3 Zoom scams you need to avoid
By Anna Jordan on Small Business UK - Advice and Ideas for UK Small Businesses and SMEs


Zoom became the platform to keep business running remotely during the pandemic. With the upsurge in popularity (and stock value) came an upsurge in scams.
“Zoom scams are a good reminder that not all attacks begin with a technical breach,” said Javvad Malik, lead CISO advisor at KnowBe4. “These attacks work well because we’re all very much used to receiving meeting invites and click them without a second thought. So, it’s important that we take steps to safeguard ourselves.”
These are the main Zoom scams you should be looking out for and how to avoid falling victim to them. You’ll see some common themes running throughout such as impersonating a trusted figure or being asked to click on dodgy links to download malware.
Fraudulent meeting
Senior figures within the business are often targeted with meetings – this is because they have access to more valuable and sensitive data. The meeting link will look like the standard Zoom URL, but there’ll be subtle differences. The fake landing page that’s sent to you will be able to capture your login details and allow hackers into your computer system. They may also use malicious download links to make their way into your internal systems.
In a similar fashion, attackers could pretend to be a senior figure in the company, or a partner/external organisation. From there, they’ll invite you to a fake meeting screen, ask you to download something or ask you to share your screen – more on that in a moment.
The scammer will use their chosen avenue into your internal systems to steal data or plant malware.
Screen sharing
Similarly, a screen sharing scam will involve the scammer asking the victim to download screen sharing or remote access software which they’ll use to access files, steal passwords or transfer money.
The ‘software update’
This one’s under the guise of a software update. Unsuspecting users are guided towards a realistic-looking Zoom page and prompted to download an installer from a legitimate company, which the scammer will use to install malware.
Some malware can target banking details and passwords and your information could even be sold on the dark web.
How do I report scams to Zoom?
You’ll need to request a Trust & Safety request form, then enter your name and email address and select ‘report fraud’ under the ‘what can we help you with?’ menu. The form requires a description of the incident and screenshots of the activity.
What you can do to prevent Zoom scams
- Encourage employees to stay vigilant – especially if they have a lot of meetings.
- Enable multi-factor authentication (MFA) as far as possible – the Information Commissioner’s Office (ICO) may even issue a fine if there’s a security breach and you’re caught without it.
- Ensure anti-virus software is up to date across the business.
- Hover your cursor over any links you’re unsure of. If the URL doesn’t look as it should, then don’t click on it.
- Set out clear processes for dealing with security incidents.
- Digital ID can allow participants of a meeting to be identified before the meeting begins. A few providers offer this so it’ll be an extra paid service.
- Zoom will never ask for control over your screen – treat this request with suspicion.
- Disable remote access abilities on Zoom, unless they’re business-critical. Disable meeting access to anonymous users unless they’re verified.
- Verify meeting requests that seem urgent or suspicious – try contacting the person or company on a separate channel, such as the email address listed on their website.
- Be aware that software doesn’t update itself in the middle of a meeting, so if this happens, it’s a glaring red flag.
- Set your email so that it doesn’t auto-populate meetings in your calendar from an email. Set it so that the recipient has to verify the calendar request themselves.
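The hover check in the list above, and the ‘subtle differences’ in fake meeting links described under Fraudulent meeting, both come down to reading the host name of a link rather than the text around it. The Python below is an added example, not code from Small Business UK or Zoom; the function name, the trusted-domain list (only zoom.us is assumed here) and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domains your organisation accepts for Zoom links.
TRUSTED_DOMAINS = ("zoom.us",)


def check_meeting_link(url, trusted=TRUSTED_DOMAINS):
    """Return (ok, reason) for a link that claims to be a Zoom meeting."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "malformed link"
    if parts.scheme != "https":
        return False, "not an https link"
    # Anything before '@' is a login name, not the site being visited.
    if parts.username is not None or parts.password is not None:
        return False, "real host is hidden after '@'"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host name"
    # Accented or non-Latin letters can imitate 'zoom' on screen.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "host name uses lookalike-capable characters"
    for domain in trusted:
        # Exact match or a true subdomain; 'zoom.us.other.example' fails.
        if host == domain or host.endswith("." + domain):
            return True, "host " + host + " is under " + domain
    return False, "host " + host + " is not a trusted Zoom domain"


# Constructed sample links (not real invitations).
SAMPLES = [
    "https://zoom.us/j/1234567890",
    "https://example-co.zoom.us/j/1234567890",
    "https://zoom.us.meetings.example/j/1234567890",
    "https://zoom.us@meetings.example/j/1234567890",
    "https://zoom-us.example/j/1234567890",
    "https://zo\u043em.us/j/1234567890",  # Cyrillic 'o'
    "http://zoom.us/j/1234567890",
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_meeting_link(link)
        print("OK   " if ok else "BLOCK", ascii(link), "-", reason)
```

A link that passes only shows where it points; an unexpected or urgent invite still needs verifying on a separate channel, as the list says.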
“Overall, it’s worth remembering that the virtual meeting room has become another threat vector,” said Malik. “People should remain wary of unexpected communication, a non-standard ask, and pressure to carry out actions urgently or in a heightened emotional state.”
“Educate your team specifically on AI-powered impersonation,” said Muhammad Yahya Patel, vCISO and cybersecurity advisor at Huntress. “People need to understand that a convincing voice on the end of a phone, or a message that references real internal details, is no longer proof that someone is who they say they are. Build simple internal verification procedures, a shared code word for sensitive requests, a rule that financial or access related actions always require confirmation through a second channel. These don’t need to be complicated.”