Computer Security Phishers Exploiting Employee Layoffs and Payroll Concerns

Phishers Exploiting Employee Layoffs and Payroll Concerns

covid-19 phishing scamsThe current climate of working from home saw several phishing campaigns going after WebEx and Zoom credentials of company employees around the world. Two new campaigns were trying to exploit these fears by delivering fake 'Zoom meeting about termination' emails and fake notifications concerning 'COVID-19 stimulation/payroll processing.'

Zoom Phishing During a Pandemic

One of the phishing campaigns, noticed by Abnormal Security, was working with emails allegedly coming from the organization's Human Resources. It was asking the recipients to attend a Zoom meeting that allegedly starts in a few minutes.

The supposed point of the meeting is the targeted employee's termination. The provided link may fool the victim into a spoofed Zoom login page hosted on The company mentioned the email has the looks and format of a legitimate meeting reminder that is often used by Zoom. The only difference is the functionality on the phishing page, with login fields used to steal any credentials the victim puts in. The victims would have a hard time understanding this was a design made to steal their login information.

Most Zoom users would take a look at the login page, believing their session expired, and they may try to sign in again. Doing that would likely lead to inputting their login credentials without looking at the URL or checking for nonfunctioning links in the page.

Phishing Used to Deliver Malware to Victims

The second phishing campaign is made to look like a legitimate email from an HR contractor. It informs employees of additional stimulus provided to them and prompting them to review the latest 'Payroll Report'.

The email contained a link to a fake payroll report in Google Docs, with another link within it. The document claimed the report cannot be viewed on mobile devices, so it has to be seen on corporate desktop computers. The link leads to a malware download, the company disclosed.

In this case the attack uses the growing concerns over employee payrolls during the COVID-19 pandemic. Targeted users are very likely to read the messages, worried about their situation, being in a hurry to grab the alleged stimulus and ignoring the obvious signs of something amiss. Taking advantage of people's desperation in a crisis is nothing new, since attackers and scam artists have been doing it for a long time.

Users are advised to pay careful attention to details during the crisis, looking for odd URLs or things that don't fit the usual to spot scammers and social engineers.