As more companies are implementing remote working policies for their employees in light of the COVID-19 crisis, the usage of popular videoconferencing apps like Zoom is rising – and cybercriminals are using this rise to their advantage.
MailGuard intercepted an email spoofing Zoom that aims to trick users into handing over their confidential details. Using a display name of “Zoom Video Communications”, the email is titled “Zoom Video Conferencing invitation Wednesday, May 13, 2020”. The email actually originates from multiple randomly generated email addresses hosted on amazonses.com. The body of the message is addressed to the email address displayed in the “to:” field, and informs recipients that they have received a video conferencing invitation. A button is provided to “review invitation”.
Here is what the email looks like:
Unsuspecting recipients who click on the email are led to a fake Microsoft-branded login page, and asked to “sign in to Zoom with your Microsoft 365 account”. Interestingly, this page is not hosted on either a Zoom or a Microsoft domain, as shown below:
Upon “logging in”, another message appears, telling users to verify their password due to a “sign in attempt timeout”:
After inserting their password a second time, users are led to another page informing them that “this video conferencing has been cancelled”. After a few seconds, they are redirected to the legitimate Zoom homepage.
We strongly advise all recipients to delete these emails immediately without clicking on any links. Please share this alert with your social media network to help us spread the word around this email scam.
This is a good example of how cybercriminals are leveraging the uncertainty posed by the recent COVID-19 outbreak and its implications for the way we communicate and work. With Zoom increasingly becoming a popular videoconferencing app among businesses, it is not uncommon for professionals to receive an email like this in their inbox, and they might click on it thinking it is a legitimate invitation for an upcoming business meeting. Here are a few ways cybercriminals have attempted to make this email look like a legitimate notification:
- Use of a display name like “Zoom Video Communications” suggests the email is sent from an official source. The inclusion of the date and day in the email’s subject also places it in real time and boosts its credibility.
- Incorporating elements (like the Zoom header) in the email that are similar to Zoom’s branding and logo.
- The inclusion of the Microsoft logo and its branding elements in the phishing pages further aims to convince users that the email is authentic.
Despite these techniques, eagle-eyed recipients of this email would be able to spot several red flags that point to the email’s inauthenticity. These include the fact that the phishing pages aren’t hosted on a Microsoft or Zoom domain, and that the email address used in the “from” field doesn’t use a familiar domain.
This practice of launching cyberattacks that are centered around ongoing trends isn’t anything new. Cybercriminals have long employed these tactics to take advantage of any disruptions and vulnerabilities in the hope that users’ uncertainties and fear around new changes will get the better of them and they will not pause to check the legitimacy of these emails.
Coronavirus-themed cyberattacks are often designed to play with human psychology and emotions, like this one we intercepted a few weeks ago. As such, we strongly advise being extra vigilant when you receive emails such as these and looking out for any tell-tale signs that might be suspicious.
As a precaution, MailGuard urges you not to click links within emails that:
- Are not addressed to you by name.
- Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
- Are from businesses that you were not expecting to hear from.
- Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.
Don't get scammed
If your company’s email accounts aren’t protected, emails like the one above are almost certainly being received by your staff. Cybercriminals know people can be tricked; that’s why they send out millions of scam messages and put so much effort into making them look convincing.
People are not machines; we're all capable of making bad judgement calls. Without email filtering protecting your business, it’s just a matter of time before someone in your organisation has a momentary lapse of judgement and clicks on the wrong thing.
One email is all that it takes
All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.
Talk to a solution consultant at MailGuard today about securing your company's network.