Callback Phishing Checklist for Fort Myers Businesses in 2026
A single phone call can turn an ordinary invoice email into a stolen Microsoft 365 account. Callback phishing starts with a message that tells you to call a number, often about a renewal, refund, security alert, or payment.
The caller may sound professional and know the name of a vendor your company uses. That still doesn't make the request safe. Use this checklist before anyone calls, shares information, approves a payment, or gives remote access to a Fort Myers business system.
Key Takeaways
- Treat unexpected callback requests as untrusted, even when the email includes familiar branding.
- Verify the request through a known website, saved phone number, vendor portal, or existing contact.
- Never share passwords, MFA codes, payment details, or remote access with an unsolicited caller.
- If someone already called, notify your IT provider and manager before deleting evidence or changing systems.
- Written procedures, Microsoft 365 protections, and short employee training reduce confusion during a real incident.
How Callback Phishing Works
A callback phishing attack usually begins with an email that contains a phone number instead of a traditional malicious link. The message may claim that a software subscription will renew, a payment failed, an account needs verification, or a large charge requires immediate attention.
After the employee calls, the scammer follows a prepared script. The caller may offer to cancel a charge, fix a security problem, issue a refund, or connect to the employee's computer. Some attackers ask for a one-time MFA code. Others persuade the employee to install remote-access software, such as AnyDesk, TeamViewer, or Microsoft Quick Assist.
Once the attacker gains access, the goal may shift quickly. They could search email for invoices, reset passwords, create mailbox forwarding rules, steal files, or watch an employee enter banking information. A compromised mailbox can also help the attacker send convincing payment instructions to customers and vendors.
Common warning signs include:
- An unexpected request to call a number about a charge or renewal.
- Pressure to act before the end of the day or before an account is suspended.
- A phone number that doesn't match the vendor's website, prior invoices, or contract.
- A sender address that uses a look-alike domain or a mismatched reply-to address.
- Instructions to keep the call private or avoid contacting your normal IT support.
- A request to install software, share your screen, read an MFA code, or provide a password.
- A caller who insists that normal verification steps are unnecessary.
Caller ID, logos, signatures, and accurate employee names don't prove the request is real. Attackers can copy branding and manipulate caller ID information. The phone call is part of the attack, not independent proof that the email is legitimate.
The Pre-Call Checklist for Small-Business Employees
The safest callback is the one you don't make from the suspicious message. Pause the request and verify it through a separate channel.
Use this checklist before contacting a vendor, bank, software provider, or customer about an unexpected callback request:
- Read the full sender address, not only the display name. Check the reply-to address as well.
- Ask whether the request matches a recent purchase, renewal, ticket, or billing change.
- Do not call the phone number in the email, reply to the message, or use a link in the message to verify it.
- Open a saved bookmark for the vendor's website or type the known address manually.
- Use the phone number on an existing contract, prior statement, account portal, or company directory.
- Contact your known account representative through a separate email address or phone number.
- Ask your manager or IT provider to review the message before anyone acts on it.
- Save the original email, full headers if available, attachments, phone number, and screenshots.
- Report the message through your email system's phishing-report option.
Legitimate verification takes place outside the suspicious message. Unsafe verification depends on information supplied by the message or caller.
| Safer verification | Unsafe behavior |
|---|---|
| Use a known vendor phone number from an old contract or portal. | Call the number printed in an unexpected email. |
| Sign in through a saved bookmark or manually typed website address. | Click the message link and sign in from the resulting page. |
| Ask a known contact to confirm the request separately. | Reply to the suspicious sender and ask whether it is real. |
| Let IT inspect the message and mail headers. | Forward the email to coworkers with instructions to call. |
| Approve changes through your normal purchasing process. | Accept a refund, renewal, or payment change during an unsolicited call. |
| Use a documented remote-support ticket and approved technician. | Install remote software because a caller says it is required. |
The purpose of verification is to confirm the request using a source the attacker didn't provide. Searching for a vendor online can help, but check the domain carefully and avoid relying on a sponsored result or an unfamiliar support number.
