Protect Your Remote Workers Against New Voicemail Phishing Campaign


With workforces largely remaining partially or fully remote, employees continue to rely on tools for greater efficiency and productivity. Attackers have found a new way to target employees working from home - distributing voicemails within an email that look as if they were generated by old-fashioned telephone systems called Private Branch Exchange (PBX).

A large number of remote workers have already fallen victim to the above-mentioned cyberattack. According to findings made by email security firm IronScales, voicemail phishing attacks (also known as “vishing”) have reached almost 100,000 inboxes across the globe within hundreds of companies across all industries, including real estate, oil & gas, engineering, IT, healthcare, financial services and more. Let us show you how you can get prepared and protect your workforce.

What is the Goal of the “new voicemail message” Phishing Attempt? 

According to IronScales, this is being done with the intention of coercing remote workers into presenting sensitive information—such as Microsoft Office credentials—in order to access the newly-arrived voicemail. These stolen credentials could be leveraged on enterprise websites and platforms to gain access to more valuable information within platforms such as SharePoint, Microsoft Teams and E-Mail. Additionally, the threat actors could also pull information garnered from the voicemails for further social engineering attacks.

How Does it Appear to Attacked Users?

In this example, the “new voicemail message” email looks legitimate because of the images and text in the body of the email. The message displays an “official” Microsoft software logo along with text stating the message comes from a “trusted source.” The scammers take the scam one step further by adding additional content in the email. Some versions of the email scam have a portion of a voicemail transcribed in the email. “Please contact me ASAP about…” is an example. The goal is to convince the recipient that he/she has a new voicemail recording that is too large to send directly via email and to convince the recipient to click on the link in order to enter their credentials. Once the user clicks the link, it will download malware onto their computer or redirect them to a fake credentials form to fill out.

EXAMPLE: Voice Message Notification from Unified Messaging System, source: SoftwareONE

Advice for Companies With or Without Remote Workers

Any company that automatically sends voicemails to employee inboxes, with or without remote workers, remains at considerable risk of falling victim to voicemail phishing attacks. While remote workers do increase the risk even further, any company relying on legacy systems such as PBX should be cautious.

The first step is to make employees aware that such a threat exists. Following this, the right technology can provide a sufficient shield against the threats posed to in-house and remote workers. For instance, software such as an email firewall or Microsoft's M365 Security can detect the background of potentially fraudulent emails, automatically marking them as phishing attacks if and where necessary.
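As an added illustration (not SoftwareONE's or Microsoft's code), the sketch below scores a message for the lure traits described above: a voicemail theme, a "trusted source" claim, Microsoft branding from an outside sender, and links to outside hosts. The trusted-domain list, the weights and both sample messages are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Assumption: domains this organization really uses for mail and sign-in.
TRUSTED = {"example.com", "microsoft.com", "office.com"}
THEME = re.compile(r"voice\s?mail|voice message", re.I)
TRUST_CLAIM = re.compile(r"trusted (source|sender)", re.I)
BRAND = re.compile(r"microsoft|office\s?365", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def base_domain(host):
    # Crude last-two-labels match; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def score_voicemail_lure(raw):
    """Return (score, reasons) for one RFC 5322 message; weights are illustrative."""
    msg = message_from_string(raw)
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
             if p.get_content_maintype() == "text"]
    text = msg.get("Subject", "") + "\n" + b"\n".join(parts).decode("utf-8", "replace")
    sender = base_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    hosts = {urlparse(u).hostname or "" for u in URL.findall(text)}
    external = sorted(h for h in hosts if base_domain(h) not in TRUSTED)
    reasons = []
    if THEME.search(text):
        reasons.append((1, "voicemail notification theme"))
    if TRUST_CLAIM.search(text):
        reasons.append((1, "body asserts it comes from a trusted source"))
    if BRAND.search(text) and sender not in TRUSTED:
        reasons.append((2, "Microsoft branding from untrusted sender " + sender))
    if external:
        reasons.append((2, "links to untrusted hosts: " + ", ".join(external)))
    return sum(w for w, _ in reasons), [r for _, r in reasons]

# Constructed samples, not real campaign messages.
PHISH = """\
From: "Voice Messaging" <pbx@voicemail-notify.example.net>
Subject: New voicemail message (00:42)

<p>Microsoft Office 365. This message is from a trusted source.</p>
<a href="https://login.voicemail-notify.example.net/listen">Play voicemail</a>
"""
BENIGN = """\
From: Facilities <facilities@example.com>
Subject: Office closed Friday

Details: https://intranet.example.com/notice
"""
```

A genuine internal voicemail notice matches only the theme rule and scores 1, so a quarantine threshold of 4 or more separates it from the constructed lure, which scores 6.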

Looking Ahead

Since these attack campaigns are low effort for cybercriminals to automate, voicemail phishing attacks will continue to grow in frequency and complexity over the next year. Microsoft 365 will continue to be a repeated target of this type of occurrence because of its large user base. It’s no secret that phishing attacks can be enormously costly (in the billions of dollars) and destructive, and new scams are appearing every week. According to the annual report of the security firm GreatHorn, 33.9% of white-collar professionals report credential theft attempts bypassed their email security tools, while 32% saw business services spoofing attempts in their inboxes.

Phishing attacks will continue to exploit users within your organization. Aside from practicing good cybersecurity hygiene, your only other defense is to educate your workforce and carefully monitor email traffic. With an experienced cybersecurity expert like SoftwareONE, you are able to detect, block and respond to these attacks. We will help you to protect your Microsoft 365 environment.


Bala Sethunathan

Director, Security Practice & CISO

