A devilishly ingenious scam plays on your user’s familiarity with business voicemail, seeking to compromise online credentials without raising concerns.
Many organizations today have their PBX system integrated with email; miss a call and the recording pops into your Inbox. There is nothing inappropriate about this scenario. But that is exactly what scammers are hoping you will think when your users receive an email pretending to be an internal voicemail notification.
Using subjects such as Voice:Message, Voice Delivery Report, or PBX Message, these emails carry another email as the attachment (to avoid detection by email scanning security solutions), and that attached email contains the actual phish (shown below).
The phishing email appears to come from the legitimate voicemail vendor, RingCentral, but includes a Microsoft logo (no doubt to make the user associate Microsoft with this process; more on that in a moment).
The user is then prompted to click a link to Listen to the voicemail. In reality, the link takes the user to a spoofed Microsoft login page where they are prompted not once, but twice, to log on (likely to ensure the passwords typed match so the cybercriminals can be certain the account details are correct).
As a nice touch, once the logon has completed, a generic voicemail does play, probably to throw users off the scent of this being a scam.
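As an added example (not code from the original article or from any vendor named in it), the Python triage function below flags a message that matches the pattern described above: a voicemail-themed subject combined with a nested email (message/rfc822) attachment, with the links inside the nested email extracted for analyst review. The sample message is constructed for the example and uses the reserved .invalid domain.

```python
import email
import re
from email import policy

# Subject lures named in the article; matched case-insensitively with whitespace collapsed.
VOICEMAIL_LURES = ("voice:message", "voice delivery report", "pbx message")


def is_voicemail_lure(subject):
    """True if the subject line resembles one of the voicemail notification lures."""
    normalized = " ".join((subject or "").lower().split())
    return any(lure in normalized for lure in VOICEMAIL_LURES)


def triage(raw_bytes):
    """Parse a raw RFC 5322 message and report voicemail-lure indicators."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = msg.get("Subject", "")
    # An email attached inside an email is the evasion trick the article describes.
    nested_parts = [p for p in msg.walk() if p.get_content_type() == "message/rfc822"]
    links = []
    for part in nested_parts:
        inner = part.get_payload(0)  # the attached message itself
        body = inner.get_body(preferencelist=("html", "plain"))
        if body is not None:
            links.extend(re.findall(r'href="([^"]+)"', body.get_content()))
    lure = is_voicemail_lure(subject)
    return {
        "subject": subject,
        "lure_subject": lure,
        "nested_email": bool(nested_parts),
        "links": links,
        "suspicious": lure and bool(nested_parts),
    }


# Constructed sample: outer notification with the phish attached as message/rfc822.
SAMPLE = b"""From: pbx@example.invalid
To: user@example.invalid
Subject: Voice Delivery Report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

You have a new voicemail. See the attached message.
--outer
Content-Type: message/rfc822

From: noreply@example.invalid
Subject: New voicemail
Content-Type: text/html

<p>Click <a href="http://login.example.invalid/listen">Listen</a> to hear it.</p>
--outer--
"""
```

Running `triage(SAMPLE)` marks the sample suspicious and returns the single link from the attached message, which is what an analyst would check against the organization's real voicemail vendor domains.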
The danger of scams like this is that they incorporate concepts that are both familiar to corporate users and, in many cases, expected. If your organization has voicemails automatically sent to the users' Inbox, it is not a stretch to believe that one or more users will fall for a scam like this.
Users need to be educated on the common tactics used in scams like this via Security Awareness Training. For example, they would be informed that cybercriminals intent on stealing credentials attempt to tie authentication into the scam experience, and that this is a red flag. This kind of training elevates the users' sense of security, makes them as knowledgeable and, therefore, as suspicious as you would be when seeing phishing emails, and lowers the organization's risk of becoming a victim.