diff --git a/detection-rules/suspicious_request_financial.yml b/detection-rules/suspicious_request_financial.yml
index 3f2f4da4442..8534c59eb43 100644
--- a/detection-rules/suspicious_request_financial.yml
+++ b/detection-rules/suspicious_request_financial.yml
@@ -49,7 +49,8 @@ source: |
 // suspicious sender display name
 or (
 regex.icontains(sender.display_name,
- 'Accounts? (?:Payable (?:Dep(\.|t\.?|artment)|e?Receipt)|(Co[[:punct:]]?ordinator|Admin|Manager|Payee))'
+ 'Accounts? (?:Payable (?:Dep(\.|t\.?|artment)|e?Receipt)|(Co[[:punct:]]?ordinator|Admin|Manager|Payee))',
+ '(?:pay(ment|([[:punct:]]|\s?)app)|EFT|ACH|deposit|remit(tance)?|settle(ment)?) (?:noti(ce|fication)|confirm(ation)?)'
 )
 // sender email listed as a recipient or recipients undisclosed/null
 and (
@@ -59,7 +60,8 @@ source: |
 )
 // non-benign nlu intent
 or any(ml.nlu_classifier(body.current_thread.text).intents,
- .name != "benign"
+ // callback phishing is outside the scope of this rule
+ (.name != "benign" and .name != "callback_scam")
 )
 )
 )
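Review bot: The new display-name pattern on the added `+` line has no word boundaries, so under `regex.icontains` the short tokens `EFT` and `ACH` match inside ordinary words — a display name like `Theft Notification` or `Coach Confirmation` satisfies `EFT Notification`/`ACH Confirmation`, and `deposit notice` also catches legitimate senders such as a landlord's `Security Deposit Notice`. The recipient and NLU-intent conditions further down narrow this, but the regex itself should be anchored: `'\b(?:pay(ment|([[:punct:]]|\s?)app)|EFT|ACH|deposit|remit(tance)?|settle(ment)?) (?:noti(ce|fication)|confirm(ation)?)\b'`. The engine already accepts the POSIX `[[:punct:]]` class on the line above, so `\b` is presumably available too, but confirm against the rule engine's regex dialect before relying on it. The single literal space between the two word groups also means `Payment_Notification` or `Payment-Notice` are missed, whereas the existing pattern tolerates punctuation in `Co[[:punct:]]?ordinator`; `[\s[:punct:]]+` in place of that space would be consistent with it. The enclosing `source:` block scalar starts before this hunk and continues past it.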
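Review bot: The added exclusion inside the `any(...)` predicate is written as two chained `!=` comparisons, which will grow awkwardly as further intents are carved out; if the rule language supports list membership, `.name not in ("benign", "callback_scam")` reads more clearly and keeps the excluded set in one place. The new comment says callback phishing is out of scope but not where it is handled; if a dedicated rule covers it, saying so, e.g. `// callback phishing is intentionally excluded here (covered by a separate rule)`, stops a reader from assuming those messages go undetected. Note that the exclusion is evaluated per intent, so a thread classified as both `callback_scam` and another non-benign intent still fires — that looks intended but is worth stating in the comment. The enclosing `source:` block scalar starts before this hunk.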