As individuals and businesses become increasingly dependent on video conferencing to stay connected during the Covid-19 outbreak, fraudsters have used the opportunity to target users with a malicious Zoom phishing scam.
The Zoom phishing scam begins with an email that impersonates a notification from the video conferencing platform. The email tries to hook the recipient with one of several pretexts:
- you have recently missed a scheduled meeting, and should click the link for more details and to access a recording of the meeting,
- your account has been suspended (but can be reactivated by clicking on the attached link),
- you missed a meeting (but can click on the link to find out the details and schedule), or
- Zoom is welcoming you (but you need to click on the link to activate your account).
By informing the user that the meeting has been missed, the Zoom phishing scam aims to provoke a sense of urgency and panic to encourage recipients to click on the malicious link, a key trait of many similar phishing scams.
With more people working from home than ever before, it is likely that targets are more willing to trust such emails, as daily online meetings and video conferencing become part of the new normal for remote workers.
In an effort to provoke further urgency, the message also states that Zoom will only keep the message for 48 hours, after which it will be deleted.
When the link has been clicked, recipients of the phishing scam are directed to a fake Zoom login page which mimics a genuine Zoom sign-in page. However, this page asks the victim to log in using their work email credentials.
The instructions state: “Zoom now allows you to join and host meetings without signinup. Simply continue with your organization email login to proceed.”
Although the spoof login page mimics Zoom’s branding, the page contains red flags, such as an unusual URL, non-functioning links, and spelling mistakes in the instructions.
If an unsuspecting victim enters their enterprise login details, their credentials will be harvested and can then be sold on the dark web, held for ransom, or used to compromise other accounts which may contain sensitive information.
A report earlier this month found that more than 500,000 stolen Zoom accounts were being bought and sold on the dark web for as little as $0.002 per account. Some accounts, the report claims, are even being shared for free to be used for Zoom-bombing and other malicious activities.
Given the current situation, people regularly receive meeting notifications and invitations from various video conferencing software. In a recent announcement, Zoom founder and CEO Eric S. Yuan stated that the video conferencing platform surpassed 300 million daily Zoom meeting participants, many of them from enterprise users.
As such, the surge in video conferencing has created the perfect circumstances for opportunistic fraudsters to exploit those working from home.
Email security researchers say this particular attack has successfully found its way into more than 50,000 mailboxes.
With 90% of all data breaches caused by phishing, and 3.4 billion fake emails sent every day, users must remain cautious and vigilant. Despite the increasing sophistication of these emails, there are a number of ways to avoid falling for a phishing scam.
How to Avoid Falling For a Phishing Scam
- Never click on links or download attachments without confirming the source.
- Verify the authenticity of links and pay close attention to URL addresses. Many bad actors will host landing pages on unrelated URLs.
- Avoid logging in from the links provided in emails. Instead, log in directly to the requested website.
- Always take time to think about a request for your personal information, and whether the request is appropriate.
- Pay close attention to the spelling of an email or web page. If there are any inconsistencies, users should be cautious.
- Ignore and delete emails with unexpectedly poor grammar and formatting.
- Question the validity of any email that asks you to submit personal or financial information.
- Use strong passwords to reduce the chance of devices being hacked.
- Consider the use of a password manager to maintain the security of multiple accounts.
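As an added example (not from the article or either source it cites), the following Python routine applies the article's own checks to one email: is the sender domain zoom.us or zoom.com, do the links point to Zoom's domains or elsewhere, and does the body carry the urgency wording described above. The message and the `.example` hosts in it are constructed for the example; `.example` is a reserved name, not a real site.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

LEGIT_DOMAINS = ("zoom.us", "zoom.com")  # legitimate domains named in the article
# urgency wording the article describes; a cue alone only raises the verdict to "review"
URGENCY_CUES = ("missed", "suspended", "48 hours", "deleted", "activate your account")

# constructed sample message; the .example hosts are reserved names, not real sites
SAMPLE = """\
From: Zoom <no-reply@zoom-meetings-notice.example>
Subject: Missed Zoom meeting recording
Content-Type: text/html; charset=utf-8

<p>You recently missed a scheduled meeting. Zoom will keep this message for 48 hours, after which it will be deleted.</p>
<a href="https://zoom-login.example/signin">View recording</a>
"""

def same_registrable_domain(host: str, legit: str) -> bool:
    # True for legit and its subdomains; false for look-alikes such as
    # "zoom.us.example" (legit used as a prefix) or "notzoom.us"
    host = host.lower().rstrip(".")
    return host == legit or host.endswith("." + legit)

def is_legit_host(host: str) -> bool:
    return any(same_registrable_domain(host, d) for d in LEGIT_DOMAINS)

def triage(raw_message: str) -> dict:
    """Collect the article's red flags from one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    senders = msg["From"].addresses if msg["From"] else ()
    sender_domain = senders[0].domain.lower() if senders else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    hrefs = re.findall(r'href=["\']?(https?://[^"\'\s>]+)', text, flags=re.I)
    hosts = [urlparse(u).hostname or "" for u in hrefs]
    return {
        "sender_domain": sender_domain,
        "sender_is_legit": is_legit_host(sender_domain),
        "suspicious_links": [h for h in hosts if not is_legit_host(h)],
        "urgency_cues": [c for c in URGENCY_CUES if c in text.lower()],
    }

def verdict(report: dict) -> str:
    # Zoom-branded mail whose sender and links both sit outside Zoom's domains
    if not report["sender_is_legit"] and report["suspicious_links"]:
        return "suspicious"
    if report["suspicious_links"] or report["urgency_cues"]:
        return "review"
    return "ok"
```

The suffix check in `same_registrable_domain` matters: a plain substring test would accept a host like `zoom.us.example`, which is exactly the kind of unrelated URL the advice above warns about.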
Improve Staff Cyber Security Awareness
To help organisations mitigate the risk of cyber threats during this time of uncertainty, MetaCompliance has launched a free guide detailing 10 practical tips on how to improve staff Cyber Security awareness right now.
In this guide, you will learn:
- How to develop a robust Cyber Security awareness plan that decreases the risk of a data breach
- What is required for a Cyber Security awareness program to be effective
- Practical tips to improve staff Cyber Security awareness, that you can start implementing today
Click here to access your 10 Ways to Improve Staff Cyber Security Awareness guide.
Protect Your Organization Against Phishing
For further information on how you can protect your business from phishing attacks, download our free Ultimate Guide to Phishing.
According to the IT security company Check Point Software Technologies, 16,004 Zoom-related domains were registered between late April and today. Con artists are impersonating Microsoft Teams and Google Meet, too.
“For people who are in this business of doing phishing schemes, it becomes the scam du jour. What’s popular now? How can I capitalize on something that’s in people’s minds, that they use?” explains Edgar Dworsky, founder of the consumer education website Consumer World. “The timeliness and popularity is something they look for.”
The videoconferencing platform, after all, has seen its number of daily meeting participants zoom upward to 350 million. Even successfully conning 1% of Zoomers would be lucrative.
Everyone’s a target
This kind of swindle hits both businesses and individuals; for example, a Zoom phishing scam took down an Australian hedge fund by stealing close to $6.5 million in the fall.
Reached for comment, Zoom spokesman Matt Nagel said the company takes security seriously. “Since phishing emails often try to appear to be from known companies, we encourage users of all platforms to be extra cautious around emails from outside parties,” Nagel said in an email to Fast Company. “We recommend users report all phishing emails to the U.S. Anti-Phishing Working Group at phishing-report@us-cert.gov.”
Getting a message from the videoconferencing platform makes sense when so much of socializing and business happens there every day. That’s the open door for phishing scams. Overall, phishing attacks have skyrocketed since the pandemic began. According to the Anti-Phishing Working Group, an international consortium of industry, government, and law enforcement, the number of phishing sites went from around 75,000 to an estimated 200,000 between March and September, and unique email subjects jumped from less than 50,000 to about 125,000 in the same period.
“They create a sense of urgency, because they know you have some upcoming meeting and need to fix this,” Dworsky says. “With any one of these phishing scams, you have to look before you click. The relevance lends credence to the fact that that’s legit.”
To avoid falling for this Zoom phishing scam, the BBB advises the following:
- always check to see that the message is coming from one of the real Zoom’s legitimate domains, zoom.com and zoom.us
- avoid clicking on links sent to you by strangers
- if you are worried that your account has an issue, reach out to Zoom directly via the company website
“They compromise the brand,” Protect Now security expert Robert Siciliano says about the people who dream up these schemes. “That’s the basis of all successful phishing campaigns. When the user responds with their credentials or credit card information, that’s how the bad guy wins.”
With so many Americans spending so much time at home due to the COVID-19 pandemic, the uptick in online cons isn’t surprising. People are working, shopping, and partying from their computers, and brands associated with this lifestyle shift are the perfect ploy. Among the other hot scams right now are bogus Netflix membership-termination emails designed to snatch debit or credit card information and fake delivery-service emails scouting for payment information, account numbers or passwords.
To report a Zoom phishing scam, e-mail phishing-report@us-cert.gov.
Ref: Fast Company – MetaCompliance