Scammers are once again abusing PDFs to trick victims into calling fake support numbers
No, you're not talking to a Microsoft representative
- Cisco Talos warns of callback phishing scams on the rise
- Phishing emails come with PDF attachments, in which are phone numbers
- Threat actors are exploiting people's trust in phone calls
Security researchers from Cisco Talos have warned of an ongoing phishing campaign in which victims are tricked into calling the attackers on the phone.
In a new report, the researchers said that between early May and early June 2025, they observed threat actors spoofing major tech companies, such as Microsoft, Adobe, or Docusign.
Cisco Talos calls this type of scam “callback phishing” - in the phishing emails, they would notify the victims of a problem, or an incoming/pending transaction, then share a phone number they control, and invite the victim to dial in and address these issues. During the call, the attackers would masquerade as a legitimate customer representative and explain to the victim that in order to sort out their problem, they need to either disclose sensitive information, or install a piece of malware on their device.
Get 55% off Incogni's Data Removal service with code TECHRADAR
Wipe your personal data off the internet with the Incogni data removal service. Stop identity thieves
and protect your privacy from unwanted spam and scam calls.
Callback phishing
“Attackers use direct voice communication to exploit the victim's trust in phone calls and the perception that phone communication is a secure way to interact with an organization,” the researchers explained.
“Additionally, the live interaction during a phone call enables attackers to manipulate the victim's emotions and responses by employing social engineering tactics. Callback phishing is, therefore, a social engineering technique rather than a traditional email threat.”
Most phone numbers used in these campaigns are VoIP ones, Cisco Talos further explained, stating that these are more difficult to trace.
The key information, including the attacker-controlled phone number, is shared via a .PDF file sent as an attachment. This is usually done to bypass traditional email security mechanisms and ensure the email lands in the inbox.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
As an added layer of obfuscation, the attackers would sometimes add a QR code into the body of the PDF file, since most AV and email protection tools cannot scan that deep. Furthermore, QR codes are usually scanned via smartphone cameras, and mobile devices rarely have the same level of security as laptops or desktop computers do.
Via The Hacker News
You might also like
- America is the top source of spam, and it’s getting worse thanks to growing data center infrastructure
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.