A hybrid cyberattack involving email spam and phone calls, known as callback phishing, lures victims into calling a bogus customer hotline listed in a phishing email, where they are tricked into divulging personal information or downloading malware.
The attackers use social engineering tactics to manipulate victims and emphasize urgency, making it difficult to detect the attack until it’s too late, which highlights the increase in such attacks and the various techniques used by scammers to craft and send the initial phishing emails.
The BazarCall scheme has evolved from using text-based spam to employing more sophisticated techniques like text obfuscation. Text-based spam, such as the Binance impersonation email, relies on social engineering to entice victims into calling a malicious phone number.
Text obfuscation, as seen in the student loan phishing email, uses invisible characters to evade email security tools while maintaining human readability, which highlights the ongoing arms race between cybercriminals and security measures.
Spammers utilize various attachment-based tactics to deceive victims by embedding content within image files, such as GIFs, to circumvent text-based filters.
They also employ document formats like PDFs, often associated with professional transactions, to entice victims into opening malicious attachments, which can contain fraudulent information or malicious code, aiming to trick recipients into divulging sensitive data or installing malware.
The phishing campaign leverages a popular scheduling platform to trick victims into revealing personal information. Disguised as a QuickBooks upgrade notification, the email prompts victims to contact fake customer support.
A Calendly link is embedded to schedule a meeting, allowing scammers to collect victim data, where the attackers use legitimate fintech platforms to send emails, making them appear more authentic and less suspicious.
According to Trustwave, cybercriminals are leveraging legitimate cloud-based platforms like PayPal, Xero, and HoneyBook to launch sophisticated phishing attacks.
By exploiting these platforms’ features that allow users to send money requests or invoices to any email address, attackers create fraudulent notifications with convincing content, which often contain fake payment requests or invoices, urging recipients to call a bogus phone number.
By relaying these emails through dummy accounts, attackers bypass email header authentication checks, making the scams appear more authentic, which aims to trick victims into divulging sensitive information or making unauthorized payments.
Callback phishing, a sophisticated cyberattack leveraging social engineering, employs various tactics to deceive victims and often involves unsolicited emails or calls, urging recipients to contact seemingly legitimate entities.
To safeguard against this threat, individuals should maintain skepticism towards unsolicited communications, verify contact details independently, avoid sharing personal information, and monitor financial accounts closely.
Organizations must stay informed about emerging trends and conduct regular security awareness training to mitigate the risks associated with callback phishing and other forms of TOAD.