Callback Phishing: BazarCall & Invoice Phone Scams

Callback phishing (also referred to as telephone-directed ransomware delivery or BazarCall) is a hybrid social-engineering tactic that chains email and phone support interactions. Unlike traditional campaigns, these emails contain no malicious attachments, macro-enabled documents, or direct links. Instead, they present a high-value fake invoice (such as a renewal for cybersecurity software or tech support) and prompt the victim to call a listed “support number” to cancel the charge, redirecting the attack vector to fraudulent call centers where operators walk the victim through installing remote access tools.

Email gateway technology has made massive leaps in detecting traditional threats. Automated sandboxes detonate attachments, check link redirect paths, and parse domain reputations. Scammers, realizing their software payloads are flagged before hitting the inbox, have adapted by taking the malicious code out of the email.

This hybrid attack vector is known as callback phishing. By replacing links with a phone number, scammers exploit a blind spot in email filters. An email containing only plain text and a phone number looks completely harmless to a gateway. The payload is delivered not by a script, but by a human voice on the other end of the line.

Here is an analysis of how callback phishing campaigns operate, the social engineering psychology behind them, and how to protect yourself and your organization from these invoice traps.

The Mechanics of a BazarCall Campaign

The name BazarCall originates from the threat group that pioneered this technique to distribute BazarLoader malware. Modern campaigns have refined the playbook, but they follow a structured four-stage lifecycle:

Stage 1: The Linkless Lure

The victim receives an email that looks like an automated invoice or receipt. The email claims that a subscription (typically for high-value services like Geek Squad, Norton Antivirus, or a corporate SaaS license) has renewed, and a charge of $400 to $900 is pending on their account.

The email contains no links, no login buttons, and no attachments. The only call to action is a text block: “If you did not authorize this charge, please call our customer support team immediately at +1 (XXX) XXX-XXXX.”

Because there are no technical signatures (like executable files or external URLs), secure email gateways analyze the mail, classify it as a low-risk plain text message, and deliver it directly to the inbox.

Stage 2: The Urgency Trigger

The victim, seeing a massive charge they did not authorize, reacts with alarm. This is a deliberate psychological trigger. Scammers rely on this panic to motivate the victim to make a phone call without taking time to verify the sender.

This uses a classic social engineering trick: establishing artificial time pressure to bypass critical thinking. Understanding why urgency is the most dangerous word in your inbox explains how these cognitive biases are manipulated in details.

Stage 3: The Fake Call Center

When the victim dials the listed support number, they do not reach a generic scammer in a quiet room. They connect to a fully staffed, professional-sounding call center. The agent speaks calmly, uses corporate scripts, and assigns the victim a “cancellation case number” to make the process seem official.

The operator instructs the victim to sit at their computer so they can guide them through the cancellation process. To stop the pending payment, the operator claims they must connect to a secure portal to verify the workstation.

Stage 4: Delivering the Payload

The operator directs the victim to a website they control (often using look-alike domain names or free SaaS hosting). The site contains a link to download a “secure support utility.”

The download is a legitimate remote monitoring and management (RMM) tool, such as AnyDesk, ScreenConnect, or a custom-compiled helper script. Because RMM tools are legitimate business applications, local antivirus software does not flag them as malicious.

Once the victim installs the software and provides the operator with the connection code, the attacker has complete remote control of the machine. Under the guise of “processing the refund,” the operator blanks the victim’s screen and installs credential stealers, browser cookie harvesters, or ransomware loaders in the background.

The Social Engineering Psychology of Voice-Based Attacks

Callback phishing is incredibly effective because it leverages human-to-human interaction to bypass digital trust thresholds:

• Reframing the Assistant: In standard phishing, the attacker is an intruder trying to get in. In callback phishing, the attacker positions themselves as a helpful support representative assisting you in resolving a financial issue.
• Cognitive Offloading: When users are guided step-by-step by an authoritative voice, they tend to offload their security skepticism to the helper, ignoring warnings that they would normally flag if they were acting alone.
• Antivirus Evasion via Consent: Antivirus tools are built to stop unauthorized exploits. If a user downloads AnyDesk, runs the installer, clicks “Allow” on security prompts, and consents to the remote session, the security suite registers this as completely authorized user behavior.

How to Spot and Defuse Callback Phishing

Defending against telephone-directed attacks requires breaking the communication chain before dialing the phone.

• Verify the Invoice Independently: If you receive an invoice for a service you do not recognize, do not use the phone number listed in the email. Go to your bank or credit card account directly to check if any pending charges exist. If there is no charge on your card, the email is a scam.
• Audit the Sender Domain: Check the sender’s email address. Scammers often send these invoices from free services (like Gmail, Outlook, or Yahoo) or compromised domains that have no relation to the brand they claim to represent.
• Look Up Official Numbers: If you want to check the status of a subscription, look up the official customer service phone number on the company’s official website. Never trust a number provided in a suspicious email.
• Beware of “Cancellation” Demands: Real support representatives do not need remote control of your computer to cancel a subscription or process a refund. If an agent tells you to download remote access software to stop a charge, hang up immediately.

For organizations, educating employees about these linkless email lures is vital. Standard training teaches users to check URLs before clicking, but callback phishing skips links entirely. Security programs must expand their training to cover phone-escalation tactics and enforce strict policies prohibiting employees from installing unauthorized remote management utilities on corporate workstations.

If you are ever unsure about a message, copy its text and paste it into the PhishPond.io Heuristic Scanner to check for social-engineering markers. While Heuristic Scan is a helpful diagnostic indicator, a manual verification of the listed phone number is the absolute safest approach. Similar text scams can arrive via SMS; see our guide on how to spot smishing attacks for details on mobile indicators.

Sources and References

• CISA Cyber Advisory: Telephone-Directed Ransomware Delivery (BazarCall) Campaigns
• FBI IC3 PSA: Scammers Impersonating Tech Support to Steal Credentials and Funds
• CrowdStrike Threat Intelligence: The Evolution of Callback Phishing and Ransomware Access Brokers
• PhishPond Lab Brief: Temporal Urgency and Financial Fear in Callback Phishing Scams

← All posts · Home