As individuals and businesses become increasingly reliant on video conferencing to stay connected during the Covid-19 outbreak, fraudsters have used the opportunity to target users with a malicious Zoom phishing scam.
The Zoom phishing scam begins with an email that impersonates a notification from the video conferencing platform. The email informs the recipient that they have recently missed a scheduled meeting. It encourages the user to click the link for more details and access a recording of the meeting.
By informing the user that the meeting has been missed, the Zoom phishing scam aims to provoke a sense of urgency and panic to encourage recipients to click on the malicious link, a key trait of many similar phishing scams.
With more people working from home than ever before, it is likely that targets are more willing to trust such emails, as daily online meetings and video conferencing become part of the new normal for remote workers.
In an effort to provoke further urgency, the message also states that Zoom will only keep the message for 48 hours, after which it will be deleted.
When the link has been clicked, recipients of the phishing scam are directed to a fake Zoom login page which mimics a genuine Zoom sign-in page. However, this page requests the victim to log in using their work email credentials.
The instructions state: “Zoom now allows you to join and host meetings without signinup. Simply continue with your organization email login to proceed.“
Although the spoof login page mimics Zoom’s branding, the page contains red flags, such as an unusual URL, non-functioning links, and spelling mistakes in the instructions.
If an unsuspecting victim enters their enterprise login details, their credentials will be harvested and can then be sold on the dark web, held for ransom, or used to compromise other accounts which may contain sensitive information.
A report earlier this month found that more than 500,000 stolen Zoom accounts were being bought and sold on the dark web for as little as $0.002 per account. Some accounts, the report claims, are even being shared for free to be used for Zoom-bombing and other malicious activities.
Given the current situation, people regularly receive meeting notifications and invitations from various video conferencing software. In a recent announcement, Zoom founder and CEO Eric S. Yuan stated that the video conferencing platform surpassed 300 million daily Zoom meeting participants, many of them from enterprise users.
As such, the surge in video conferencing has created the perfect circumstances for opportunistic fraudsters to exploit those working from home.
Email security researchers say this particular attack has successfully found its way into more than 50,000 mailboxes.
With 90% of all data breaches caused by phishing, and 3.4 billion fake emails sent every day, users must remain cautious and vigilant. Despite the increasing sophistication of these emails, there are a number of ways to avoid falling for a phishing scam.
How to Avoid Falling For a Phishing Scam
- Never click on links or download attachments without confirming the source.
- Verify the authenticity of links and pay close attention to URL addresses. Many bad actors will host landing pages on unrelated URLs.
- Avoid logging in from the links provided in emails. Instead, log in directly to the requested website.
- Always take time to think about a request for your personal information, and whether the request is appropriate.
- Pay close attention to the spelling of an email or web page. If there are any inconsistencies, users should be cautious.
- Ignore and delete emails with unexpectedly poor grammar and formatting.
- Question the validity of any email that asks you to submit personal or financial information.
- Use strong passwords to reduce the chance of devices being hacked.
- Consider the use of a password manager to maintain the security of multiple accounts.
Improve Staff Cyber Security Awareness
To support organisations mitigate the risk of cyber threats during this time of uncertainty, MetaCompliance has launched a free guide, detailing 10 practical tips on how to improve staff Cyber Security awareness, right now.
In this guide, you will learn:
- How to develop a robust Cyber Security awareness plan that decreases the risk of a data breach
- What is required for a Cyber Security awareness program to be effective
- Practical tips to improve staff Cyber Security awareness, that you can start implementing today
Click here to access your 10 Ways to Improve Staff Cyber Security Awareness guide.
Protect Your Organisation Against Phishing
For further information on how you can protect your business from phishing attacks, download our free Ultimate Guide to Phishing.
Our award winning MetaPhish platform provides a powerful defence against phishing and ransomware attacks by training employees how to identify and respond appropriately to these threats. It has helped protect organisations across the world from this ongoing threat and provides the first line of defence against phishing attacks.