Callback Phishing And Social Engineering Scams, What They Are And How To Avoid Them
Unfortunately for the recipient of the email, calling the phone number included in the email is exactly what the threat actor behind a callback campaign wants the email recipient to do. The phone number connects callers directly to a scammer who masquerades as a customer support agent. The scammer can then use various social engineering methods to trick callers into installing malware on their systems.
Running this file triggers the final stage of the attack, at which point some form of malware is installed on the victim’s system. The malware may install additional malicious packages, encrypt the victim’s files as part of a ransomware attack, or aid the scammer in completing some form of payment fraud by giving the scammer remote access to the victim’s computer under the guise of providing further support.
The first and foremost step users can take to avoid falling victim to these kinds of phishing attacks is not calling any phone numbers listed in unexpected invoices. Those wishing to dispute some kind of charge with a legitimate company should ignore any links or phone numbers included in an email invoice and instead go directly to the company’s official website to find a support number or chat service. Users could also check their bank accounts and credit cards to see whether they were actually hit by any unexpected charge or not. There’s no need to dispute a faulty charge if it’s fake to begin with.
If, for some reason, users find themselves on the phone with a customer support agent who directs them to download and open or execute some file, users shouldn’t be eager to comply. They should instead ask clarifying questions about the purpose and function of the file. Users may even want to hang up and search the web or ask friends and family members with more technical knowledge for advice. If users decide to download the file, they should upload the file to VirusTotal, which scans files with over 70 different antivirus tools to check for the presence of malware. If VirusTotal doesn’t determine the file to be malicious, users shouldn’t take this result as an indisputable judgment that the file isn’t malicious.
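An added example, not code from the original article, showing how a defender can check a downloaded file against VirusTotal by hash and read the result with the caveat above built in: a report with zero detections is treated as "unknown", not "safe". It assumes the VirusTotal API v3 file-report endpoint (`GET /api/v3/files/{sha256}` with an `x-apikey` header); the engine counts, the API key placeholder and the detection thresholds are constructed assumptions.

```python
import hashlib
import json
import urllib.error
import urllib.request

# Constructed sample of the 'last_analysis_stats' object in a VirusTotal v3
# file report; it is illustrative, not a real scan result.
SAMPLE_STATS_FLAGGED = {"malicious": 41, "suspicious": 2, "undetected": 27, "harmless": 0}
SAMPLE_STATS_CLEAN = {"malicious": 0, "suspicious": 0, "undetected": 70, "harmless": 0}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (VirusTotal reports are keyed by this hash)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Hash a file on disk without reading it all into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch_stats(sha256: str, api_key: str) -> dict:
    """Look up a hash on VirusTotal; returns {} if nobody has submitted the file yet."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            report = json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:  # hash unknown to VirusTotal: no verdict at all
            return {}
        raise
    return report["data"]["attributes"].get("last_analysis_stats", {})


def verdict(stats: dict, min_malicious: int = 3) -> str:
    """Turn engine counts into a cautious verdict; 'unknown' is never 'safe'."""
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    scanned = flagged + stats.get("undetected", 0) + stats.get("harmless", 0)
    if scanned == 0:
        return "not-scanned"      # never submitted or not yet analyzed
    if flagged >= min_malicious:  # threshold is an assumption, tune per policy
        return "malicious"
    if flagged > 0:
        return "suspicious"       # a handful of engines flagged it: do not run it
    return "unknown"              # zero detections: common for new or targeted malware
```

To check a real download, call `verdict(fetch_stats(sha256_of_file(path), "YOUR_API_KEY_PLACEHOLDER"))`; anything other than a clear "malicious" should still be treated as "don't run it on the advice of a phone agent".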
The overall takeaway here is that users should always be hesitant to run a file or install software on their devices at the direction of customer support. Cybercriminals often use urgency as a social engineering tactic, but users should do their best not to buckle under pressure.