After skyrocketing in popularity as COVID-19 ushered in the near-universal virtual workplace, Zoom came under fire for a myriad of security issues. The company has now updated its videoconferencing service to address the problems that were found, with Zoom 5.0 due for release in the coming week.
The latest version requires “waiting rooms” and passwords for calls by default. The new “Report a User” feature also makes it easier to identify Zoom-bombers so that they can be prevented from continuing their abuse.
Are Zoom’s calls encrypted in 5.0?
Currently, Zoom does not support end-to-end encryption, though this may be introduced in the future. In the meantime, the company is upping its encryption game. Forbes reports:
As part of Zoom 5.0 due to launch in around a week, Zoom will upgrade to Advanced Encryption Standard (AES) 256-bit GCM encryption, which is a big improvement on its 128-bit AES keys. Zoom 5.0 supports GCM encryption, and Zoom says this will take effect once all accounts are enabled with GCM, with system-wide account enablement taking place on May 30.
Zoom phishing scams
But Zoom still faces another problem: a smattering of phishing attacks posing as Zoom notification emails. Forbes explains:
There are three emails to look out for. The first has the subject line “Zoom Account” and includes a message welcoming new users to their account. However, attackers then encourage users to click on a link and activate their Zoom account by entering their login details–which the criminal will then steal.
The second email, which has the subject line “Missed Zoom Meeting,” informs you that you’ve just missed a Zoom meeting. Attackers then want you to click a link to “check your missed conference,” so you again enter your details which they can steal.
The third scam discovered by Proofpoint is aimed at U.S. based users working in industries such as technology, accounting, aerospace, energy, healthcare, telecommunications, transportation, government, and manufacturing companies. It targets another popular video conferencing service Cisco WebEx. The Cisco WebEx scam reads: “Alert!” “Your account access will be limited!” Attackers will then try to make you “update your WebEx” to fix a security vulnerability, by leading you to a phishing page.
To be fair, this phishing attack is no fault of Zoom’s: the fact of the matter is simply that Zoom’s increased user base has made it a prime target for phishers. As always, the best way to protect yourself from phishing attacks is to never open emails from unknown senders, never click on links in emails that look suspicious or come from unknown senders, and stay alert to questionable senders or subject lines. Finally, never enter your credentials on a site you reached through a link in an email; instead, go to the app directly and check your account to see if any issues need your attention.
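The advice above can also be applied at the mail gateway. The following triage check is an added example, not code from the article, Forbes, Proofpoint, Zoom or Cisco: it flags messages that use the lure wording quoted above or that mention a vendor while linking to a host outside that vendor's domain. The function names, the sample messages and the trusted-domain list (zoom.us, webex.com) are assumptions made for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Lure wording quoted in the article above.
LURES = ("zoom account", "missed zoom meeting", "your account access will be limited")
# Assumption: the domains each vendor serves its real sign-in pages from.
TRUSTED = {"zoom": ("zoom.us",), "webex": ("webex.com",)}
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)

def host_trusted(host, domains):
    """True only for a listed domain or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw_email):
    """Return the reasons a message resembles the lures described above."""
    msg = message_from_string(raw_email)
    subject = (msg["Subject"] or "").lower()
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk() if not p.is_multipart()]
    body = b"\n".join(parts).decode("utf-8", "replace")
    text = subject + "\n" + body.lower()
    reasons = [f"lure wording: {lure!r}" for lure in LURES if lure in text]
    for brand, domains in TRUSTED.items():
        if brand not in text:
            continue
        for url in HREF.findall(body):
            link = urlsplit(url)
            # Only web links matter here; a brand name at the front of the
            # host (zoom.us.something.example) does not make it trusted.
            if link.scheme in ("http", "https") and not host_trusted(link.hostname, domains):
                reasons.append(f"{brand} mail links to untrusted host: {link.hostname}")
    return reasons

# Constructed samples; the example.net hosts are placeholders.
PHISH = """From: Zoom <no-reply@zoom-notify.example.net>
Subject: Missed Zoom Meeting
Content-Type: text/html

<p>Check your missed conference:
<a href="https://zoom.us.meeting-check.example.net/login">zoom.us/j/123</a></p>
"""
GENUINE = """From: Zoom <no-reply@zoom.us>
Subject: Your meeting recording is ready
Content-Type: text/html

<a href="https://us02web.zoom.us/rec/share/abc">View recording</a>
"""
```

A genuine message that links to a third-party host will also be flagged, so treat the output as a reason to inspect the message rather than as a verdict.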