Overview
The Callback Phishing feature allows you to send phishing emails containing a phone number that the recipient can call. Once the recipient dials the number and enters the provided Extension and PIN code, an action is logged. This simulates real-world phishing scenarios where attackers use social engineering via phone calls.
How It Works
- A phishing email containing a phone number, extension, and a unique PIN code is sent to the recipient.
- The recipient calls the number and hears an automated voice play the Greeting prompt.
- The recipient enters the extension from the email.
- If the recipient's Target has a phone number assigned, a callback number dialed action is recorded and a data extended action is logged.
- The recipient is asked to enter their unique code/PIN.
- Depending on whether the correct PIN was entered or not, the Correct PIN or Incorrect PIN prompt will play. The caller will have several opportunities to enter the PIN correctly.
- A data extended action is logged if the correct PIN is entered. If no phone number is assigned to the Target, this will also record the click link action.
- The Closing prompt is played, and the call is automatically ended.
Setting Up a Callback Phishing Campaign
1. Get a Callback template
- Navigate to Templates > Library: Templates.
- Select the Callback filter under the Experiences section.
- Select an appropriate template for your scenario.
Above: An example of what a recipient receives after being sent a Callback Phishing template. Hook links will load an empty page, and no action is recorded. These should be removed from the template.
2. Configure the Callback Prompts
- Navigate to Manage Templates, open the Completion Settings menu, and select Callback.
- Customize the voice prompts for different call scenarios:
  - Greeting: The message played when the recipient calls.
  - Correct Pin: The message played if the recipient enters the correct PIN.
  - Incorrect Pin: The message played if the recipient enters an incorrect PIN.
  - Closing: The final message before the call ends.
- Optional: Review the From Email to ensure it aligns with the template.
Above: The prompts available to customize when editing a Callback Phishing template.
3. Create a campaign
- Navigate to Campaigns/Tests and select Callback Campaign as the campaign type.
- Select the campaign's schedule and targets in the same way you would with a normal phishing campaign.
- Select your template. Only Callback Phishing templates will be displayed here. You may also obtain new templates from this tab by clicking the Template Library tab.
- Review your settings and create the campaign.
Tracking & Reporting
Tracking users' actions and test metrics for Callback Phishing campaigns works just like any other campaign. Callback Phishing campaigns display two action types: Email Opened, recorded when a user opens the phishing email, and Data Extended, recorded when a user enters their unique code.
- Navigate to Campaign/Tests and select Manage Campaigns.
- Select the Callback Phishing campaign you wish to review. This page displays overall campaign data as well as metrics for individual tests.
- To view a specific group's metrics, select the magnifying glass for that group's test.