Welcome to Unhook the Phish, a series presented by the Fermilab Cybersecurity Team. This series offers a deep dive into common email scams (or “phishing”) by explaining the traditional features of these messages, how they try to trick you and easy ways to spot them in your inbox. If you ever suspect that you have received a malicious email, please forward it to the Cybersecurity Team at firstname.lastname@example.org. By doing so, you will be entered to win a collectible Fermilab trading card as a token of appreciation for your efforts.
Social engineering, the process of tricking people into doing something they wouldn’t normally do, is most effective when attackers are able to leverage current events to trigger an emotional response in their victims. As people are working from home and getting accustomed to new technology and new ways of communicating in an uncertain world, attackers are taking advantage of confusion and stress by using voicemail phishing. One report indicates that over 100,000 mailboxes have been targeted with voicemail phishing scams during the COVID-19 pandemic.
Since much of the workforce is telecommuting full time, business calls are generally received via phone software on computers rather than on physical desk phones in the office. Attackers send emails claiming to be from a voicemail or phone service, stating that you missed a call and that you can retrieve the voicemail message by clicking on a link or viewing an attachment. However, instead of taking you to an actual voicemail, the link or attachment will take you to a form designed to steal your credentials or will launch malicious code on your computer.
Currently, Fermilab’s phone software does not send emails to inform you of missed calls. It is all handled in the software itself, so any time you receive an email claiming to contain a voicemail, you can dismiss it as a scam. Please report these (and any other phishing attempts) to the Cybersecurity Team at email@example.com.
It is especially important to be vigilant when reviewing emails so that you do not fall for the latest social engineering attacks. Be sure to add the following tips to your antiphishing toolbox to help you avoid these scams.
- Learn about Fermilab’s software phone service, Cisco Jabber, by following the instructions in this article. Learning about Cisco Jabber will help you operate the phone software and learn what legitimate voicemails will look like. Currently, Fermilab’s phone software does not send emails to inform you of missed calls, so you can dismiss any emails you receive claiming to contain a voicemail. If you think you should be getting a legitimate phone call, go straight to the phone app on your computer. You will be able to see and play all real voicemails there and return the call accordingly. Bypassing a suspicious-looking email and instead going straight to the phone app is the safest way to access your voicemail.
- Slow down when you are reviewing emails and take time to analyze the contents of the messages. Ask yourself questions as part of this process, such as: Am I expecting a voicemail? Do I normally receive notifications about missed calls via email? Do I recognize the sender? Does it make sense that I’d be getting an email claiming to be from Office 365 regarding a voicemail? If you are not sure how to answer these questions, seek alternative methods (see below) to find out more information and do not click on anything in the message.
- Call back individuals with the number you have on file. If you are expecting a call from someone and you think a voicemail may be from them, return the call with the number you have on file instead of using a number provided in a suspicious message or clicking on a link. By doing this, you will be talking to the legitimate caller and not compromising your workstation or communicating with an attacker.
- Communicate with your Fermilab colleagues regarding any phishing messages you receive. It is unlikely that you are the only person in your group or department to have received a phishing message, so warning others at the lab will help protect them against similar threats.
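The review questions above can also be applied mechanically, for example by a mail team triaging reported messages. The following is an added example, not code from the article or from Fermilab: it parses a raw message with Python's standard `email` library and flags the signals the tips describe (a voicemail or missed-call claim, a link or attachment offered to "retrieve" it, and a sender outside the organisation). `ORG_DOMAIN`, the lure wording, and both sample messages are assumptions constructed for the demo.

```python
import email
import re
from email import policy

# Assumption: placeholder for the organisation's own mail domain, not Fermilab's real one.
ORG_DOMAIN = "example.org"
# Lure wording of the kind the article describes; tune for your environment.
LURE_RE = re.compile(r"\b(voice ?mail|missed call|new (voice )?message)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def triage_voicemail_lure(raw: str) -> dict:
    """Apply the article's review questions to one raw message; returns signals + verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    sender = msg.get("From", "")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    attachments = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]
    sender_domain = sender.rsplit("@", 1)[-1].strip("> ").lower()
    signals = {
        "claims_voicemail": bool(LURE_RE.search(subject) or LURE_RE.search(text)),
        "has_link": bool(URL_RE.search(text)),
        "has_attachment": bool(attachments),
        "external_sender": sender_domain != ORG_DOMAIN,
    }
    # The article's rule: the lab's phone software never e-mails about missed calls, so a
    # voicemail claim is itself the tell; a link or attachment to "retrieve" it is the hook.
    if signals["claims_voicemail"] and (signals["has_link"] or signals["has_attachment"]):
        verdict = "phish"
    elif signals["claims_voicemail"]:
        verdict = "suspicious"
    else:
        verdict = "no-voicemail-lure"
    return {"verdict": verdict, "sender_domain": sender_domain, **signals}

# Constructed sample messages for the demo (not real phish).
LURE = """From: Voicemail Service <no-reply@mailer.example.net>
Subject: You have 1 new Voicemail from (630) 555-0143
Content-Type: text/plain; charset="utf-8"

A missed call was recorded. Listen here: https://vm-portal.example.net/play?id=123
"""
BENIGN = """From: Pat Colleague <pat@example.org>
Subject: Slides for the Thursday talk
Content-Type: text/plain; charset="utf-8"

They are on the shared drive: https://drive.example.org/s/abc
"""
```

Calling `triage_voicemail_lure(LURE)` yields verdict `phish`, while the internal message with a link but no voicemail claim yields `no-voicemail-lure`; a link alone is not the tell, the voicemail claim is.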
The following screenshots show some examples of voicemail phishing scams.
Looking for more information about phishing and other cybersecurity resources? Check out our website: securityawareness.fnal.gov. Email us at firstname.lastname@example.org for general questions and to report phish.
Jessie Pudelek is a computer security analyst at Fermilab.