During the COVID-19 pandemic and mandated statewide quarantines, people are staying connected through the free platform Zoom. The application has become the hot spot for virtual connectivity with its easy-to-use interface and changeable backgrounds. But it turns out that online gatherings, much like physical ones, are susceptible to criminal behavior – and employers need to be prepared.
The Zoom Boom amid Coronavirus Outbreak
Launched in 2013, Zoom experienced massive success prior to the pandemic, achieving unicorn status (i.e., a privately held startup valued at $1 billion or more) in 2017. But Zoom membership skyrocketed from 10 million users in December 2019 to 200 million users in March 2020. It quickly became the top free app for the iPhone (the app may be free, but participants must pay after a 40-minute limit).
Members are now celebrating virtual happy hours, birthday parties and concerts all on the app. On the business side, Zoom has become a host for classrooms, dissertations, conferences and day-to-day meetings to keep the workforce operating at business as usual – or as close to that as possible.
‘Zoombombing’ Becomes Cybercrime’s Latest Weapon
Despite its nearly ubiquitous use in both personal and professional circles, Zoom has become notorious for its hijacks, aka ‘zoombombing’. Though these hijacks are illegal in the United States, Zoom’s privacy settings, data leaks to third parties and accessible links that make it fairly easy for an outsider to join a meeting in progress are creating a window of opportunity for cybercriminals. For example, attackers can peruse Google to find active Zoom links and join anonymously with fake aliases and hidden faces.
The attack usually involves the ‘zoombomber’ spamming the Zoom messenger boards with negative language and hijacking screens to share disturbing images. Regardless of how quickly the Zoom host responds, the attack can last long enough to traumatize participants, including children. Schools in California, Georgia and Utah have suspended videoconferencing after horrific zoombombings. Virtual events from informal family catchups to city council meetings have been affected.
Zoom leadership has been quick to respond to criticism, and the app’s recent 5.0 update sought better encryption, stronger password protocols and more tools for hosts to boot out intruders. But the problems run deep: researchers found that hackers could disrupt Zoom’s software to spy through a computer’s webcam or microphone. The website Motherboard found that Zoom shared data with Facebook – even data on people who are not Facebook users.
Hijackers Specifically Target People of Color
The content of the attacks varies, but zoombombers target people of color and share racist epithets with startling frequency. This isn’t a coincidence. According to a New York Times investigation, participants on right-wing message boards purposefully targeted minority communities through mass organized harassment campaigns.
In mid-April, two assailants hijacked an orientation for over 600 incoming freshmen at a historically black college or university (HBCU). They played pornographic videos on a shared screen and repeated the phrase, “lynch yourself,” as well as racist slurs. Students tweeted messages of resilience in response to the attack, and administrators appeared to reschedule. Local police departments across the country have opened hate crime cases involving zoombombing incidents, expressing the gravity of the targeted attacks.
For a Safer Zoom Meeting, Employ Security Best Practices – and Prepare for a Possible Intrusion
Users can be proactive in making their Zoom meetings safer, even with the app’s flaws.
- Leverage cybersecurity best practices. Whether a family or business, cybersecurity protocols and support are critical, especially when social distancing and dependence on the technology is high. If possible, consult a professional to continually monitor your devices to ensure that apps like Zoom are updated regularly, and that users have documented plans to follow to ensure secure communication.
- Pick another app. Experiment with other video telecommunication services such as Google Hangouts, Cisco WebEx, Microsoft Teams, Skype or Slack. There isn’t an app out there that is completely fortified against cyberattacks – but some are less susceptible than others.
- Check your privacy settings. Zoom is adding more settings for users with every new update, and it’s essential to check on these settings whenever beginning a meeting. For example, the host should always ensure that a password is required to enter the meeting.
- Do not allow anonymous users. Past incidents have shown that hijackers often sneak into meetings under anonymity, not sharing their name or face. Requesting everyone “show themselves” will allow a participant to quickly identify someone who is out of place and may need to be removed.
- Prepare for zoombombing in the workplace. As of right now, no preventative measures are foolproof against a prospective hacker. If using Zoom for business, ensure your organization has a protocol by which employees can report a zoombombing incident. In that same protocol, outline how to respond to such an incident.
- Recognize how a zoombombing could be traumatic. Zoombombers are sharing disturbing images and content that would upset any viewer – and many are specifically targeting individuals based on race and other factors. It is best practice, especially during the COVID-19 pandemic, to develop a mental health-friendly culture – and part of that is ensuring everyone feels welcome and safe while working. Make sure your company has a strategy so that participants in a zoombombed meeting can access the help and resources they may require after a traumatic incident.
Hackers with the intent to disrupt a meeting for fun, seek personal information or target individuals of a specific background will continue to test the boundaries of virtual gatherings. If you’re not sure about the safety and security of your virtual meeting platform, our personal and cybersecurity experts can help. Contact us to set up a consultation.