If it’s not one scam, it’s another. Hackers have a seemingly endless supply of new and creative ways to bilk you out of your money. The latest rage for hackers is “callback phishing.” In this scam, fraudsters don’t call you, you call them.
Callback phishing scams, perpetrated by groups such as Luna Moth, Silent Ransom Group, Quantum, and Roy/Zeon, have cost victims hundreds of thousands of dollars, according to a report from the cybersecurity firm Palo Alto Networks. The scams are aimed at both individuals and businesses. These schemes have “revolutionized data breaches,” says AdvIntel, a firm that researches and publishes cyberthreat intelligence reports. From the beginning of 2021 to March 2022, callback phishing increased by 625%, according to the email security company Agari.
The scam begins when the intended victim receives an email saying their credit card will be billed for a subscription or payment they weren’t expecting or don’t want. The email lists a phone number to call to stop the payment. Scammers take advantage of the victim being caught off guard, acting on impulse, and immediately calling to straighten out the problem. Callback phishing is especially effective in times when consumers are looking for ways to cut costs.
When the victim calls to dispute the charge, the call center walks them through supposed steps to take on their computer to correct the issue. In reality, following those steps is what compromises the computer: the caller has the victim download a tool that gives the attackers remote access to it. Once the hackers are inside the victim’s computer, they can steal data and either hold it for ransom or use the victim’s personal information for financial gain.
In 2022, thousands of people indicated they received emails that looked like they were from Norton, an antivirus and anti-malware software company. The Federal Trade Commission’s Consumer Alerts website gives this example of an email one victim received:
“From: [redacted].
Date: Tue, Feb 9, 2021.
Subject: BILLING DEPARTMENT.
To: [redacted].
“You have been charged $299.99 for your Norton auto renewal. If there has been a mistake, please call 1-999-999-9999 within one business day when you are in front of your computer.
Thanks & Regards, Norton (TM) Billing Team.”
[Image of Norton logo with yellow circle and black checkmark.]
Emails like this say you’ve been (or are about to be) charged for a renewal or a new Norton product. Tip #1: These emails aren’t likely from Norton. The email instructs you to call immediately if this is a mistake. Tip #2: Don’t call. If you call, you’ll be connected to a scammer. They might ask you to “verify” your credit card information. They also might say they need your password to access your computer remotely to remove the Norton program. If you do, you’ll have unsuspectingly given them access to your personal and/or financial information.
Since their inception in 2020, callback phishing scams have become increasingly sophisticated. Previously, groups like Silent Ransom and Luna Moth reused phone numbers across victims. Now they use a unique phone number for each victim, which limits a victim’s ability to check whether a number is known to be malicious, says Palo Alto Networks. Earlier callback phishing scams relied on victims clicking links that downloaded malware. Now the scam doesn’t involve victims downloading malware at all: the hackers use commercially available tools designed to let IT administrators gain remote access to computers. Because these tools are legitimate, they are less likely to “set off alarms with traditional anti-virus products,” says Palo Alto Networks.
These callback phishing scams do require more work on the hacker’s end. “It requires the threat actor to allocate someone to take the call with the victim, walk them through downloading the remote assist software, and keep them on the line long enough to install the remote management software,” says Kristopher Russo of Palo Alto Networks. “These attackers would also need to have business operations set up to track things like a reference number to have the details of the campaign against the victim including name, email, amount, and service they sent the phishing email saying they’re subscribed to.”
Callback phishing schemes can be sophisticated and hard to detect. Cybersecurity experts recommend focusing on awareness to defend against the attacks. “Since there are very few early indicators that a victim is under attack, employee cybersecurity awareness training is the first line of defense,” says Palo Alto Networks.
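Because the lure carries no link or attachment and the phone number changes per victim, an email security team cannot rely on URL reputation or a number blocklist; what remains is the content pattern itself. The Python below is an added illustration written for this article, not code from the article or from any of the firms it quotes. It scores a message on the signals described above (a charge notice, a dollar amount, a phone number paired with an instruction to call, urgency, the “in front of your computer” prompt, and the absence of any link) and, following the FTC’s advice to look a company’s number up rather than trust the email, compares any number it finds against a directory of the vendor’s published numbers. The two sample messages, the `OFFICIAL_NUMBERS` directory and the number in it are constructed placeholders.

```python
import re

# Constructed sample messages (not real emails). The first mirrors the lure
# pattern the article describes; the second is an ordinary transactional mail.
SAMPLE_LURE = (
    "Subject: BILLING DEPARTMENT\n"
    "You have been charged $299.99 for your Norton auto renewal. If there has\n"
    "been a mistake, please call 1-999-999-9999 within one business day when\n"
    "you are in front of your computer.\n"
    "Thanks & Regards, Norton (TM) Billing Team."
)
SAMPLE_BENIGN = (
    "Subject: Your order has shipped\n"
    "Your order is on its way. Track it from your account page at\n"
    "https://example.com/orders. Questions? Reply to this message."
)

# Placeholder directory of a brand's published support numbers (digits only).
# A real deployment would fill this from the vendor's own website, which is
# the FTC's advice: look the number up, don't use the one in the email.
OFFICIAL_NUMBERS = {"norton": {"8005550199"}}  # constructed placeholder number

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
AMOUNT_RE = re.compile(r"\$\s?\d{1,3}(?:,\d{3})*(?:\.\d{2})?")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

CHARGE_WORDS = ("charged", "auto renewal", "renewal", "subscription", "invoice", "billed")
URGENCY_WORDS = ("within one business day", "within 24 hours", "immediately", "today")
COMPUTER_WORDS = ("in front of your computer", "at your computer",
                  "remote access", "remote assist")


def normalize_phone(raw: str) -> str:
    """Reduce a formatted North American number to its ten digits for comparison."""
    digits = re.sub(r"\D", "", raw)
    return digits[-10:] if len(digits) >= 10 else digits


def score_callback_phish(text: str, brand: str = "") -> dict:
    """Return the callback-phishing indicators found in an email body.

    Each indicator is one point; 'suspicious' is set when enough of them
    occur together, since any single one is common in legitimate mail.
    """
    lower = text.lower()
    phones = {normalize_phone(m.group()) for m in PHONE_RE.finditer(text)}
    f = {}
    f["charge_language"] = any(w in lower for w in CHARGE_WORDS)
    f["dollar_amount"] = bool(AMOUNT_RE.search(text))
    f["phone_number"] = bool(phones)
    f["call_instruction"] = f["phone_number"] and bool(re.search(r"\bcall\b", lower))
    f["urgency"] = any(w in lower for w in URGENCY_WORDS)
    f["computer_prompt"] = any(w in lower for w in COMPUTER_WORDS)
    # The lure asks the reader to phone rather than click, so a billing mail
    # with a number but no link fits the pattern; alone this is a weak signal.
    f["no_link"] = f["phone_number"] and not URL_RE.search(text)
    # A per-victim number will never match the vendor's published numbers.
    f["unlisted_number"] = False
    if brand and phones:
        known = OFFICIAL_NUMBERS.get(brand.lower(), set())
        f["unlisted_number"] = not phones <= known
    score = sum(f.values())
    return {"score": score, "phones": sorted(phones), "findings": f,
            "suspicious": score >= 4}


if __name__ == "__main__":
    for label, msg in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        result = score_callback_phish(msg, brand="Norton")
        print(label, result["score"], result["suspicious"], result["phones"])
```

The threshold of four is deliberately conservative: a genuine invoice can mention a charge, an amount and a support line, but it rarely adds a deadline and a request that you be at your computer while it contains no link. Tuning the word lists and threshold against a mailbox's own traffic is where the real work lies.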
The Federal Trade Commission recommends taking these steps if you receive an unexpected email or an email you’re not sure about:
- “Don’t click on any links.
- Don’t use the number in the email or text. If you want to call the company that supposedly sent the message, look up their phone number online.
- Don’t give your password to a stranger on the phone, even if they claim to be from a company you recognize. If you did give out your password, change it right away, update your computer’s security software, run a scan, and delete anything it identifies as a problem. Make your passwords long, strong, and complex.
- Don’t give your bank account, credit card, or personal information over the phone to someone who contacts you out of the blue.”
If you do receive an email that appears to be fake, you can help your community by reporting it to the FTC at ReportFraud.ftc.gov.
___
Starks, Tim. “Don’t Fall for Those Emails Telling You About a Subscription Charge.” The Washington Post, November 21, 2022. https://www.washingtonpost.com/politics/2022/11/21/dont-fall-those-emails-telling-you-about-subscription-charge/. Last accessed November 28, 2022.
Wu, Emily. “Spotting Scammy Emails.” Federal Trade Commission, March 17, 2021. https://consumer.ftc.gov/consumer-alerts/2021/03/spotting-scammy-emails. Last accessed November 28, 2022.