What to Say When a Suspicious Caller Reaches You
You don't need to debate the caller or prove that the request is fraudulent. State your boundary, end the call, and verify the issue yourself.
Use a short script such as:
"I don't approve account or billing changes from an unsolicited call. I'll contact the vendor using our existing records."
If the caller asks for an MFA code, say:
"I don't share verification codes. Please send the request through our documented support channel."
If the caller requests remote access, use this response:
"Remote support requires a ticket and approval from our IT provider. I won't install software during this call."
Then hang up. Don't stay on the line while opening a vendor portal, checking your bank account, or asking a colleague for advice. The caller can continue applying pressure while you work.
A suspicious email can also be handled with a brief internal message:
"I received an unexpected callback request about a vendor account. I didn't call the number or open the attachment. Please review it through our normal IT process."
If you already called, shared information, or allowed remote access, move quickly:
- Disconnect the affected computer from Wi-Fi or the wired network if the caller controlled it. Keep the computer powered on unless your IT provider gives different instructions.
- Notify your manager, managed IT provider, and any affected vendor. Include the email, number, caller's claims, and actions taken.
- From a known-clean device, change exposed passwords. Reset MFA methods if an attacker saw or requested a code, and ask IT to revoke active sessions.
- Have IT inspect Microsoft 365 sign-in logs, mailbox forwarding rules, inbox rules, delegates, newly created accounts, and installed remote-access tools.
- Contact your bank, card issuer, payroll provider, or payment processor immediately if financial details or payment instructions were exposed.
- Preserve evidence before deleting the message, uninstalling software, or resetting the computer.
- Report the email through Microsoft 365, then consider reporting the incident to the FTC or FBI Internet Crime Complaint Center when appropriate.
Removing a remote-access application may not remove an attacker's account, scheduled task, browser session, or stolen credentials. Let qualified IT staff examine the device and account first.
Build a Callback Phishing Routine for 2026
A policy works best when employees can follow it during a busy workday. Put the rule in writing: no employee calls an unexpected number from an email to resolve billing, security, or account issues without independent verification.
Give employees a known escalation path. It might include a supervisor, office manager, accounting lead, and IT provider. The policy should also require approval before anyone changes payment details, adds a vendor, installs remote-support software, or shares company data.
For Microsoft 365, review the protections available in your tenant. Require MFA for every account, use phishing-resistant methods such as security keys or passkeys where practical, and disable outdated authentication methods that your applications don't need. Turn on external-sender warnings, configure anti-phishing and impersonation policies, and make the phishing-report option easy to find in Outlook.
Email authentication also needs proper setup. SPF, DKIM, and DMARC can reduce forged messages sent from your domain, although they won't stop every callback phishing email. Your IT provider should review the settings alongside mail-flow rules and account sign-in alerts.
Keep separate, tested backups for important business files and systems. Microsoft 365 retention features can help recover messages, but retention isn't the same as a complete backup strategy. Review who can access backups and who can restore them.
Run a short callback-phishing exercise during staff training. Show employees how a suspicious message looks, where to report it, and how to verify a vendor independently. Keep the lesson practical, especially for staff who handle invoices, payroll, customer records, or account administration.
Finally, maintain a simple incident record. Note the date, sender address, phone number, affected account, information shared, and actions taken. That record helps your IT provider investigate faster and helps your team spot repeat attempts.
Conclusion
Callback phishing succeeds when a rushed employee treats a phone number in an email as trustworthy. Your strongest defense is a firm pause: don't call the supplied number, don't share access, and verify the request through a known channel.
Fort Myers small businesses can reduce the risk with clear approval rules, Microsoft 365 account protections, tested backups, and a practiced response script. When a suspicious caller creates urgency, your checklist gives employees permission to slow the conversation down.

