You do not want your voice mail accessible from the outside world
Although it may seem convenient to be able to dial into your business phone system to listen to voice mail and reconfigure parts of your phone system, there are a number of dangers that may not be apparent.
Can't Restrict Access
One of the primary risks is that you cannot restrict who connects to your phone system - it is easy to spoof Caller ID, and there is no real way to restrict access to specific calling numbers without very expensive equipment and something called an SS-7 link. Only telecommunications companies and very large companies, universities, and government offices have this level of access to the phone system.
This means that even if you have something in your PBX that allows you to filter by Caller ID, it is an unreliable method of filtering that can be circumvented by anyone with a VoIP account.
Brute-Force Attacks
Any external access methods to your internal phone systems are vulnerable to brute-force attacks, where a computerized system tries every possible passcode to gain access to your voicemail. Someone looking to steal money or customers from your company would find access to the internal voicemail of a company to be an invaluable resource for gathering information. It is trivial to break most voicemail passwords - most voicemail passcodes are 4 digits, and computers are very good at going over a list of possible passwords.
For example, let's take a standard voicemail system with 8 mailboxes and 4-digit passcodes. It takes 30 seconds to connect in and you have three tries at 5 seconds per attempt before it kicks you out. In 41 hours and 40 minutes, a machine could try every possible voicemail code. In 2 weeks of work, they would have access to every voicemail box you have.
Would your system log that many attempts? Yes. But when was the last time you audited your voicemail access logs?
Phone Taps
Another way to gain access to that internal voicemail is to use a phone tap. Yes, they still exist, both for cellular phones and old-fashioned land lines. Anyone who can listen to your phone calls can use a simple device to decode the voicemail passcode - so even using a 6 or 8 digit passcode, which will protect you from most passcode guessing attacks, will not protect you from snooping.
Security of Other Phone Lines
How secure are the phone lines outside your house? Your Gym? Is your cell phone encrypted? If not, someone could have your passcodes without you even knowing.
A Better Alternative
A better alternative that many phone systems offer is having an email sent to you upon receipt of a voicemail that contains a sound file of the message. Just open the attachment to listen to the voice message.
Don't Let Them In!
For someone looking to either attack your company, or use your company as a front for their own purposes, a voicemail box that they can access is a treasure. Don't allow scammers and thieves access to your internal communications!
