With more businesses implementing remote working policies for their employees in light of the COVID-19 crisis, the usage of popular videoconferencing apps like Zoom is rising – and cybercriminals are using this spike to their advantage.
MailGuard intercepted a phishing email scam masquerading as a Zoom meeting reminder that aims to trick users into handing over their confidential details. Using a display name of “Zoom IP Monday, August 24, 2020”, the email is titled “Reminder: Your meeting attendees are waiting. Monday, August 24, 2020”. The scam actually originates from an Amazon Simple Email Service address which is unique to every email sent. The body of the message is addressed to the email address displayed in the “to” field, and informs recipients that they have received a video conferencing invitation. A button is provided to “review invitation”.
Here is what the email looks like:
Unsuspecting recipients who click on the email are led to a fake Microsoft-branded login page, and asked to “sign in to Zoom with your Microsoft 365 account”. Interestingly, this page is hosted on neither a Zoom nor a Microsoft domain, as shown below:
Upon “logging in”, another message appears, telling users to verify their password due to a “sign in attempt timeout”:
After inserting their password a second and third time, users are led to another page informing them that “this video conferencing has been cancelled”. After a few seconds, they are redirected to the legitimate Zoom homepage.
We strongly advise all recipients to delete these emails immediately without clicking on any links. Please share this alert with your social media network to help us spread the word around this email scam.
This is a good example of how cybercriminals are exploiting the uncertainty created by the recent COVID-19 outbreak and its implications for the way we communicate and work. With Zoom becoming an increasingly popular videoconferencing app among businesses, it is not uncommon for professionals to receive an email like this in their inbox, and they might click on it thinking it is a legitimate invitation to an upcoming business meeting. Here are a few ways cybercriminals have attempted to make this email look like a legitimate notification:
- The use of a display name like “Zoom IP” suggests the email is sent from an official source. The inclusion of the date and day in the email’s display name and subject also places it in real-time and boosts its credibility.
- The presence of a subject line informing users that their “meeting attendees are waiting” serves to intrigue while also creating a sense of alarm & urgency, motivating users to click on the links in the email without pausing to check their credibility.
- The inclusion of the Microsoft logo and its branding elements in the phishing pages further aims to convince users that the email is authentic.
Despite these techniques, eagle-eyed recipients of this email would be able to spot several red flags that point to the email’s inauthenticity. These include the fact that the phishing pages aren’t hosted on a Microsoft or Zoom domain, and that the email address used in the “from” field doesn’t use a familiar domain.
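The two red flags above can also be checked automatically. The following sketch is an added example, not MailGuard's code: it flags a message whose display name claims a brand while the sender domain does not belong to it, and whose links point outside that brand's domains. The domain allowlist and the sample message are constructed for illustration, and the body is assumed to be single-part plain text.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist of domains each brand legitimately uses (illustrative, not exhaustive).
BRAND_DOMAINS = {
    "zoom": {"zoom.us", "zoom.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
}

def on_domain(host, domains):
    """True if host equals an allowed domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def red_flags(raw):
    """Return a list of red-flag descriptions for a raw single-part message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    body = msg.get_payload()
    text = f"{display} {msg.get('Subject', '')} {body}".lower()
    brands = [b for b in BRAND_DOMAINS if b in text]  # brands the message invokes
    flags = []
    for b in brands:
        # Red flag 1: brand in the display name, unrelated domain in the address.
        if b in display.lower() and not on_domain(sender_host, BRAND_DOMAINS[b]):
            flags.append(f"display name claims {b} but sender domain is {sender_host}")
    allowed = set().union(*(BRAND_DOMAINS[b] for b in brands)) if brands else set()
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname
        # Red flag 2: link host is not a domain of any brand the message invokes.
        if brands and not on_domain(host, allowed):
            flags.append(f"link host {host} is not a {'/'.join(brands)} domain")
    return flags

# Constructed sample modelled on the email described above; the sender address
# and link are placeholders, not the real indicators.
SAMPLE = """From: "Zoom IP Monday, August 24, 2020" <bounce-0001@mailer.example.net>
To: user@example.org
Subject: Reminder: Your meeting attendees are waiting. Monday, August 24, 2020

You have received a video conferencing invitation.
Review invitation: https://login.example.com/signin
"""

if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print("RED FLAG:", flag)
```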
This practice of launching cyberattacks that are centered around ongoing trends isn’t anything new. Cybercriminals have long employed these tactics to take advantage of any disruptions and vulnerabilities in the hope that users’ uncertainties and fear around new changes will get the better of them and they will not pause to check the legitimacy of these emails.
COVID-19 themed cyberattacks are often designed to play with human psychology and emotions, like this one we intercepted earlier. As such, we strongly advise being extra vigilant when you receive emails such as these and looking out for any tell-tale signs that might be suspicious.
As a precaution, MailGuard urges you not to click links within emails that:
- Are not addressed to you by name.
- Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
- Are from businesses that you were not expecting to hear from.
- Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.
Don't get scammed
If your company’s email accounts aren’t protected, emails like these are almost certainly being received by your staff. Cybercriminals know people can be tricked; that’s why they send out millions of scam messages and put so much effort into making them look convincing.
People are not machines; we're all capable of making bad judgement calls. Without email filtering protecting your business, it’s just a matter of time before someone in your organisation has a momentary lapse of judgement and clicks on the wrong thing.
One email is all that it takes
All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.
Talk to a solution consultant at MailGuard today about securing your company's network.