Never click on this kind of Zoom invite. You’ll thank us forever

By Zlati Meyer

December 07, 2020

 
Your inbox is chock full of Zoom invitations, as everyone from your boss to your Aunt Elaine to your book club keeps your work and social calendars packed.

But amid the sales meeting slots and the family holiday reunions lurk Zoom invites that want to do the opposite of welcome you. They want to steal your personal information and ruin you.

Zoom phishing scams are the latest conduit for planting malware, designed to leave victims with stolen identities, destroyed credit histories, compromised passwords, and empty bank accounts.

The bait is decorated with the Zoom logo and sent via text, email, or social media message to say that your account has been suspended (but can be reactivated by clicking on the attached link), that you missed a meeting (but can click on the link to find out the details and schedule), or that Zoom is welcoming you (but you need to click on the link to activate your account), according to the Better Business Bureau. Of course, the link does none of those things and instead downloads malware to your computer or mobile device or takes you to a login page where you need to enter your login and password, which lets the thieves gain access to other accounts with similar combinations.

According to the IT security company Check Point Software Technologies, 16,004 Zoom-related domains were registered between late April and today. Con artists are impersonating Microsoft Teams and Google Meet, too.

“For people who are in this business of doing phishing schemes, it becomes the scam du jour. What’s popular now? How can I capitalize on something that’s in people’s minds, that they use?” explains Edgar Dworsky, founder of the consumer education website Consumer World. “The timeliness and popularity is something they look for.”

The videoconferencing platform, after all, has seen its number of daily meeting participants zoom upward to 350 million. Even successfully conning 1% of Zoomers would be lucrative.

 

Everyone’s a target

This kind of swindle hits both businesses and individuals; for example, a Zoom phishing scam took down an Australian hedge fund by stealing close to $6.5 million in the fall.

Reached for comment, Zoom spokesman Matt Nagel said the company takes security seriously. “Since phishing emails often try to appear to be from known companies, we encourage users of all platforms to be extra cautious around emails from outside parties,” Nagel said in an email to Fast Company. “We recommend users report all phishing emails to the U.S. Anti-Phishing Working Group at phishing-report@us-cert.gov.”

Getting a message from the videoconferencing platform makes sense when so much of socializing and business happens there every day. That’s the open door for phishing scams. Overall, phishing attacks have skyrocketed since the pandemic began. According to the Anti-Phishing Working Group, an international consortium of industry, government, and law enforcement, the number of phishing sites went from around 75,000 to an estimated 200,000 between March and September, and unique email subjects jumped from fewer than 50,000 to about 125,000 in the same period.

“They create a sense of urgency, because they know you have some upcoming meeting and need to fix this,” Dworsky says. “With any one of these phishing scams, you have to look before you click. The relevance lends credence to the fact that that’s legit.”

To avoid falling for this Zoom phishing scam, the BBB advises the following:

    always check that the message comes from one of Zoom’s legitimate domains, zoom.com and zoom.us

    avoid clicking on links sent to you by strangers

    if you are worried that your account has an issue, reach out to Zoom directly via the company website
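The domain check in the first tip is easy to get wrong by eye, because a lookalike address can contain "zoom.us" without belonging to Zoom. The following is an added example, not part of the original article or the BBB's advice: the function names are hypothetical and every sample address is constructed. It applies the same test to links as well as senders.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# The two domains the BBB advice names as legitimate.
LEGIT_DOMAINS = ("zoom.com", "zoom.us")


def _is_zoom_host(host):
    """Exact domain or a true subdomain; 'zoom.us.example' does not match."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def is_zoom_link(url):
    """True only if the host a browser would connect to belongs to Zoom."""
    if "\\" in url:  # browsers read '\' as '/', urlsplit does not: reject
        return False
    try:
        host = urlsplit(url.strip()).hostname  # drops any 'user@' prefix
    except ValueError:  # malformed URL
        return False
    return bool(host) and _is_zoom_host(host)


def is_zoom_sender(from_header):
    """Check the domain of the address itself, not the display name.

    A From header can be forged, so a match is necessary, not sufficient.
    """
    _, address = parseaddr(from_header)
    local, at, domain = address.rpartition("@")
    return bool(at and local and domain) and _is_zoom_host(domain)


if __name__ == "__main__":
    # Constructed samples, not taken from real messages.
    for url in (
        "https://us02web.zoom.us/j/123456789",                # real subdomain
        "https://zoom.us.account-verify.example/reactivate",  # zoom.us as prefix
        "https://zoom.us@login.example/",                     # zoom.us as username
        "https://z\u043e\u043em.us/",                         # Cyrillic 'o' lookalike
    ):
        print(is_zoom_link(url), ascii(url))
    for sender in (
        "Zoom <no-reply@zoom.us>",
        '"support@zoom.us" <billing@zoom-accounts.example>',  # name is bait
    ):
        print(is_zoom_sender(sender), sender)
```
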

“They compromise the brand,” Protect Now security expert Robert Siciliano says about the people who dream up these schemes. “That’s the basis of all successful phishing campaigns. When the user responds with their credentials or credit card information, that’s how the bad guy wins.”

 

With so many Americans spending so much time at home due to the COVID-19 pandemic, the uptick in online cons isn’t surprising. People are working, shopping, and partying from their computers, and brands associated with this lifestyle shift are the perfect ploy. Among the other hot scams right now are bogus Netflix membership-termination emails designed to snatch debit or credit card information and fake delivery-service emails, scouting for payment information, account numbers or passwords.

To report a Zoom phishing scam, e-mail phishing-report@us-cert.gov.
