Zoom became the platform to keep business running remotely during the pandemic. With the upsurge in popularity (and stock value) came an upsurge in scams.
“Zoom scams are a good reminder that not all attacks begin with a technical breach,” said Javvad Malik, lead CISO advisor at KnowBe4. “These attacks work well because we’re all very much used to receiving meeting invites and clicking on them without a second thought. So, it’s important that we take steps to safeguard ourselves.”
These are the main Zoom scams you should be looking out for and how to avoid falling victim to them. You’ll see some common themes running throughout such as impersonating a trusted figure or being asked to click on dodgy links to download malware.
Fraudulent meeting
Senior figures within the business are often targeted with fake meeting invites, because they have access to more valuable and sensitive data. The meeting link will look like the standard Zoom URL, but with subtle differences. The fake landing page it leads to captures your login details, giving the attackers a way into your computer systems. They may also use malicious download links to make their way into your internal systems.
In a similar fashion, attackers could pretend to be a senior figure in the company, or a partner/external organisation. From there, they’ll invite you to a fake meeting screen, ask you to download something or ask you to share your screen – more on that in a moment.
The scammer will use their chosen avenue into your internal systems to steal data or plant malware.
Screen sharing
Similarly, a screen sharing scam will involve the scammer asking the victim to download screen sharing or remote access software which they’ll use to access files, steal passwords or transfer money.
The ‘software update’
This one works under the guise of a software update. Unsuspecting users are guided to a realistic-looking Zoom page and prompted to download an installer that appears to come from a legitimate company; the scammer uses it to install malware.
Some malware can target banking details and passwords and your information could even be sold on the dark web.
How do I report scams to Zoom?
You’ll need to submit a Trust & Safety request form: enter your name and email address, then select ‘report fraud’ under the ‘what can we help you with?’ menu. The form requires a description of the incident and screenshots of the activity.
What you can do to prevent Zoom scams
- Encourage employees to stay vigilant – especially if they have a lot of meetings.
- Enable multi-factor authentication (MFA) as far as possible – the Information Commissioner’s Office (ICO) may even issue a fine if there’s a security breach and you’re caught without it.
- Ensure anti-virus software is up to date across the business.
- Hover your cursor over any links you’re unsure of. If the URL doesn’t look as it should, then don’t click on it.
- Set out clear processes for dealing with security incidents.
- Digital ID services can identify the participants of a meeting before it begins. A few providers offer this, as an extra paid service.
- Zoom will never ask for control over your screen – treat this request with suspicion.
- Disable remote access abilities on Zoom, unless they’re business-critical. Disable meeting access to anonymous users unless they’re verified.
- Verify meeting requests that seem urgent or suspicious – try contacting the person or company on a separate channel, such as the email address listed on their website.
- Be aware that software doesn’t update itself in the middle of a meeting, so if this happens, it’s a glaring red flag.
- Configure your email client so that it doesn’t auto-populate your calendar with meetings taken from incoming emails. Set it so that the recipient has to verify each calendar request themselves.
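The ‘hover over the link and check the URL’ advice above can be turned into a repeatable triage check for helpdesk or mail-filtering staff. The following is an added example written for this article, not Zoom’s own tooling; the allow-list of Zoom hostnames is an assumption that an organisation should maintain from its own vendor records.

```python
from typing import List
from urllib.parse import urlparse

# Assumed allow-list of registered domains that genuine Zoom invite links use.
# Illustrative only: confirm and maintain this from your own vendor records.
ZOOM_DOMAINS = ("zoom.us", "zoom.com")

# File extensions that indicate a "meeting link" is really an installer download
INSTALLER_SUFFIXES = (".exe", ".msi", ".dmg", ".pkg", ".zip")


def check_invite_url(url: str) -> List[str]:
    """Return the red flags found in a meeting link; an empty list means none."""
    flags: List[str] = []
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()

    if parsed.scheme != "https":
        flags.append("not https")
    if not host:
        flags.append("no hostname")
        return flags

    # Non-ASCII or punycode labels can hide homoglyph lookalikes of the brand
    if any(ord(ch) > 127 for ch in host) or "xn--" in host:
        flags.append("non-ASCII/punycode hostname")

    # A genuine host is the registered domain itself or a subdomain of it;
    # "zoom.us.example" or "zoom-updates.example" fail this test.
    if not any(host == d or host.endswith("." + d) for d in ZOOM_DOMAINS):
        flags.append(f"hostname '{host}' is not a Zoom domain")
        if "zoom" in host:
            flags.append("brand name used in a non-Zoom domain")

    # "https://zoom.us@evil.example/..." puts the brand before '@' as a username;
    # the browser actually connects to the part after it.
    if parsed.username or parsed.password:
        flags.append("credentials embedded in URL (text before '@')")

    # A join link should not point straight at a downloadable installer
    if parsed.path.lower().endswith(INSTALLER_SUFFIXES):
        flags.append("link points at a downloadable installer")
    return flags


def triage(urls: List[str]) -> dict:
    """Map each constructed sample link to its red flags, for a quick review."""
    return {u: check_invite_url(u) for u in urls}
```

Run `triage()` over the links extracted from a suspicious invite; anything with a non-empty flag list goes to the separate-channel verification step described above.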
“Overall, it’s worth remembering that the virtual meeting room has become another threat vector,” said Malik. “People should remain wary of unexpected communication, a non-standard ask, and pressure to carry out actions urgently or in a heightened emotional state.”
“Educate your team specifically on AI-powered impersonation,” said Muhammad Yahya Patel, vCISO and cybersecurity advisor at Huntress. “People need to understand that a convincing voice on the end of a phone, or a message that references real internal details, is no longer proof that someone is who they say they are. Build simple internal verification procedures: a shared code word for sensitive requests, a rule that financial or access-related actions always require confirmation through a second channel. These don’t need to be complicated.”