Don’t Get Tricked: Phishing Attacks Pretending to be Voicemail Attachments

Human beings are naturally inquisitive creatures, which makes it all the easier for us to be convinced of different things. Cereal mascots promise wild flavors that will send kids on a Mom-approved adventure, magazine covers promise countless sure-fire ways to be rid of that stubborn belly fat, and—more sinisterly—phishing attacks promise to be something that they are not. As hackers have found, this tactic has proven to be worth investing time in.

Before we go in too deep with the details, it will help to first establish what phishing is at its core. Simply put, phishing is a simple means of attacking someone via a deceitful message that appears to have come from someone else.

For instance, phishing attacks may appear to come from a financial institution or online service that is requesting that you check into your account to spot an issue, or seem to be a message from someone up the corporate ladder asking you to do them a favor and send over some data or payment confirmation. Both examples have proven quite common over the years amongst hackers and other online scammers.

Many hackers will use every trick in the book to design their trap to make it as effective as possible. While phishing attempts can come in the form of text messages, social media posts, voice calls, and advertisements, the most well-known form of it is email. Here, however, I wanted to shine a light on another phishing method that has come to my attention… and, if I’m being honest, a bit to my surprise.

Phishing Through Voicemail

Yes, you read that right. As I am sure you are aware, many modern phone systems (especially with Voice over Internet Protocol being a popular way of establishing a connection) can now direct your incoming voicemails to your email. So many of us already spend so much time in our inboxes, it only makes sense for us to check our missed communications in one place.

Unfortunately, this has not been missed by hackers, who have taken it upon themselves to target businesses with phishing attempts disguised as email notifications for a new voicemail message.

Designed to look like a legitimate notification, the email you receive will have a subject line that reads something like “New Voicemail from: [Phone Number here]” and include a file that would appear to be an audio clip for you to listen to, or a button to let you download the presumed audio file.

However, instead of your missed call, that file is instead a bundle of malware, or a link to a malicious site. This is how voicemail phishing works in a nutshell, and it is something that you need to avoid.

How to Avoid Voicemail Phishing

As is the case with all phishing, you simply need to know what to look out for while acknowledging that it is only going to get harder to do as attackers refine their efforts. Currently, your best option to help you avoid fraudulent phishing attacks is to have your legitimate voicemails labelled as such in your inbox.

Some VoIP systems send you these email notifications from a specific address with an equally specific subject line. By creating a filter or rule based on one you know is real, you will be able to determine how legitimate the ones you get in the future are by seeing whether or not they are labelled as they come in.

Find some of your older email notifications that you know are genuine. Take note of the sender’s address and how the subject line is filled out, as this will tell you what to include in the filter/rule we’re about to create.

Gmail

• Behind the Gear icon, access your Settings.
• Under Filters and Blocked Addresses, find Create a New Filter.
• Fill out the details to include any consistencies you were able to identify, like the email address the notifications were sent from and phrases used in the subject line.
• Click Create Filter.
• On the following screen, do what you can to make these messages stand out. Maybe have your filter assign them to a new label called “Voicemail”, or star them as they come in.
• To wrap up, click Create Filter one last time.

Outlook

• Find an actual voicemail notification email and, after right-clicking it, go to Rules and then Create Rules…
• Fill out the details to include any consistencies you were able to identify, like the email address the notifications were sent from and phrases used in the subject line.
• In the section marked Do the Following, make sure that Move Item to Folder is checked and that you’ve selected/created a folder called Voicemail.
• Click Okay to finalize your changes.

With any luck, doing this will help you by sorting out the good stuff for you to attend to, but that doesn’t mean you can become lax in your awareness of spam and phishing. For additional help in resolving these threats, reach out to us. There are options waiting for you at Reciprocal Technologies, so call 317-759-3972 to see what we can do.