Attackers are transforming the landscape of social engineering by employing callback phishing, also known as Telephone-Oriented Attack Delivery (TOAD), in combination with PDF attachments. Instead of relying on malicious links, these campaigns persuade victims to call phone numbers embedded in seemingly legitimate PDFs, often impersonating trusted brands like Microsoft, DocuSign, and the USPS.
Once engaged, the attacker, posing as a customer service representative, manipulates victims into revealing sensitive information or installing malware, exploiting the inherent trust in voice communication and the perceived security of phone calls.
Trusted Brands Become Prime Targets for Impersonation
The latest wave of phishing attacks leverages the credibility of well-known brands to deceive targets. Microsoft and DocuSign have emerged as the most impersonated, with others like NortonLifeLock, PayPal, and Geek Squad also frequently abused.
Attackers embed brand logos, official-looking language, and even QR codes within PDFs, enhancing the illusion of legitimacy. This tactic capitalizes on users’ familiarity with these brands, making them more likely to comply with urgent requests or initiate a callback.
Did you know?
In the first quarter of 2025, callback phishing scams surged to represent nearly one in five phishing attempts globally, marking a dramatic shift from traditional link-based attacks and highlighting the adaptability of cybercriminals in response to evolving email security technologies.
PDF Attachments and QR Codes Expand the Attack Surface
PDFs have become the attachment of choice for cybercriminals, accounting for 36 percent of phishing-related email attachments, just ahead of SVG files. These documents are not only ubiquitous in business workflows but are also perceived as secure and tamper-proof, a misconception that attackers exploit.
Malicious PDFs may contain embedded QR codes or annotations that direct users to phishing sites or prompt them to call attacker-controlled numbers. On mobile devices, the risks are amplified due to limited visibility into file contents and weaker endpoint protections.
Human-Centric Tactics Outpace Traditional Email Defenses
The shift toward callback phishing reflects a broader trend: attackers are prioritizing human-centric, low-tech methods that evade traditional email security filters. As organizations have improved their ability to detect malicious links, cybercriminals have pivoted to tactics that leave little digital trace.
In the first quarter of 2025, callback scams accounted for 16 percent of phishing attempts, a sharp rise from the previous year, while link-based attacks declined by 42 percent. The live interaction of a phone call allows attackers to manipulate emotions and responses in real time, increasing the likelihood of success.
Organizations Face Growing Pressure to Adapt Security Strategies
The surge in PDF-based callback phishing is forcing organizations to rethink their security postures. Standard email filtering is often ineffective against these threats, as the malicious payload is delivered through trusted file formats and live voice interaction rather than suspicious links.
Security experts recommend enhanced brand impersonation detection, user education on the risks of unsolicited communications, and advanced monitoring for VoIP-based callback numbers. Without swift adaptation, enterprises risk exposure to credential theft, malware infections, and large-scale data breaches.
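The attachment-level indicators the article describes (a trusted brand name, an urgent instruction to call a phone number, and link annotations inside the PDF) can be checked mechanically before a message reaches a user. The following is an added example, not code from the original article or from any vendor it mentions: a small triage script that pulls literal text strings and /URI link annotations out of an uncompressed PDF and scores them for callback-phishing indicators. The two PDF byte strings are constructed for this example (the phone number uses the reserved 555-01xx range and the URL uses the .invalid TLD); the brand list, keyword list and scoring thresholds are assumptions a real deployment would tune.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lure: uncompressed PDF with a brand name, an urgent
# "call this number" instruction and a /URI link annotation. Not a real sample.
SAMPLE_LURE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Length 150 >>
stream
BT /F1 12 Tf 72 700 Td (Microsoft 365 Renewal Notice) Tj
0 -20 Td (Your card was charged $399.99. To cancel call 1-800-555-0142 within 24 hours.) Tj ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/verify) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign document for comparison.
SAMPLE_BENIGN_PDF = b"""%PDF-1.4
4 0 obj << /Length 60 >>
stream
BT /F1 12 Tf 72 700 Td (Quarterly sales summary, Q1 2025) Tj ET
endstream
endobj
%%EOF
"""

# Brands the article names as most impersonated (assumed watch-list, extend as needed).
BRANDS = ("microsoft", "docusign", "usps", "nortonlifelock", "paypal", "geek squad")
# Assumed urgency / pretext phrases typical of renewal-charge lures.
URGENCY = ("within 24 hours", "charged", "renewal", "cancel", "call")

# North American phone numbers with optional country code and separators.
PHONE_RE = re.compile(r"(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}")
# Literal strings drawn with the Tj operator, and /URI values in link annotations.
TEXT_RE = re.compile(rb"\((.*?)\)\s*Tj", re.S)
URI_RE = re.compile(rb"/URI\s*\((.*?)\)")


@dataclass
class PdfTriage:
    text: str
    phones: list = field(default_factory=list)
    brands: list = field(default_factory=list)
    uris: list = field(default_factory=list)
    urgency: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # A phone number is the defining TOAD indicator, so it weighs most.
        return ((2 if self.phones else 0) + (1 if self.brands else 0)
                + (1 if self.urgency else 0) + (1 if self.uris else 0))

    @property
    def verdict(self) -> str:
        if self.phones and self.brands:
            return "likely callback-phishing lure"
        if self.score >= 2:
            return "suspicious"
        return "no callback indicators"


def extract_text(pdf: bytes) -> str:
    # Only handles uncompressed literal-string Tj operators. Real attachments
    # usually use FlateDecode streams and hex strings; feed those through a full
    # parser (e.g. pypdf) and pass the resulting text to the same checks.
    return " ".join(m.group(1).decode("latin-1") for m in TEXT_RE.finditer(pdf))


def triage_pdf(pdf: bytes) -> PdfTriage:
    text = extract_text(pdf)
    low = text.lower()
    result = PdfTriage(text=text)
    result.phones = sorted({m.group(0) for m in PHONE_RE.finditer(text)})
    result.brands = [b for b in BRANDS if b in low]
    result.urgency = [u for u in URGENCY if u in low]
    result.uris = [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]
    return result


if __name__ == "__main__":
    for name, blob in (("lure", SAMPLE_LURE_PDF), ("benign", SAMPLE_BENIGN_PDF)):
        t = triage_pdf(blob)
        print(f"{name}: score={t.score} verdict={t.verdict!r} phones={t.phones} "
              f"brands={t.brands} uris={t.uris}")
```

Matched phone numbers are the useful output for the VoIP-number monitoring the article recommends: they can be fed to a block-list or a carrier lookup, and a brand match combined with a phone number is a strong enough signal to quarantine the message for review rather than deliver it.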