Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    Voicemail Phishing Email Scams are Targeting User Passwords

    A devilishly ingenious scam plays on your user’s familiarity with business voicemail, seeking to compromise online credentials without raising concerns.

    Many organizations today have their PBX system integrated with email; miss a call and the recording pops into your Inbox. Nothing inappropriate with this scenario. But, that’s exactly what scammers are hoping you’ll think when your users receive their email pretending to be an internal voicemail notification.

    Using subjects such as Voice:Message, Voice Delivery Report, or PBX Message, these emails contain another email as the attachment (to avoid detection by email scanning security solutions) containing the actual phish (shown below).

     

    1-28-19 Blog-pic1

     

    The phishing email appears to come from the legitimate voicemail vendor, RingCentral but includes a Microsoft logo (no doubt, to make the user associate Microsoft with this process – more on that in a moment).

     

    1-28-19 Blog-pic2

     

    The user is then prompted to click a link to Listen to the voicemail. In reality, the link takes the user to a spoofed Microsoft login page where they are promoted not once, but twice to logon (likely to ensure the passwords typed match so the cybercriminals can be certain the account details are correct).

    As a nice touch, once the logon has completed, a generic voicemail does play – probably to throw users off the scent of this being a scam.

    The danger of scams like this is they incorporate concepts both familiar to corporate users and, in many cases, expected. If your organization has voicemails automatically sent to the users Inbox, it’s not a stretch to believe that one or more users will fall for a scam like this.

    Users need to be educated on the common tactics used in scams like this via Security Awareness Training. For example, they would be informed on how cybercriminals intent on stealing credentials attempt to tie in authentication into the scam experience, and that this is a red flag. This kind of training elevates the users sense of security, makes them as knowledgeable and, therefore, as suspicious as you’d be when seeing phishing emails, and lowers the organizations risk of becoming a victim.

    Find out how affordable new-school security awareness training is for your organization. Get a quote now.

     
    Get A Quote
    Request A Demo
     

     

    Return To KnowBe4 Security Blog

    Topics: Phishing, Password Security

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews