Warning Sign - Malware Ahead
Home Malware RingCentral “New Fax Message” Malware Email

RingCentral “New Fax Message” Malware Email

by Brett M. Christensen


Email purporting to be from Internet fax service RingCentral claims that the recipient has a new fax message that can be viewed by opening an attached file.

Brief Analysis

The email is not from RingCentral and the attachment does not contain a fax message. Instead, the attachment harbours malware. Once installed, this malware may harvest sensitive information from the compromised computer and download other dangerous malware components. If you receive this message, do not click any links or open any attachments that it contains.


You Have a New Fax Message
From: [Removed]
Received: Tuesday, April 8, 2014 at 9:34 AM
Pages: 1
To view this message, please open the attachmentThank you for using RingCentral.Ring central Fax Malware Email


Detailed Analysis

This email, which purports to be from the Internet-based fax service, RingCentral, claims that recipients have been sent a new fax message. The email invites recipients to open an attached .zip file to view the fax message.

However, RingCentral did not send the email and the attachment does not contain a fax message as claimed.

Those who go ahead and open the attached .zip file will find that it contains what may appear to less computer literate users to be a harmless .pdf. These users may expect a fax message transcript to be a .pdf and therefore click to open it without due caution. However, the file actually has a double extension (.pdf.exe). Thus, by opening the file, users are actually installing malware on their computers. 
The precise payload in these malware emails may vary. Typically, however, the malware can collect sensitive personal and financial information from the compromised computer and relay it to remote servers operated by criminals. It may also download and install other malware such as ransomware.

The fake fax notification email ruse has been used several times in the past by online criminals intent on distributing malware.

At one time, fax machines were used extensively for business communications. But reliance on the machines has lessened considerably as newer technologies have emerged. However, should the need arise, faxes can still be sent and received via online fax services such as RingCentral.

Because online fax services do generally notify people of incoming faxes via email, criminals often send emails pretending to be from such services to trick people into installing malware.

If you receive such an email, do not open any attachments or click any links that it contains. Instead, log in to your online fax service account by entering the account address into your browser’s address bar.  If you really did receive a fax, you should be able to safely access and view it via the service’s website.

Importance Notice

After considerable thought and with an ache in my heart, I have decided that the time has come to close down the Hoax-Slayer website.

These days, the site does not generate enough revenue to cover expenses, and I do not have the financial resources to sustain it going forward.

Moreover, I now work long hours in a full-time and physically taxing job, so maintaining and managing the website and publishing new material has become difficult for me.

And finally, after 18 years of writing about scams and hoaxes, I feel that it is time for me to take my fingers off the keyboard and focus on other projects and pastimes.

When I first started Hoax-Slayer, I never dreamed that I would still be working on the project all these years later or that it would become such an important part of my life. It's been a fantastic and engaging experience and one that I will always treasure.

I hope that my work over the years has helped to make the Internet a little safer and thwarted the activities of at least a few scammers and malicious pranksters.

A Big Thank You

I would also like to thank all of those wonderful people who have supported the project by sharing information from the site, contributing examples of scams and hoaxes, offering suggestions, donating funds, or helping behind the scenes.

I would especially like to thank David White for his tireless contribution to the Hoax-Slayer Facebook Page over many years. David's support has been invaluable, and I can not thank him enough.

Closing Date

Hoax-Slayer will still be around for a few weeks while I wind things down. The site will go offline on May 31, 2021. While I will not be publishing any new posts, you can still access existing material on the site until the date of closure.

Thank you, one and all!

Brett Christensen,