The popularity of Zoom — the world’s most-downloaded app in 2020 — has made it a target for phishing attacks, and the Better Business Bureau is now warning users to avoid sketchy meeting invites that could actually infect your system with malware. Here’s what you need to know.
How the phishing scam works
A scammer will send you an unsolicited email, text, or social media message branded with a Zoom logo and including some kind of notification about your account, like “your Zoom account has been suspended, click here to reactivate,” “please activate your account,” or “you missed a meeting, click here to see the details and reschedule.”
These phony invites carry links that, when clicked, either download malware directly onto your computer or take you to a fake Zoom login page. The fake login page exists to trick you into entering your email and Zoom password, handing the scammers control of your account. They may also try that same email and password combination on other services and platforms (53% of people reuse the same password across multiple accounts).
How to avoid getting tricked
Throughout the pandemic — and before — the mantra has remained the same when it comes to unsolicited messages: don’t click on anything. This includes links, but also photos (which can be clickable) and files. Speaking from experience, I nearly clicked on one of these fake Zoom links a couple of months ago despite knowing that the scam existed — it’s very easy to let auto-pilot take over if you aren’t focused on remaining vigilant.
The Better Business Bureau recommends taking these precautions, which will help you avoid falling for the scam:
- Double-check the sender’s information. Zoom.com and Zoom.us are the only official domains for Zoom. If an email comes from a similar-looking domain that doesn’t quite match the official domain name, it’s probably a scam.
- Never click on links in unsolicited emails. Phishing scams always involve getting an unsuspecting individual to click on a link or file sent in an email that will download dangerous malware onto their computer. If you get an unsolicited email and you aren’t sure who it really came from, never click on any links, files, or images it may contain.
- Resolve issues directly. If you receive an email stating there is a problem with your account and you aren’t sure if it is legitimate, contact the company directly. Go to the official website by typing the name in your browser and find the “Contact Support” feature to get help.
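The first of these checks, comparing the sender’s domain against the two official ones, is something a mail filter or a careful reader can do mechanically. The Python below is an added example written for this article; it is not code from the article or the Better Business Bureau. It takes the two official domains exactly as the article states them, treats anything else as “not official”, and additionally flags the common ways a scammer dresses up a non-Zoom address as Zoom: the brand name buried in a longer hostname (zoom-us.com, zoom.us.account-verify.com), a one-character typosquat (zoon.us), or the brand appearing only in the display name. The sample messages are constructed for the example, not real mail.

```python
import re
from email.utils import parseaddr
from typing import Tuple

# The two official domains the article names. Everything else is judged
# against them; a domain that merely contains "zoom" is not official.
OFFICIAL_DOMAINS = ("zoom.us", "zoom.com")
BRAND = "zoom"

# Hostnames of http(s) links in a plain-text body (no scheme, path or angle brackets).
URL_RE = re.compile(r"https?://([^/\s<>]+)", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'mail.zoom.us' -> 'zoom.us'.
    A stand-in for a public-suffix lookup; fine for .com/.us, wrong for .co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats ('zoon.us')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, display_name: str = "") -> Tuple[str, str]:
    """Return (verdict, reason) for a sending or linked host.

    verdict is 'official' (exact allowlist match), 'lookalike' (impersonates the
    brand without being on the allowlist) or 'unrelated'. The exact match is
    tested first, so no amount of brand dressing can promote a host to 'official'.
    """
    host = host.lower().split(":")[0]  # drop any :port
    domain = registrable_domain(host)
    if domain in OFFICIAL_DOMAINS:
        return "official", f"{host} is under {domain}"
    # Brand name anywhere in the host: zoom-us.com, zoom.us.account-verify.com, zoomm.us
    if BRAND in host:
        return "lookalike", f"{host} contains '{BRAND}' but its registrable domain is {domain}"
    # One edit away from an official domain: zoon.us, zoom.uk. This is a heuristic
    # and will also flag unrelated names such as boom.us; a non-listed domain is
    # never 'official' either way.
    for official in OFFICIAL_DOMAINS:
        if edit_distance(domain, official) == 1:
            return "lookalike", f"{domain} is one edit away from {official}"
    # Brand used only in the display name: 'Zoom Support <x@example.net>'
    if BRAND in display_name.lower():
        return "lookalike", f"display name claims '{BRAND}' but address is at {domain}"
    return "unrelated", f"{domain} has no relation to {BRAND}"


def classify_sender(from_header: str) -> Tuple[str, str]:
    """Apply classify_host to the address and display name in a From: header."""
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unrelated", "no parseable address"
    return classify_host(addr.rsplit("@", 1)[1], display_name)


def scan_message(from_header: str, body: str) -> dict:
    """Check the sender and every http(s) link in the body. One lookalike
    anywhere is enough to mark the whole message suspicious."""
    sender = classify_sender(from_header)
    links = [(h, classify_host(h)) for h in URL_RE.findall(body)]
    verdicts = [sender[0]] + [v for _, (v, _) in links]
    return {"sender": sender, "links": links, "suspicious": "lookalike" in verdicts}


# Constructed sample messages in the shape the article describes (not real mail;
# MEETING-ID is a placeholder).
SAMPLES = [
    ("Zoom <no-reply@zoom.us>",
     "You have a meeting at 10:00. Join at https://zoom.us/j/MEETING-ID"),
    ("Zoom Support <support@zoom-us.com>",
     "Your Zoom account has been suspended. Reactivate: https://zoom.us.account-verify.com/login"),
    ("Zoom <billing@zoon.us>",
     "Please activate your account: https://zoon.us/activate"),
    ("Zoom Meetings <alerts@mail.example.net>",
     "You missed a meeting, see details: https://example.net/reschedule"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        result = scan_message(sender, body)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {sender}: {result['sender'][1]}")
        for host, (verdict, reason) in result["links"]:
            print(f"{'':10}   link {host}: {verdict} ({reason})")
```

Note the order of the tests: the allowlist comparison comes first and is exact, so the later heuristics only ever downgrade a host from “unknown” to “lookalike”, never upgrade one. That mirrors the BBB advice: a domain either is Zoom.us or Zoom.com, or it is not, and “almost matches” counts as not.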
Also, it’s worth spot-checking any suspicious notifications or login pages for spelling errors, which are an obvious clue they aren’t legit. I narrowly averted my own phishing attack by spotting a few typos in the bogus invitation.