Americans spend an average of two hours and five minutes a week making video calls via online meeting platforms like Zoom, Skype, and Microsoft Teams, according to research by NordVPN. With videoconferencing platforms gaining popularity, cybersecurity experts are warning users about the dangers of being scammed and potentially infected by malware through them.
“Since the beginning of the Covid-19 pandemic, cybercriminals have been using visual meeting platforms as a new way to reach their victims. This resulted in new attacks that app developers were not ready for, including virtual meetings being disrupted by pornography and hate images, private meetings being made public, and many more serious issues,” said Daniel Markuson, a cybersecurity expert with NordVPN, in a statement.
What is a BEC Scam?
In February, the FBI issued a public service announcement stating that criminals are using virtual meeting platforms for business email compromise (BEC) scams. In a BEC scam, a criminal hacks a business email account (a CEO’s, for example) to trick other employees into transferring money or giving up important company information.
This is not a new issue. Losses related to these types of attacks increased to $1.8 billion in 2020, according to an FBI report (compared to $1.2 billion in 2018).
Criminals have begun to use virtual meeting platforms to conduct BEC-related scams because of the rise of remote work during the pandemic, which has caused more workplaces and individuals to conduct routine business virtually.
Three ways criminals use virtual meeting platforms to conduct BEC scams
Criminals can compromise an employer’s or a financial director’s email and ask employees to participate in a virtual meeting, where the criminal will insert a still image of the C-level executive with no audio or with “deep fake” audio, and claim their audio/video is not working. They then instruct employees to initiate a transfer of funds via the virtual meeting platform or in a follow-up email.
Criminals can also compromise employee emails to insert themselves into workplace meetings via virtual meeting platforms and collect information on a business’s day-to-day operations.
Another tactic is to compromise an employer’s email, such as the CEO’s, and send spoofed emails to employees instructing them to initiate a transfer of funds, as the CEO claims to be in a meeting and unable to complete the transfer.
How to protect yourself and the organization
- Do not send invites to, or accept invitation links from, people you don’t trust. Always double-check the sender.
- Never share the meeting ID publicly.
- Don’t download or click on anything that pops up in the chat section until you’re sure that the sender is legit.
- Make sure you download the online meeting platform from the official site. Hackers have been creating fake Zoom websites to spread malware. Also, don’t forget to update the application regularly for the most recent security patches.
- If you are organizing a call, make yourself the only host so you’re in full control of the call. In the case of zoombombing, you can turn off someone’s camera or microphone or even disable them.
- Use a cybersecurity product with a threat detection feature to help protect your device from malware.
If you discover you are the victim of a fraud incident, immediately contact your financial institution to request a recall of funds, and file a complaint with ic3.gov or, for BEC/EAC victims, BEC.ic3.gov, as soon as possible.