Has a suspicious-looking email with a PDF attachment and a phone number to call “tech support” landed in your inbox recently? You may be the target of the latest evolution of phishing attacks. A sharp increase in PDF-based scams was observed between May and June 2025, according to Cisco Talos. This time, the attackers aren’t asking you to click anything—they want you to call.
Understanding Callback Phishing
In the past, most phishing emails relied on malicious links. Today’s scammers are turning that on its head with callback phishing—where the only action required is a phone call.
Here's how it works:
• You receive an email from what looks like a trusted company (such as Microsoft, Adobe, or DocuSign).
• Inside the PDF attachment, you’re told there’s an issue—like a subscription renewal.
• A phone number is provided to “resolve” the matter.
• When you call, you’re connected to a fake support representative.
These bad actors sound convincing. They might ask for sensitive details, direct you to install remote access tools, or guide you into unintentionally compromising your own systems.
Why PDF-Based Scams Are Effective
Unlike traditional phishing emails, these PDFs often appear harmless and don’t contain malicious links or files. The real threat is the social engineering that happens once the call is made.
• Scammers build credibility by impersonating known companies
• They exploit users’ natural instinct to seek help by phone
• The interaction feels more “human” and less suspicious
This makes the scam harder to detect and easier to fall for—especially in busy work environments where quick decisions are common.
Protecting Your Organization From PDF Phishing
Awareness and preparedness can make all the difference. Businesses can take the following steps to reduce risk:
• Avoid interacting with PDF attachments from unknown or unexpected senders
• Do not trust phone numbers listed in unsolicited documents or emails
• Always verify contact information through the company’s official website
• Educate your employees to recognize tech support scams and phishing tactics
• Use email security tools that scan for suspicious attachments
If something feels off—pause. Don’t click, and don’t call. Simply delete.
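As an added example (not from the original article or from Cisco Talos), the sketch below shows the kind of heuristic an email security tool can apply to these attachments: since the PDF carries no malicious link, it scores the combination of brand name, phone number, and billing lure instead. It assumes the PDF text and link count were already extracted by an upstream tool; the function names, term list, and scoring are hypothetical and need tuning against your own mail.

```python
import re

BRANDS = ("microsoft", "adobe", "docusign")  # brands named in the article
# Hypothetical lure vocabulary (assumption, not from the article).
LURE_TERMS = ("subscription", "renewal", "invoice", "charged", "refund",
              "cancel", "support")
# North American style numbers with optional +1 and mixed separators.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.\-]?)?\(?\d{3}\)?[\s.\-]?\d{3}[\s.\-]?\d{4}(?!\d)")
CALL_RE = re.compile(r"\b(call|dial|phone|contact)\b", re.I)

# Constructed sample inputs, not real messages.
SAMPLE_SCAM = ("Microsoft subscription renewal notice. Your card was charged "
               "$349.99. To cancel, call support at +1 (555) 010-0199.")
SAMPLE_BENIGN = "Adobe invoice for your team plan. Manage it from your account page."


def sender_matches_brand(sender_domain, brand):
    """True only for brand.com or a subdomain of it, not lookalikes."""
    domain = sender_domain.lower().rstrip(".")
    return domain == brand + ".com" or domain.endswith("." + brand + ".com")


def score_pdf_text(text, sender_domain, link_count=0):
    """Return (score, reasons) for text already extracted from a PDF."""
    lowered = text.lower()
    reasons = []
    brands = [b for b in BRANDS if b in lowered]
    phones = PHONE_RE.findall(text)
    lures = [t for t in LURE_TERMS if t in lowered]

    if phones and CALL_RE.search(text):
        reasons.append("phone number with a call-to-action")
    if brands and not any(sender_matches_brand(sender_domain, b) for b in brands):
        reasons.append("brand named but sender domain does not match")
    if len(lures) >= 2:
        reasons.append("billing or support lure wording")
    if phones and link_count == 0:
        reasons.append("no links: the call is the only action offered")
    return len(reasons), reasons


if __name__ == "__main__":
    for name, text, sender, links in (
            ("scam", SAMPLE_SCAM, "billing-notices.example", 0),
            ("benign", SAMPLE_BENIGN, "mail.adobe.com", 1)):
        print(name, score_pdf_text(text, sender, links))
```

A score like this is a triage signal for quarantine or human review, not a verdict; legitimate invoices also contain phone numbers.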
Consider a full review of your organization’s inbound security practices with our Email Spam Protection and Security and Network Assessments services. If you're planning larger security initiatives, our vCISO Services can help align your strategy to reduce exposure to social engineering attacks like these.
This article contains content originally licensed from Article Aggregator and has been adapted and expanded by our team to better reflect our services and audience. The embedded source link is included as part of the original licensed material.