for training. Employees who have learned to spot suspicious links may still call a phone number in a fake invoice email. The detection skills are different because the attack vector is different.
Callback phishing and ransomware
TOAD attacks have become a preferred initial access method for ransomware groups. The BazaCall campaigns, operated by the threat actors behind TrickBot and Conti, pioneered the model: send the email, answer the call, guide the target through installing a trojan, then deploy ransomware once inside the network.
The reason ransomware groups favor this technique is simple. Email-delivered malware faces increasingly effective automated defenses. Endpoint detection catches known malware signatures. Sandboxes detonate suspicious attachments. URL filtering blocks known-bad domains.
Callback phishing sidesteps all of it. The target downloads a legitimate remote access tool voluntarily. No signature to match. No sandbox to trigger. The attacker gets hands-on-keyboard access without tripping a single automated alert.
From there, the ransomware playbook is standard. Reconnaissance, credential harvesting, lateral movement, data exfiltration, and encryption. The difference is just how they got in.
Training employees on callback phishing
Most security awareness programs focus heavily on link-based phishing. Employees learn to hover over URLs, check sender addresses, and avoid clicking suspicious attachments. These are valuable skills, but they do not prepare anyone for an attack that contains none of those elements.
Callback phishing training needs to address the specific patterns of this attack type.
Teach the “no link” red flag. An email about a financial transaction that provides only a phone number is suspicious specifically because it avoids the digital channels where security tools operate. Make employees conscious of this absence.
Practice phone-based skepticism. The same critical thinking people apply to emails needs to extend to phone conversations. Just because someone sounds professional and uses your company’s name does not mean they are legitimate. Our vishing awareness exercise covers these phone-based social engineering techniques.
Reinforce the “look it up yourself” habit. If an email mentions a charge, look up the company’s actual phone number independently. If an email claims to be from your IT department, call the help desk using the number you already have. Never use contact information provided in an unsolicited message.
Include callback phishing in your exercise rotation. Employees need to encounter TOAD-style pretexts in training, not just traditional link-based phishing. The callback phishing exercise simulates a realistic fake invoice scenario so employees can practice the detection and response workflow before they face a real one.
Experience a callback phishing attack without the consequences. Try our free callback phishing exercise and practice identifying TOAD emails before the phone rings. You can also explore our full security awareness training catalogue for exercises on vishing, social engineering, and phishing detection.