Voicemail-Themed Phishing Attacks on the Rise

voicemail phishing attackResearchers at Zscaler warn of an increase in voicemail-themed phishing campaigns designed to steal credentials for enterprise applications. The emails purport to be automatically generated notifications from enterprise applications, like Office 365 and Outlook, informing recipients that they’ve received a voicemail from a caller. The messages include an HTML attachment that will redirect the user to the phishing site, where they’ll be asked to enter their credentials in order to log in and hear the message.

Interestingly, Zscaler found that one of these campaigns used Google’s reCAPTCHA to prevent web crawlers from accessing the site and flagging the site as malicious.

The researchers also observed a campaign that spoofed Cisco’s Unity Connection voicemail portal using the domain “secure[.]ciscovoicemail[.]cf.“ When the user clicks to listen to their voicemail, they’ll be taken to a page that asks them to select their email provider from a list of options: Office 365, Mimecast, Outlook, Gmail, Yahoo, and “Others.” Clicking on any of these options would take the user to a phishing page that spoofed the login page of the service they selected. Choosing “Others” would present the user with a generic login portal.

Zscaler concludes that users should follow security best practices in order to avoid falling for these attacks.

“This threat actor leverages well-crafted social engineering techniques and combines them with evasion tactics designed to bypass automated URL analysis solutions to achieve better success in reaching users and stealing their credentials,” the researchers write. “As an extra precaution, users should not open attachments in emails sent from untrusted or unknown sources. As a best practice, in general, users should verify the URL in the address bar of the browser before entering any credentials.”

It’s also worth noting that voicemail-themed phishing campaigns aren’t new, but the fact that they’re growing more common means this tactic is still effective. If a user knows that attackers frequently use fake voicemail notifications as phishbait, they can recognize these attacks immediately. New-school security awareness training can help your employees stay up-to-date with evolving phishing trends, as well as teaching them about the fundamentals of social engineering.

Zscaler has the story.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before the bad guys do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:


Subscribe To Our Blog

Ransomware Hostage Rescue Manual

Get the latest about social engineering

Subscribe to CyberheistNews