Fake invoice with a phone number, no link: the callback-phishing scam of 2026
A receipt email showing a charge you never made, a phone number, and no link to click is not a billing mistake. It is callback phishing, and it is one of the fastest-growing email scams of the year.
Bottom Line First
Verdict: scam. An unexpected PayPal, Apple, Amazon, or Geek Squad "invoice" or "receipt" that shows a dollar amount and a phone number but contains no link to click is a callback-phishing scam, also called TOAD (telephone-oriented attack delivery). The email is bait to make you call. When you call, a fake "agent" walks you into installing remote-access software or reading out your card and bank details. Do not call the number in the email. Check your real bank or card statement instead: if there is no charge, there is no charge. Delete it.
What callback phishing is, and why it is spreading now
For years the rule was simple: do not click the link. Scammers adapted. Callback phishing removes the link entirely. The email is built to look like a routine receipt or invoice from a brand you trust, with a charge large enough to alarm you, usually somewhere between $300 and $1,500. The only thing it tells you to do is call a number "to cancel or dispute this charge." There is nothing to scan, nothing to hover over, nothing for a link-based filter to flag.
That is the entire point. The Cybersecurity and Infrastructure Security Agency (CISA) describes callback phishing as an email-gateway evasion method: because the malicious payload is a phone number sitting in plain text or inside a PDF, the message sails past filters that are tuned to look for bad links and bad attachments. Proofpoint, which coined the term TOAD for this technique, has tracked it as one of the highest-volume social-engineering patterns reaching inboxes, precisely because the hard part of the attack happens on the phone where no email security tool can see it.
In June 2026, Malwarebytes threat intelligence caught one of these campaigns mid-build: infrastructure being staged, fake-invoice templates wired up, before the first wave even shipped. That is the texture of this threat right now. It is not a one-off; it is a production line. The brands rotating through the templates are the ones with the most recognizable receipts: PayPal, Apple, Amazon, and Geek Squad / Best Buy.
What the email actually looks like
The body is a fake receipt. It carries a logo, an order or invoice number, a date, and a total. Then, instead of a "View order" button, it gives you a sentence like one of these:
- "You have been charged $649.99 for your auto-renewed subscription. To cancel or dispute this charge, call +1-8XX-XXX-XXXX within 24 hours."
- "Order confirmed. Total: $1,299.00. If you did not authorize this purchase, contact our billing department at +1-8XX-XXX-XXXX."
- "Your invoice is attached. For any questions about this payment, our support line is +1-8XX-XXX-XXXX." (The amount and phone number live inside the attached PDF, not the email body.)
Notice what is missing. No login link. No "click here." No tracking URL. Just a brand, a scary number, and a phone number. Sometimes the message comes from a free Gmail or Outlook address; sometimes, as covered below, it is sent through the real brand's own invoicing system so that it passes every "verified sender" check your mail client runs.
No link to scan, so check the domain you type instead
Most phishing posts let you paste the scam link into a checker. This one does not, because the lure is a phone number, not a URL. There is nothing safe to scan in the email. The useful move is the opposite one: forget the email entirely and go to the brand's real site by typing it yourself. These are the genuine domains, and they are the only addresses you should ever sign in to:
- paypal.com for any PayPal charge.
- appleid.apple.com and reportaproblem.apple.com for an Apple receipt.
- amazon.com for an Amazon order.
- bestbuy.com for a Geek Squad plan.
If an invoice email does include a link, that is the moment to test it. A lookalike like paypal-billing-dispute.com or apple-receipt-cancel.net is not the brand, no matter how convincing the body looks. Paste any suspicious link into the checker below before you go anywhere near it. The structural tell of callback phishing stays the same whether or not a link is present: a recognizable brand, a large payment amount, a standalone phone number, and a "call to cancel or dispute" instruction, with zero clickable destination.
Got a link in a suspicious invoice? Test it here first
If an "invoice" email does include a link, paste it below before you click. Our 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. Free, no signup. The safe move for a pure no-link invoice is to type the brand's real address yourself, never to call the number in the email.
The "verified sender" checkmark is meaningless here, and why
The most dangerous variant of this scam abuses email authentication. Your mail client can show a "verified sender" or a small checkmark when a message passes SPF, DKIM, and DMARC, the three checks that prove an email really came from the domain it claims. People have been trained to trust that mark. Callback phishing turns the training against you.
Two mechanics make it work. First, the real invoicing systems of brands like PayPal and Apple let anyone generate and send an invoice. The scammer simply creates an invoice from inside the genuine platform, drops the dollar amount and a phone number into the notes field, and the brand's own servers mail it to you. It passes every authentication check because it genuinely is from the brand. Only the contents are fraudulent.
Second is the DKIM-replay trick. A DKIM signature proves the message body was not altered after it left a legitimate server, but it does not bind the message to its original recipient. An attacker who receives a single validly signed message can re-send that same signed payload to thousands of new inboxes, and the signature still verifies. The result is a spoofed-looking email that genuinely passes the "verified" check.
Here is the part that matters: even when the checkmark is real, it tells you nothing useful, because the link is not the lure. The lure is the phone number, and no email-authentication standard inspects a phone number sitting in the body or a PDF. A perfectly authenticated email can carry a 100 percent fraudulent callback. Authentication answers "did this come from PayPal's servers." It never answers "is the phone number in here safe to call." For this scam, the second question is the only one that matters.
How to spot it in 10 seconds
- You do not recognize the charge. If you did not buy a $649 antivirus plan, you were not billed for one. A receipt for something you never bought is the scam, full stop.
- The only action is a phone call. Real receipts let you view the order, manage the subscription, or open a dispute online. An email whose single instruction is "call this number" is engineered to get you on the phone.
- The number is in bold or framed as urgent. "Call within 24 hours or the charge is final." Real billing is not a countdown.
- The amount is round-ish and high. $399, $599, $1,299. High enough to alarm, specific enough to look real.
- Generic greeting, vague product. "Dear Customer," and a product named "Premium Protection Plan" with no SKU, no item detail.
- The invoice arrives as a PDF. Pushing the amount and number into an attachment is a deliberate move to dodge text-scanning filters.
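The tells above, together with the structural signature described earlier (brand, amount, standalone phone number, "call to cancel or dispute", no link), are concrete enough to turn into a mail-filter heuristic. The Python below is an added example, not SafeBrowz code and not any vendor's rule set: the regexes, weights, threshold and sample messages are my own construction, and the PDF variant assumes the attachment text has already been extracted by some upstream tool.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Brand keywords the post names as the ones rotating through the templates.
BRANDS = ("paypal", "apple", "amazon", "geek squad", "best buy")

# Assumed heuristics (not any vendor's rules): dollar amounts, North American phone
# numbers, URLs, a "call/contact ... to cancel/dispute/billing" instruction,
# urgency language and generic greetings.
AMOUNT_RE = re.compile(r"\$\s?\d{1,3}(?:,\d{3})*(?:\.\d{2})?")
PHONE_RE = re.compile(r"(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}")
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
CALL_WORDS = r"(?:call|contact|phone|dial|line|number)"
ACTION_WORDS = r"(?:cancel|dispute|billing|support|refund)"
CALL_RE = re.compile(
    rf"\b{ACTION_WORDS}\b[^.\n]{{0,80}}?\b{CALL_WORDS}\b"
    rf"|\b{CALL_WORDS}\b[^.\n]{{0,80}}?\b{ACTION_WORDS}\b",
    re.I,
)
URGENCY_RE = re.compile(r"\bwithin\s+\d+\s+(?:hours?|minutes?)\b|\bimmediately\b", re.I)
GENERIC_RE = re.compile(r"^\s*dear\s+(?:customer|user|client|member)\b", re.I | re.M)


@dataclass
class LureVerdict:
    score: int
    phones: List[str]
    reasons: List[str] = field(default_factory=list)


def score_callback_lure(text: str, attachment_text: str = "") -> LureVerdict:
    """Score an email body (plus any text already extracted from attachments)
    against the structural tells of a callback-phishing lure. Weights are assumed."""
    combined = f"{text}\n{attachment_text}"
    lower = combined.lower()
    reasons, score = [], 0

    brands = [b for b in BRANDS if b in lower]
    if brands:
        score += 1
        reasons.append(f"recognizable brand named: {', '.join(brands)}")

    amounts = AMOUNT_RE.findall(combined)
    if amounts:
        score += 1
        reasons.append(f"payment amount shown: {', '.join(amounts)}")

    phones = PHONE_RE.findall(combined)
    if phones:
        score += 2
        reasons.append(f"standalone phone number: {', '.join(phones)}")

    if CALL_RE.search(combined):
        score += 2
        reasons.append("instruction to call/contact to cancel, dispute, or for billing/support")

    # The defining tell: a phone number is the only action, there is no link at all.
    if phones and not URL_RE.search(combined):
        score += 2
        reasons.append("phone number is the only action offered: no link or portal")

    if URGENCY_RE.search(combined):
        score += 1
        reasons.append("deadline or urgency language")

    if GENERIC_RE.search(combined):
        score += 1
        reasons.append("generic greeting")

    return LureVerdict(score, phones, reasons)


def is_callback_lure(text: str, attachment_text: str = "", threshold: int = 6) -> bool:
    return score_callback_lure(text, attachment_text).score >= threshold


# Constructed sample messages, not real scam artifacts; 555-01XX numbers are reserved for fiction.
SCAM_SAMPLE = """\
From: PayPal Billing <service@paypal.com>
Subject: Receipt for your Premium Protection Plan

Dear Customer,

You have been charged $649.99 for your auto-renewed subscription.
To cancel or dispute this charge, call +1-800-555-0199 within 24 hours.
"""

LEGIT_SAMPLE = """\
Subject: Your Amazon.com order #112-0000000-0000000

Hello Jane,

Total: $23.50
View or manage your order: https://www.amazon.com/your-orders
"""

# PDF variant: the body is bland, the amount and number sit in the attachment text.
PDF_BODY_SAMPLE = """\
Dear Customer,

Your Apple invoice is attached. For any questions about this payment,
please see the support line in the document.
"""
PDF_TEXT_SAMPLE = """\
Apple Invoice
Total: $1,299.00
For any questions about this payment, our support line is +1-800-555-0142.
"""

if __name__ == "__main__":
    for label, body, attachment in (("scam", SCAM_SAMPLE, ""),
                                    ("legit", LEGIT_SAMPLE, ""),
                                    ("pdf scam", PDF_BODY_SAMPLE, PDF_TEXT_SAMPLE)):
        v = score_callback_lure(body, attachment)
        print(f"{label}: score={v.score} lure={v.score >= 6}")
        for r in v.reasons:
            print("   -", r)
```

The "no link at all" signal only counts when a phone number is also present, so a link-free newsletter is not penalized; note that some lures do carry an unsubscribe link, in which case the other tells still carry the score. The PDF case depends entirely on running text extraction over attachments, which is exactly why the scammers move the amount and number into one.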
The right way to verify (never call the number in the email)
- Check your actual bank or card statement. Open your banking app or card site directly. If there is no matching charge, the invoice is fake. Delete it.
- Go to the brand by typing its address. Open paypal.com, reportaproblem.apple.com, or amazon.com yourself and check your real order or subscription history. A genuine charge will appear there. A fake one will not.
- If you must call, use the number on the back of your card or the one published on the brand's real site, never the number printed in the email or PDF.
- Report it. Forward PayPal spoofs to phishing@paypal.com, Apple spoofs to reportphishing@apple.com, and Amazon spoofs to reportascam@amazon.com. Then file with the FTC at reportfraud.ftc.gov.
- Delete and move on.
If you already called the number
What you did on the call decides what you need to do now.
You called but gave nothing
Hang up. Your number is now on a "live target" list, so expect more scam calls. Block the number. You are otherwise unharmed.
You installed remote-access software (AnyDesk, TeamViewer, UltraViewer, Quick Assist)
- Disconnect from the internet right away. Unplug ethernet, turn off Wi-Fi.
- Uninstall the remote-access tool they had you add.
- Run a full malware scan with Windows Defender or Malwarebytes. Scammers often leave a hidden backdoor.
- Change every password for accounts you touched recently, using a different, clean device.
- If you signed into your bank while they watched, call the bank to lock the account and order new cards.
You read out card details or sent money
- Card or bank details: call your bank now, freeze the card, dispute any charge. Card fraud reported quickly is usually reversible.
- Gift cards: call the card issuer immediately. Some can freeze the balance if you call within the hour. Keep the card numbers and receipts.
- Wire transfer: call the sending bank and request a recall. Possible only if it has not been collected yet.
- Cryptocurrency: recovery is unlikely. File with the FBI's IC3 at ic3.gov and report to the exchange you used. A fast report sometimes lets an exchange freeze the receiving account.
- Report to reportfraud.ftc.gov regardless. These reports feed the databases that eventually shut down repeat call centers.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI. A pure no-link email is, by design, something no URL scanner can catch, and we will not pretend otherwise. What SafeBrowz catches is the next step, because callback phishing rarely ends in the inbox.
- Layer 1 - Local detection: 60+ URL patterns plus 550+ brand-specific signatures run in the extension before the page renders. When a victim does get a link variant, or is steered to a fake "billing portal" mid-call, our pattern engine and brand-impersonation database key on the structural signature: a known brand name appearing on a non-official domain. A brand keyword on a domain that is not the brand's official address is treated as impersonation on its own, independent of how convincing the page content is.
- Layer 2 - API checks: aggregates established threat feeds and reputation sources to catch domains already known to be malicious.
- Layer 3 - AI deep scan (Premium): 100+ language content analysis flags the fake-payment-portal and remote-access landing pages that follow the call, including brand-new variants.
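The Layer 1 rule described above, a brand keyword on a domain that is not the brand's official address, is simple enough to sketch in a few lines. The Python below is an added illustration, not the SafeBrowz pattern engine: the official-domain table is taken from the four addresses listed earlier in this post, while the registrable-domain helper, the lookalike-character map and the test URLs are my own assumptions (a real deployment would use the Public Suffix List rather than the tiny stand-in here).

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Brand keyword -> registrable domains the post names as the genuine ones.
# Assumption: this table is limited to the addresses given in the post.
OFFICIAL_DOMAINS = {
    "paypal": {"paypal.com"},
    "apple": {"apple.com"},        # covers appleid.apple.com and reportaproblem.apple.com
    "amazon": {"amazon.com"},
    "bestbuy": {"bestbuy.com"},
    "geeksquad": {"bestbuy.com"},
}

# Assumed stand-in for the Public Suffix List: suffixes where the registrable
# domain is three labels long instead of two.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Digits commonly swapped for letters in lookalike hostnames (assumed map).
LOOKALIKE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


@dataclass
class DomainVerdict:
    url: str
    brand: Optional[str]
    registrable_domain: Optional[str]
    impersonation: bool
    reason: str


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain: last two labels, or three under a
    known multi-label suffix. Subdomains such as paypal.com.evil.net collapse
    to evil.net, which is the whole point of the check."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_brand_domain(url: str) -> DomainVerdict:
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return DomainVerdict(url, None, None, False, "no hostname")
    reg = registrable_domain(host)

    # https://paypal.com@evil.example/ really connects to evil.example; the brand
    # name before the '@' is userinfo, so treat it as impersonation outright.
    userinfo = (parts.username or "").lower().translate(LOOKALIKE_CHARS)
    for brand in OFFICIAL_DOMAINS:
        if brand in userinfo:
            return DomainVerdict(url, brand, reg, True,
                                 f"brand '{brand}' placed before '@'; real host is {reg}")

    # Normalize digit lookalikes and drop hyphens so paypa1-support matches "paypal".
    normalized = host.translate(LOOKALIKE_CHARS).replace("-", "")
    for brand, official in OFFICIAL_DOMAINS.items():
        if brand in normalized:
            if reg in official:
                return DomainVerdict(url, brand, reg, False, f"official {brand} domain")
            return DomainVerdict(url, brand, reg, True,
                                 f"brand '{brand}' on non-official domain {reg}")
    return DomainVerdict(url, None, reg, False, "no tracked brand keyword in hostname")


if __name__ == "__main__":
    # Constructed test URLs; the lookalikes are illustrative, not observed domains.
    for u in ("https://www.paypal.com/myaccount",
              "https://reportaproblem.apple.com/",
              "https://paypal-billing-dispute.com/login",
              "https://apple-receipt-cancel.net/",
              "https://paypal.com.secure-billing.net/",
              "https://paypa1-support.com/",
              "https://paypal.com@evil.example/",
              "https://example.com/"):
        v = check_brand_domain(u)
        print(f"{'IMPERSONATION' if v.impersonation else 'ok':14} {u}  ({v.reason})")
```

As written, the rule fires on any hostname containing the keyword, so a genuine unrelated site with "apple" in its name would be flagged too; that is the trade-off the post describes when it says a brand keyword on a non-official domain is treated as impersonation on its own. Internationalized hostnames arrive from urlsplit in their Unicode form, so a production version would also fold confusable scripts before matching.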
This is also why a green "verified sender" checkmark and a green SafeBrowz verdict measure different things. Email authentication answers "did this come from the brand's servers." SafeBrowz answers "is this destination safe to open." For a callback scam the destination is a phone number, so the honest defense is the rule itself: never call a number in an unexpected invoice, and verify the charge from your bank statement or the brand's site you typed yourself.
Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
Frequently asked questions
Is a PayPal or Apple invoice with a phone number and no link real?
Almost always no. A real receipt lets you manage the order or open a dispute online, inside your account. An invoice whose only instruction is to call a phone number, with no link and no way to act through your account, is callback phishing. Verify by signing in to paypal.com or appleid.apple.com directly, never by calling the number in the email.
The email passed my mail client's "verified sender" check. Doesn't that mean it's safe?
No. The verified mark proves the message came from the claimed domain, sometimes because the scammer sent it through the brand's real invoicing system, or replayed a validly signed message. Authentication never inspects the phone number, which is the actual lure here. A fully authenticated email can carry a 100 percent fraudulent callback. Trust your bank statement, not the checkmark.
What is TOAD or callback phishing?
TOAD stands for telephone-oriented attack delivery. The email contains no malicious link or file, only a lure that gets you to call a phone number. The attack then plays out on the call, where a fake agent extracts card details or talks you into installing remote-access software. Because the payload is a phone number, it evades email filters tuned to catch bad links.
Why is there no link to click in the email?
The link is removed on purpose. Email security gateways are tuned to flag malicious URLs and attachments. A plain-text phone number, or one buried in a PDF, gives those filters nothing to detect, so the message reaches the inbox and looks more trustworthy than a typical phishing email.
The "agent" asked me to install AnyDesk or TeamViewer. What does that do?
Those are legitimate remote-access tools that scammers abuse to take full control of your screen and keyboard. Once connected they can read your saved passwords, browser history, and bank logins. No real billing department asks you to install remote-access software to "process a refund." If you installed one, disconnect from the internet, uninstall it, and run a full malware scan.
Can SafeBrowz block a callback-phishing email that has no link?
No URL scanner can block a pure no-link email, and we will not claim otherwise. SafeBrowz catches the next step: if the scam steers you to a fake billing portal or a remote-access download page, the browser-layer scanner flags it before it loads using the 3-layer engine and the 550+ brand database. The first defense against the email itself is the rule: never call the number in an unexpected invoice.
Bottom line: A receipt with a charge and a phone number but no link is callback phishing. The email is safe to read and the phone call is the trap. Do not call the number. Verify any charge from your bank statement or the brand's real site you typed yourself, and forward the message to the brand and the FTC.
Install SafeBrowz free
Add the browser extension that scans every page before it renders and flags the fake billing portals and remote-access pages that follow a callback scam. Free forever.