Very few exploits outside of social engineering have been delivered via telephone service, but modern criminals have found a way to incorporate it through a new voicemail phishing (vishing) scam. The modern twist is that the voicemail is delivered as an attachment in an email.
To accomplish this, a bad actor sends a phishing email designed to look like a legitimate notification that the recipient has a voicemail. The fake notification carries a malicious attachment, and when the recipient opens it, the malware executes on the endpoint. Bad actors also use the voicemail phishing scam to harvest credentials. These emails contain a button that, if clicked, leads to a website that looks exactly like the Office 365 sign-in page. If a user types in their login name and password, the information is recorded and ends up in the hands of cybercriminals.
Vishing is just another arm of phishing, and you can protect yourself from becoming a victim using the same tips designed to safeguard against phishing attempts:
- Never click on links or open attachments that look suspicious or come from unknown senders.
- Inspect the email for bad grammar and spelling mistakes.
- Be suspicious of emails requesting login credentials, payment information or sensitive data.
- When in doubt, report the email using the Phish Alert Button in the Microsoft Office navigation bar.
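For mail administrators, the two lures described above (a voicemail notice carrying an attachment, and a button leading to a look-alike Office 365 sign-in page) can be triaged automatically. The sketch below is an added example, not part of the original article; the keyword list, extension list, sign-in host allowlist and the sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed heuristics for illustration; tune them to your own mail flow.
VOICEMAIL_HINTS = re.compile(r"voice ?mail|voice message|missed call", re.I)
RISKY_EXTENSIONS = (".htm", ".html", ".js", ".exe", ".iso", ".zip")
SIGNIN_HINTS = re.compile(r"office ?365|microsoft|sign[- ]?in", re.I)
# Assumed allowlist of hosts that serve the genuine Microsoft sign-in page.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

def triage(raw):
    """Return the reasons a raw message matches the voicemail lure pattern."""
    msg = message_from_string(raw)
    reasons = []
    if not VOICEMAIL_HINTS.search(msg.get("Subject", "")):
        return reasons  # not voicemail-themed, out of scope for this check
    for part in msg.walk():
        # Lure 1: an attachment that is not plain audio.
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append(f"risky attachment: {name}")
        # Lure 2: sign-in themed HTML whose links leave the allowlist.
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            if not SIGNIN_HINTS.search(html):
                continue
            for url in re.findall(r'href="([^"]+)"', html):
                host = (urlparse(url).hostname or "").lower()
                if host not in MS_LOGIN_HOSTS:
                    reasons.append(f"sign-in link to non-Microsoft host: {host}")
    return reasons

def build_sample():
    """Constructed sample message; every value here is made up."""
    m = EmailMessage()
    m["Subject"] = "New voicemail from +1 555 0100"
    m.set_content("You have a new voice message.")
    m.add_alternative(
        '<p>Office 365 voicemail</p>'
        '<a href="https://login.example.invalid/o365">Play message</a>',
        subtype="html")
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="octet-stream", filename="voicemail_0412.wav.html")
    return m.as_string()

if __name__ == "__main__":
    for reason in triage(build_sample()):
        print(reason)
```

A message that returns any reasons is a candidate for quarantine or analyst review, not proof of malice; legitimate voicemail services also send links and attachments.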
Check back for more security best practices and tips.