2021-12-02: Fraudulent Voicemail emails

We've been seeing an increase in fake voicemail emails lately, and I wanted to pass along some guidance on how to tell legitimate voicemail-to-email messages from fraudulent ones.  As always, thanks to those who reported these emails to us!  You may not see them now (even if you did previously), as we have been retroactively deleting the fraudulent messages upon detection.

 

First and most importantly: if you never had voicemail-to-email set up for your office phone, then ANY such email you see is going to be fraudulent.  No need to worry about anything else!

Assuming you do have voicemail-to-email set up, here's how to differentiate these messages using some examples of real and fraudulent voicemails.


The first fraudulent email, shown below, has several red flags which should be a sign that the message is not legitimate.

  1. Legitimate emails from the college voicemail systems have no message text - only a subject line and .wav file attachment.
  2. Legitimate emails (not just voicemails - but any sort of email) will almost never have a .html file attachment.  This is why the orange caution banner has been added.
  3. The message says "This sender has been verified from safe senders list".  This was just text and color added by the scammer to the message body.  A genuine message never carries an indication that it is 'safe', since no system can be 100% certain of that.  Any statement in the body of the message that it is "safe" is a warning on its own!
  4. The from address has absolutely nothing to do with the college or any company I've ever heard of.


The second fraudulent email below is much shorter but still has some warning signs, though fewer, since they kept the email so short.

  1. They used 'Newpaltz' in the From address, but the domain name has nothing to do with New Paltz.
  2. There's another .html attachment - another warning sign (though I need to find out why the warning banner didn't get attached....).

 

Let's say you actually opened that attachment though.  What would you see?  Below is a screenshot of the attachment.

  1. In the screenshot the red text/arrows and box around "Click to Listen" were added by me to highlight something.  If you hover over the "Click to Listen" link you'll see the actual destination is some random website that obviously has nothing to do with the college.
  2. The message says "2021 Intellectual Property. All Rights Reserved".  Cybercriminals love throwing random copyright/trademark or similar statements in their messages as they believe it makes them more legitimate.
  3. What is "Mailbox 301"?  I can guarantee that no one on-campus has a three-digit phone extension, so it's definitely unrelated.

 

 


Here are two examples of voicemail-to-email that are ACTUALLY from our voicemail system.

In the first message - I've highlighted the fact that there is no message body - only a single .wav file attachment called VoiceMessage.wav.  ALL voicemail-to-email from the campus system looks like this.

The only difference between the internal and external examples is the subject line.  In internal messages, it will show the campus 4-digit extension, and the name or department name of the caller.  In the latter message I called from our server room as a test.
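The red flags listed in this article can also be checked mechanically by a mail filter or a triage script. The Python below is an added example, not code from the college's mail or voicemail system; the function name, flag names, the `campus.example` domain and both sample messages are constructed for illustration, and the real sender domain of the voicemail system is an assumption you must supply.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

def voicemail_red_flags(raw, campus_domain, campus_name):
    """Return the article's red flags found in one raw voicemail-style email."""
    msg = message_from_bytes(raw, policy=policy.default)
    flags = []
    display, addr = parseaddr(str(msg["From"]))
    local, _, domain = addr.rpartition("@")
    if domain.lower() != campus_domain:            # assumed legitimate sender domain
        flags.append("from-domain-not-campus")
        if campus_name.lower() in (display + local).lower():
            flags.append("campus-name-on-foreign-domain")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body else ""
    if text:                                       # real voicemails have no message text
        flags.append("has-body-text")
    if re.search(r"\b(safe|verified)\b", text, re.I):
        flags.append("claims-to-be-safe")
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if any(n.endswith((".html", ".htm")) for n in names):
        flags.append("html-attachment")
    if names != ["voicemessage.wav"]:              # exactly one VoiceMessage.wav expected
        flags.append("not-single-VoiceMessage.wav")
    return flags

def sample(sender, body, filename, maintype, subtype):
    """Build a constructed test message (not a real campus email)."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, "constructed sample"
    if body:
        m.set_content(body)
    m.add_attachment(b"\x00", maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()

LEGIT = sample("Voicemail <voicemail@campus.example>", "",
               "VoiceMessage.wav", "audio", "wav")
FAKE = sample("Newpaltz Voicemail <alerts@unrelated.example>",
              "This sender has been verified from safe senders list",
              "listen.html", "text", "html")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("fake", FAKE)):
        print(label, voicemail_red_flags(raw, "campus.example", "newpaltz"))
```

An empty result only means none of these specific flags fired; it does not mark a message as safe.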

 

Example of a voicemail from an external caller:

 

Example of a voicemail from an internal caller:

 

Another example of an internal sender.  Below is how it would look if you got a voicemail from another person on-campus with voicemail set up:

 

Details

Article ID: 139940
Created: Thu 12/2/21 9:36 AM
Modified: Mon 5/13/24 10:58 AM