Phishers exploiting employees’ layoff, payroll concerns

A few days ago, we outlined several phishing campaigns going after Zoom and WebEx credentials of employees. Two new ones are trying to exploit their (at the moment very rational) fears by delivering fake “Zoom meeting about termination” emails and fake notifications about COVID-19 stimulation/payroll processing.

Phishing for Zoom credentials

Spotted by Abnormal Security, one phishing campaign comes in the form of emails seemingly coming from the organization’s Human Resources department, urging the recipient to attend a Zoom meeting scheduled to start in a few minutes:

fake termination emails

The purported topic of the meeting? The employee’s termination.

The provided link takes the victim to a spoofed Zoom login page hosted on

“The email looks and is formatted like a legitimate meeting reminder commonly used by Zoom. The landing page is also a carbon copy of the Zoom login page; except the only functionality on the phishing page are the login fields used to steal credentials. Recipients would be hard-pressed to understand that this was, in fact, a site designed specifically to steal their credentials,” the company notes.

“Frequent Zoom users would look at the login page, think their session has expired, and attempt to sign in again. They would be more likely to input their login credentials without checking the abnormalities in the phishing page such as the URL or non functioning links.”

Phishing to deliver malware

The second phishing campaign is made to look like an email from an outsourced HR contractor informing employees of additional stimulus being provided to them and asking recipients to view the latest Payroll Report:

fake termination emails

The email contains a link to a fake payroll report hosted on Google Docs, which contains another link inside it.

“The document claims that the report cannot be viewed on mobile devices, and that it can only be viewed via corporation desktop computers. However, this second link leads to a malware download,” the company shared.

“This attack utilizes growing concerns regarding employee payroll during the COVID-19 pandemic. Users are likely to read this message, and rush to claim their supposed stimulus while ignoring obvious red flags along the way. Whether this is a result of greed or desperation, attackers are able to manipulate users into downloading harmful files.”

Don't miss