Warning! Fake Zoom “HR meeting” emails phish for your password

Scammers have turned to employment worries as their latest lure for Zoom phishing scams.

SophosLabs sent us several examples of spam messages received in the last few days that said, rather worryingly:

---sample 1---
Subject: You are invited to join the q2 meeting

Hello xxx@yyyyy.example,
Meeting Reminder with yyyyy.example Team on Zoom!

This is a reminder that your scheduled zoom meeting with 
Human Resources and Payroll Administrative Head will start 
in few minutes.
Your presence is crucial to this meeting and equally 
required to commence this Q1 perfomance review meeting

Join this Live Meeting

Meeting Purpose: Contract Suspension / Termination Trial
---sample 2---
Subject: Please join Zoom meeting in progress

Hello aaa@bbbbb.example,

Join your bbbbb.example CEO and Management Board Meeting
for all staffs on Zoom Meeting

This is a reminder that your zoom meeting appointment with
H.R and Audit Head will start in few minutes.
Your presence is crucial to this meeting and equally 
required to commence this Q1 perfomance review meeting
Join this Live Meeting

Meeting Purpose:
Contract Suspension / Termination Trial

The subject lines, message layout and meeting descriptions vary slightly, but the basic idea is the same.

To native speakers of English, the wording in both these examples is rather unnatural, and there’s a spelling mistake (perfomance) that you probably wouldn’t expect.

But the implications of the message are clear enough: if you miss this meeting, which is happening right now, you won’t get to fight your corner to keep your job.

As you can imagine, there’s a Zoom-like button to join you to the meeting…

Screenshot of phishing content showing bogus “Live Meeting” button.

…but if you click it you don’t end up on zoom.us, as you might expect.

However, you do end up on an HTTPS (padlock showing) web page, as you would expect, and the login page is almost pixel perfect:

Fake “Zoom” login page displayed if you click the “Live Meeting” link in the email.

To remind you how quickly the crooks move once they’re ready to run a scam, note that the encryption certificate for this website was issed yesterday, not long before the spam that connected to it was sent.

TLS certificate used by the phishing site in sample 1 above.

For comparison, here’s the real Zoom login page to match up with the phoney page above:

The phishers probably don’t care what password you enter as long as it’s a valid one they can use on one of your accounts, but you’ll notice they’ve put the suggestion text Email Address Password into the password field instead of just Password as you see on Zoom’s page.

Presumably they’re hoping that if you notice this “hint”, you might use the password to your email account instead of your Zoom password.

Remember that access to your email account is likely to be worth a lot more to the crooks than your Zoom account would be, for the important reason that your email account is probably the way you go about doing password resets for many of your other accounts.

Whatever we entered as our password on the fake site, we ended up redirected to a genuine and vaguely relevant Zoom help page, as though something went wrong and perhaps we should simply try again:

In this way, the crooks don’t need to simulate a successful login or to pretend that your login failed – they just leave you in one of those “I wonder what happened there” moments where your inclination is simply to go back and start over.

Of course, by the time you see the (entirely genuine) Zoom help page, the email address and the password you entered have already been posted to the crooks instead of sent to Zoom, and whatever password you entered is now in enemy hands.

What to do?

If someone else is inviting you to a meeting, you shouldn’t need to login to Zoom first, given that they’re hosting.

So even if fear gets the better of you here and you click on the link, the appearance of a login page when you are expecting to join a meeting, rather than to host one, should be suspicious.

  • Don’t login after clicking links in emails. In this case, if you were to go to Zoom directly, or switch to the Zoom app, and then try to put in the meeting number given as text in the email, you would sidestep the phishing page altogether. (In theory, the crooks could have set up a meeting to “catch” people who do this, so never blindly believe a meeting is the real deal just because it’s running when you show up.)
  • Enable two-factor authentication if you can. Zoom supports 2FA, based on one-time codes generated by an app on your phone, and most email services do, too. With a different code every time you login, the inconvenience to you is very slight, but the extra effort for the crooks is huge because your password alone is no longer enough.
  • Tell your IT team promptly if you receive a message like this. Crooks rarely send phishing emails to just one person in a company, so if you can act as your organisation’s early-warning system, you’ll help to protect everyone else.
  • If you were phished, change your password at once. Even if you fall for a phish at first, many phishes are obvious after you put in your password because you don’t end up where you should and the deception stands out. The sooner you change your password, the less time the crooks have to try it out first.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.