Zoom Call Fraud

Even before the COVID-19 pandemic, Zoom had been established as one of the most important tools for conducting digital meetings and video calls, both in professional and private settings. However, with growing popularity, fraudulent schemes involving Zoom calls have significantly increased. Cybercriminals are using various methods to exploit the tool – seeking access to sensitive personal data, stealing identities, or fraudulently obtaining large sums of money.

Fraud via Zoom is becoming increasingly critical in the B2B context as well, particularly because these attacks often target companies, executives, and sensitive business processes and systems. The consequences range from financial losses and reputational damage to the complete breakdown of business operations.

Against this backdrop, it is more important than ever for companies to implement effective Know-Your-Employee (KYE) and Know-Your-Customer (KYC) processes, with a particular focus on identity verification solutions.

The Most Common Zoom Fraud Schemes

Fraud schemes involving Zoom are largely similar to other social engineering tactics, as illustrated in the following examples:

Fake Zoom Invitations and Phishing

Employees, especially decision-makers, often receive many emails inviting them to suppose internal Zoom meetings. These messages appear to come from colleagues or superiors and often contain fake vanity URLs that closely resemble official company domains.

The links lead to counterfeit Zoom login pages designed to capture login credentials. Alternatively, these invitations may include attachments or links that install malware once they are opened.

Potential consequences:
The stolen credentials may allow cybercriminals to access internal systems, email accounts, and sensitive company data. In the worst case, attackers could take over the email system to send fraudulent invoices on a large scale to the company’s customers.

CEO-Fraud via Zoom

Attackers impersonate executives or business partners and exploit the familiarity of Zoom meetings to deceive employees.

Using manipulated participation links or fake invitations, employees are tricked into disclosing confidential information or initiating wire transfers on behalf of the company.

In the financial sector, millions in losses have already been documented due to fake Zoom calls in which supposed colleagues or partner companies requested the transfer of large sums of money.

Malware and Ransomware Infiltration

The consequences of a fake Zoom invitation can be especially severe if the invitation leads to a fake Zoom site that distributes malware like Vidar Stealer or other malicious software targeting banking data, passwords, and crypto wallets.

Even in companies where employees regularly participate in Zoom meetings, there’s a high risk that they may inadvertently introduce malware into the company’s systems.

Potential consequences:
Once installed, the malware can give criminals access to sensitive company data and may be used for extortion or sold on the dark web.

Special Challenges in the Business Context

As mentioned, criminals often use vanity URLs, customized Zoom links that mimic corporate ones, to deceive employees. They also exploit the high frequency of meetings, which is typical in many companies. Since employees are used to receiving numerous invitations, the likelihood of successfully sneaking a fraudulent Zoom call into business workflows increases.

In the corporate or B2B context, financial damage can be particularly severe, as criminals often deliberately target payment processes or treasury operations.

How Companies Can Protect Themselves from Zoom Call Fraud

The following standard measures are essential to safeguard against the various forms of Zoom call fraud:

• Regular awareness training on phishing and social engineering
• Two-step approval processes and personal confirmation for unusual transaction requests
• Technical safeguards, such as multi-factor authentication, regular software updates, antivirus tools, and web filters
• Clear protocols for handling security incidents.

Digital Identification Procedures Help Prevent Zoom Call Fraud

Given the increasing threats posed by deep-fake technology and social engineering, traditional security measures such as secure passwords or two-factor authentication are often no longer sufficient.

Advanced digital identity verification methods, such as those offered by WebID, are now playing a decisive role in combating Zoom call fraud in the B2B sector:

• Preventing identity theft:
  Digital ID verification solutions allow companies to confirm the identities of participants before granting access to sensitive internal Zoom meetings.
• Protection from deepfakes:
  Criminals targeting B2B companies are increasingly using deepfakes to impersonate colleagues. Digital wallets with verified and cryptographically secured credentials ensure that only authorized individuals gain access to Zoom meetings and sensitive company information.
• Real-time verification:
  Modern identity verification tools enable real-time identity checks, such as scanning a QR code using a digital wallet.