Voicemail Phishing Email Scams are Targeting User Passwords



A devilishly ingenious scam plays on your users' familiarity with business voicemail, seeking to compromise online credentials without raising concerns.

Many organizations today have their PBX system integrated with email; miss a call and the recording pops into your Inbox. There is nothing inappropriate about this scenario. But that's exactly what scammers are hoping you'll think when your users receive their email pretending to be an internal voicemail notification.

Using subjects such as Voice:Message, Voice Delivery Report, or PBX Message, these emails carry another email as the attachment, and that attached email contains the actual phish (shown below). The phish is nested this way to avoid detection by email scanning security solutions.

 

[Image: 1-28-19 Blog-pic1]

 

The phishing email appears to come from the legitimate voicemail vendor, RingCentral, but includes a Microsoft logo (no doubt to make the user associate Microsoft with this process – more on that in a moment).

 

[Image: 1-28-19 Blog-pic2]

 

The user is then prompted to click a link to Listen to the voicemail. In reality, the link takes the user to a spoofed Microsoft login page where they are prompted not once, but twice to log on (likely to ensure the passwords typed match so the cybercriminals can be certain the account details are correct).

As a nice touch, once the logon has completed, a generic voicemail does play – probably to throw users off the scent of this being a scam.
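The delivery trick described above, a voicemail-themed subject with the real lure tucked inside an attached email, can be checked for mechanically at the mail gateway or during triage. The following Python is an added example, not code from the original post: it unpacks attached emails recursively and reports links that appear only inside them. The function names, the handling of generic `.eml` file attachments, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines quoted in the article, matched case-insensitively.
LURE_SUBJECT = re.compile(r"voice\s*:\s*message|voice delivery report|pbx message", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def find_links(part, depth=0, subject=""):
    """Yield (depth, subject, url); depth counts how many attached emails wrap the link."""
    if part.get_content_type() == "message/rfc822":
        inner = part.get_payload(0)            # the attached email itself
        yield from find_links(inner, depth + 1, str(inner.get("Subject", "")))
    elif part.is_multipart():
        for sub in part.iter_parts():
            yield from find_links(sub, depth, subject)
    elif (part.get_filename() or "").lower().endswith(".eml"):
        # Assumption: an email may also arrive as a generic file attachment named *.eml.
        inner = message_from_bytes(part.get_payload(decode=True), policy=policy.default)
        yield from find_links(inner, depth + 1, str(inner.get("Subject", "")))
    elif part.get_content_maintype() == "text":
        for url in URL.findall(part.get_content()):
            yield depth, subject, url

def triage(raw_bytes):
    """Return links hidden inside attached emails when the outer subject is a voicemail lure."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    if not LURE_SUBJECT.search(subject):
        return []
    return [url for depth, _, url in find_links(msg, 0, subject) if depth >= 1]

def build_sample(subject="PBX Message"):
    """Constructed sample: a voicemail notice whose only link lives in an attached email."""
    inner = EmailMessage()
    inner["Subject"] = "New voicemail"
    inner.set_content("Listen to the voicemail: https://login.example.invalid/listen")
    outer = EmailMessage()
    outer["Subject"] = subject
    outer.set_content("You have a new voice message. See attachment.")
    outer.add_attachment(inner)                # stored as message/rfc822
    return outer.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

Links returned by `triage` are candidates for URL reputation checks or quarantine review; a scanner that inspects only the outer body would never see them.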

The danger of scams like this is they incorporate concepts both familiar to corporate users and, in many cases, expected. If your organization has voicemails automatically sent to the user's Inbox, it's not a stretch to believe that one or more users will fall for a scam like this.

Users need to be educated on the common tactics used in scams like this via Security Awareness Training. For example, they would be taught how cybercriminals intent on stealing credentials attempt to tie authentication into the scam experience, and that this is a red flag. This kind of training elevates the users' sense of security, makes them as knowledgeable and, therefore, as suspicious as you'd be when seeing phishing emails, and lowers the organization's risk of becoming a victim.

