During the past several weeks I've been the recipient of voice mail messages emailed to me from companies that I didn't recognize. At first glance, I thought perhaps it was a PR stunt to entice me to hear about each company's UC offerings or some advantage they have over another. While I didn't bite on these unenticing opportunities, I can't help but wonder how many users did ... because in these instances, they were not friendly.
After looking at the email message headers I decided to email both companies using their posted [email protected] addresses, and I received replies from each confirming that these messages were not from their firms and to avoid opening them. Spoofing of UC firms and using their logos and copies of their formatted messages sent out to customers is nothing new, but they are using new hooks to unsuspecting users that will likely click away. For examples of past and recent exploits:
• ADP Blackhole exploit mentioned here
• Microsoft exploit mentioned here
• Skype Angler exploit mentioned here
• YouMail exploit mentioned here
But phishing and malware isn't the only concern with administering efficient and safe UC platforms. In one example of integrating with Office 365 cloud service, use SMTP over TLS, instead of POP or default SMTP accounts that are used less securely in other client applications and services. Another preventative step is to use security policies to lock down the allowable IPs that your voice mail notices.
A simple and preventive measure is adding a key message or verbiage to the subject line that employees will recognize. This doesn't safeguard anything or secure the voice mail message, but it can aid in a marginal sense - until the bad guys start doing the same thing. User desktops may be protected at the office, but what about at their homes and on their smartphones? As in past exploits that extract address books, there is now certainly more sensitive information in smartphones than ever before. Are sensitive voice mail messages being left for enterprise users, and if so, what kind of potential liability or disruption and damage to businesses does this present?
Voice mail via email presents numerous potential issues. With the use of smartphones, home computers and other devices/services that users want to use –come risks to the enterprise. FAX provided by our hosted provider Jive Communications requires a security code in the email message header's subject line that is authenticated. Whenever we push out faxes via email, we are required to use a security code, and the code is administered by us and can be changed as often as we like.
Follow Matt Brunk on Twitter and Google+!
@telecomworx
Matt Brunk on Google+
