QR Code & Fake Voicemails Target Users

Researchers at Check Point Harmony Email have discovered a surge in cyberattacks involving fake voicemails. According to the company's report, cybercriminals are exploiting the links between corporate phone systems and email servers, embedding malicious links in voicemail playbacks for credential harvesting.

Scammers are increasingly using voicemail as a lure to trick users into clicking malicious links; one tactic is creating legitimate-looking voicemail notifications. Because corporate phone systems are tied to email, scammers exploit that connection to deliver a voicemail recording hyperlinked to a malicious page. In this case, 1,000 attacks have been reported during the last two weeks.

In this attack, scammers use social engineering to send QR codes with conditional routing based on the recipient's device, targeting any end user. The email analyzed by Check Point researchers appeared to come from the payment processor Square; in reality, the name was used only to mislead users.

Moreover, the email's subject line contained a phone number that a Google search showed to be illegitimate. The email also included an embedded MP3 player holding the voicemail; when clicked, it redirected users to a credential harvesting page.
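The indicators just described (a phone number in the subject line, an embedded audio player, a well-known brand in the display name, and a link that leads somewhere other than the sender's own domain) can be turned into a simple mail-gateway heuristic. The following scorer is an added example written for this article, not Check Point's or Hackread's code; the patterns, weights, threshold, brand allow-list and the two sample messages are all constructed assumptions for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Heuristics modelled on the indicators described in the article; the
# patterns, weights and threshold are assumptions, not a vendor rule set.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
VOICEMAIL_RE = re.compile(r"<audio\b|\.mp3\b|voice ?mail|voice message", re.I)
QR_RE = re.compile(r"\bqr\b|scan (?:the|this) code", re.I)
LINK_RE = re.compile(r'(?:href|src)=["\']([^"\']+)["\']', re.I)
# Hypothetical allow-list: brand keyword -> domains allowed to send as that brand.
BRAND_DOMAINS = {"square": {"squareup.com"}}
THRESHOLD = 4


def same_org(host, domain):
    """True when a link host is the sender's domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def score_voicemail_lure(raw_message):
    """Score one RFC 5322 message and return the reasons and a verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    subject = str(msg.get("Subject", ""))
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""

    score, reasons = 0, []

    if PHONE_RE.search(subject):
        score += 1
        reasons.append("phone number in subject line")

    if VOICEMAIL_RE.search(body):
        score += 1
        reasons.append("embedded audio / voicemail wording in body")

    if QR_RE.search(body):
        score += 1
        reasons.append("QR code lure in body")

    # Links (href and audio src) that point outside the sender's own domain
    foreign = set()
    for link in LINK_RE.findall(body):
        host = urlparse(link).hostname
        if host and not same_org(host.lower(), sender_domain):
            foreign.add(host.lower())
    if foreign:
        score += 2
        reasons.append("links outside sender domain: " + ", ".join(sorted(foreign)))

    # Display name claims a brand the sender domain is not allowed to use
    name = display_name.lower()
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in name and sender_domain not in allowed:
            score += 2
            reasons.append(f"display name claims '{brand}' but sender is {sender_domain}")

    return {"score": score, "reasons": reasons, "suspicious": score >= THRESHOLD}


# Constructed sample: a brand-impersonating voicemail lure (all domains invented).
PHISH_SAMPLE = """\
From: "Square Voicemail" <notifications@sq-voice-alerts.example>
To: finance@corp.example
Subject: New voice message from (555) 014-2231
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have a new voicemail (0:42). Listen below or scan the QR code on mobile.</p>
<audio controls src="https://cdn.sq-voice-alerts.example/vm/8841.mp3"></audio>
<a href="https://login-squareup.example/verify">Play voicemail</a>
</body></html>
"""

# Constructed sample: a legitimate notification from an internal PBX.
BENIGN_SAMPLE = """\
From: "PBX Notifications" <pbx@corp.example>
To: finance@corp.example
Subject: New voicemail in mailbox 214
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have a new voicemail (0:12).</p>
<a href="https://pbx.corp.example/voicemail/214">Open in portal</a>
</body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_voicemail_lure(sample))
```

The benign internal notification scores only on the "voicemail" wording, while the lure collects points for the phone number in the subject, the audio player, the QR prompt, the off-domain login link and the Square display name on an unrelated sending domain. In a real deployment the domain comparison would use a registrable-domain list rather than a plain suffix match, and the verdict would feed a URL emulation or sandbox step rather than a hard block.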

This attack relies on user participation. Apart from zero-click attacks, any successful phishing attack requires user input: users must reply, click on links, or enter information for the attack to progress. This gives scammers room to experiment with creative options, such as impersonating a reputable brand and using voicemails. They observe user behaviour and adjust their attacks accordingly to improve the phishing campaign's success rate.

Hackread has been reporting a rising trend of combining voice and phishing, aka vishing, to trap unsuspecting users into giving away sensitive data. We earlier reported on Check Point researchers identifying a vishing campaign targeting users in South Korea with new Android malware dubbed "FakeCalls." Cybercriminals tricked users into sharing sensitive financial information through fake calls supposedly made by legitimate financial organizations. This is part of a growing global threat to mobile banking customers that uses sophisticated social engineering techniques to make calls seem legitimate.

During the COVID-19 pandemic, email security firm IronScales discovered around 100,000 new phishing campaigns targeting companies that use PBX telephone systems for communication and information sharing. These scams, which targeted work-from-home employees in sectors such as engineering, real estate, IT, oil & gas, healthcare, and financial services, involved voicemail email phishing.

Vishing, or voice phishing, uses telephone calls to trick users into disclosing financial and personal information, such as account numbers and passwords. Fraudsters may claim an account has been compromised, pose as banks or law enforcement, or offer help installing software. Protecting yourself involves awareness, hanging up if asked for personal information, and calling back a trusted source independently. Security professionals can implement AI-based security, check and emulate all URLs, and use multiple layers of protection.