Fake Zoom Meeting Invitations: A New Phishing Technique

IsThisAScam Research Team · April 4, 2026 · 3 min read
Contents
  1. Fake Zoom Meeting Invitations: A New Phishing Technique
  2. What the Fake Invitation Looks Like
  3. Three Attack Vectors
  4. Red Flags to Watch For
  5. How to Safely Join Zoom Meetings
  6. After Clicking a Suspicious Link

The shift to remote and hybrid work created a permanent opening for phishing attacks disguised as meeting invitations. In January 2026, a coordinated campaign sent fake Zoom invitations to over 50,000 corporate email addresses in a single week. The emails were indistinguishable from real Zoom notifications to most recipients. Seventeen percent clicked the link. Of those, nearly half entered their credentials on the phishing page.

What the Fake Invitation Looks Like

The phishing email mimics Zoom's standard meeting invitation format:

"Hi,

James Wilson is inviting you to a scheduled Zoom meeting.

Topic: Q2 Planning Review
Time: Apr 4, 2026, 10:00 AM Eastern

Join Zoom Meeting
https://zoom.us/j/82341556789

Meeting ID: 823 4155 6789
Passcode: 847291"

Everything looks correct — the formatting, the meeting ID format, even the passcode. But the hyperlink behind the text doesn't actually point to zoom.us. It points to zoom-us-meeting.com or zoom.us.secure-join.net. The text displays the legitimate URL while the actual link goes elsewhere.

Three Attack Vectors

Credential theft. The link opens a page that looks like the Zoom web client, asking you to "Sign in to join this meeting." You enter your Zoom credentials, and they're captured. Since many organizations use SSO, your Zoom password may be the same as your corporate network credentials — giving attackers access to far more than just Zoom.

Malware installation. The phishing page displays a message: "This meeting requires the latest version of Zoom. Click here to update." The "update" is malware — typically an infostealer that captures passwords, browser cookies, and cryptocurrency wallets, or a remote access trojan that gives attackers persistent access to your computer.

Man-in-the-middle attacks. More sophisticated campaigns proxy the real Zoom login. You actually sign into Zoom through the attacker's server, which captures your session token. You join a real meeting (or see an error that the meeting ended), while the attacker now has an authenticated session to your Zoom account.

Red Flags to Watch For

You weren't expecting the meeting. If you receive a Zoom invitation for a meeting you don't remember being invited to, verify with the supposed host before clicking. This is especially important for invitations from people outside your organization.

The sender address is wrong. Real Zoom invitations come from no-reply@zoom.us. Phishing versions come from lookalike addresses like noreply@zoom-meetings.com or meeting@z00m.us (with zeros instead of o's).

The join link doesn't match. Hover over the link before clicking. The displayed text might show zoom.us/j/82341556789, but the actual URL (visible in the bottom-left corner of your browser) points elsewhere. This is the single most reliable way to detect the scam.

It asks you to download something. If you click a meeting link and are told to install or update Zoom, stop. Open Zoom separately from your Applications folder or Start menu. If an update is genuinely needed, Zoom will prompt you to update through the app itself, not through a browser page.

It asks for credentials you shouldn't need. If you're already signed into Zoom and a meeting link asks you to sign in again, something is wrong. Real Zoom links open directly in the app or launch the web client using your existing session.
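
The join-link check described above can be automated for HTML email. This is an added example, not part of the original article: it compares the host shown in each link's visible text with the host in its href, and it rejects hosts that are not zoom.us or a true subdomain of it. The function names, the single-domain allowlist and the sample HTML (including the us02web subdomain) are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "zoom.us"  # assumption: the only domain accepted for join links
URL_IN_TEXT = re.compile(r"(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

def host_of(url):  # lowercased hostname; tolerates a missing scheme
    url = url if "://" in url else "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_trusted(host):
    # Exact match or a true subdomain; "zoom.us.secure-join.net" does not qualify.
    return host == TRUSTED or host.endswith("." + TRUSTED)

class LinkCollector(HTMLParser):  # collects (href, visible text) per <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html):
    """Return {href_host: [reasons]} for every link that fails a check."""
    parser = LinkCollector()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        m = URL_IN_TEXT.search(text)
        real, shown = host_of(href), host_of(m.group(0)) if m else ""
        reasons = [] if is_trusted(real) else ["untrusted-host"]
        if shown and shown != real and not (is_trusted(shown) and is_trusted(real)):
            reasons.append("display-mismatch")
        if reasons:
            findings[real] = reasons
    return findings

SAMPLE = (  # constructed sample: three anchors from an HTML invitation body
    '<a href="https://zoom-us-meeting.com/j/82341556789">https://zoom.us/j/82341556789</a>'
    '<a href="https://zoom.us.secure-join.net/j/1">Join Zoom Meeting</a>'
    '<a href="https://us02web.zoom.us/j/82341556789">https://zoom.us/j/82341556789</a>')
```

Running `audit_links(SAMPLE)` flags the two lookalike hosts and passes the genuine subdomain. The suffix check in `is_trusted` is what separates `us02web.zoom.us` from `zoom.us.secure-join.net`, which a plain substring search for "zoom.us" would accept.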

How to Safely Join Zoom Meetings

Instead of clicking links in emails, copy the Meeting ID and paste it into the Zoom app directly. Open Zoom, click "Join," enter the Meeting ID and passcode, and join from there. This bypasses any phishing links entirely.

If you use a calendar integration (Google Calendar, Outlook), joining through the calendar event is safer than clicking email links, because the calendar event was typically created by the real Zoom scheduling system.

For organizations, configure Zoom SSO so that authentication happens only through your identity provider. This means even if an employee clicks a phishing link and sees a fake Zoom login page, they'll recognize it's not the usual SSO login flow.

After Clicking a Suspicious Link

If you entered your Zoom credentials on a suspicious page, change your Zoom password immediately at zoom.us/profile. If you use the same password elsewhere, change those too. Enable two-factor authentication on your Zoom account. If you downloaded anything, disconnect from the network and run a full malware scan. Notify your IT team if this is a work account — the attacker may have already accessed meeting recordings, chat logs, or contact lists.

Meeting invitations are part of daily work life, and that's exactly why they make such effective phishing lures. Build the habit of verifying links before clicking, and join meetings through the app rather than through email links.
