Scammers are taking advantage of COVID-19 pandemic to spread a voicemail email phishing scam when most users across the globe are working from home.
The COVID-19 pandemic has changed the way we live, communicate, and work. Workforces across the world are currently relying on digital communication platforms like Zoom, Microsoft Teams, Slack, and Private Branch Exchange (PBX) to perform their day-to-day official duties and work remotely.
However, malicious threat actors are also aware of this fact and are trying their level best to benefit from the current situation.
According to email security firm IronScales, companies using PBX telephone systems to enable communication and information sharing between their employees are the prime targets of sophisticated phishing attacks that can evade email security quite convincingly.
IronScales identified around 100,000 new phishing campaigns in May 2020 delivering fake PBX notifications to steal login credentials. These campaigns are targeting “hundreds of enterprises” from almost every sector including engineering, real estate, IT, oil & gas, health care, financial services, and IT, etc.
PBX is a handy tool that sends voice message recordings directly to an employee’s email account and eliminates the need to access official landlines. Employees can retrieve important voicemails by integrating PBX with their company’s email client.
Exploiting this mechanism, attackers are sending malicious emails under the guise of PBX voice notifications featuring custom subject lines containing the name of the company or employee name to pass the authenticity test.
Here are two screenshots shared by IronScales showing how the email looks like:
Through such subject lines, attackers are trying to bypass email defenses like SEGs, Reporting and Conformance system, and the Domain-based Message Authentication (DMARC). Since there is no attachment in the email, the messages do not raise an alarm and are freely allowed through.
The main objective behind this campaign is to obtain PII (personally identifiable information), login credentials, and critically important business data. It is very important that employees are trained to identify a phishing email, and companies should implement such security systems that can recognize phishing scams.
If your organization automatically sends voicemails to workers inboxes, then your company is at risk of falling victim to this scam. As we know, if an email looks real then someone will fall for it, the company warned in its blog post.