Quick Take

Deepfake video Zoom and Teams calls are now a documented attack pattern. Arup, the UK engineering firm, lost $25 million in February 2024 to a Hong Kong wire-transfer scam where multiple executives on a video call were deepfakes. WPP's CEO faced a similar attempted deepfake in May 2024. The attack usually starts weeks earlier with a compromised collaboration account (Slack, Teams, Google Workspace), then escalates to a "quick Zoom" with synthetic video. Voice-only defenses miss it entirely. The fix is a callback on a saved phone number for any urgent wire request, a 3-minute pause rule, and a URL scanner that blocks lookalike Zoom and Teams meeting invites before the call ever starts.

The Friday afternoon Daniel sent the wire

Daniel works at a mid-size architecture firm in Chicago. About 180 people across three offices. Public-sector clients mostly, some commercial. He is 34, has been with the firm for six years, and runs operations and finance on a day-to-day basis. He reports to Maria, the CFO. Maria reports to Karim, the CEO. The chain of command is short and informal. People text each other. People ping each other on Slack. People walk into each other's offices. That is the firm's whole culture.

On a Friday in late February, at 2:54 PM Central, Daniel's Slack pings. It is Maria. The message reads: "Quick Zoom about a wire transfer for the Singapore acquisition deal. Join now. Karim is on already. We need to close before end of day." There is a Zoom link below. The link reads zoom.us/j/82547... and then a long string of numbers. Daniel does not look at the prefix. The message comes from Maria's Slack account, with her profile photo, her usual short writing style ("Join now" without a period, exactly how she always types).

Daniel clicks the link. Zoom opens. Two video tiles. Maria's face, top left. Karim's face, top right. Both are nodding gently. Maria's voice comes through the speakers, slightly compressed, slightly muffled, the way Zoom audio always sounds. "Hey Daniel, thanks for jumping on. Quick one. The Singapore engineering firm we have been talking about, the small acquisition, the lawyers finalized the escrow this afternoon and the seller wants the deposit before end of day or they walk. Karim, you want to add anything?"

Karim's face on the right tile turns slightly. His mouth opens and the audio comes through. "Yeah, Daniel, this is time-sensitive. I know it is unusual but we have been discussing this for two months internally, the board signed off last week. Send the wire today. Five-eighty thousand to the escrow agent. Maria has the wire instructions, she will drop them in the Zoom chat."

Daniel says "Okay, sure, no problem." He has done dozens of wires under Maria's direction. The amount is unusual but not outside the range of work the firm does. Maria pastes wire instructions into the Zoom chat. Beneficiary name. SWIFT code. Account number. Bank in Singapore. Daniel screenshots the chat for his own records, says "Got it, sending now," and the meeting ends after about four minutes total.

Daniel walks to his desk. He logs into the firm's bank portal. He fills in the beneficiary fields. He types $580,000.00. He hits the SMS-to-phone two-factor confirmation step (the firm requires it for any wire over $50,000). The wire goes out at 3:11 PM Central. Confirmation number lands in his email. He forwards it to Maria on Slack with a thumbs-up emoji. She replies with a heart. He closes his laptop at 5:30 PM and drives home for the weekend.

On Monday morning at 9:08 AM, the real Maria walks past Daniel's office on the way to the espresso machine. She sticks her head in. "Hey, how was your weekend? Anything go out Friday I should know about?" Daniel says, "Yeah, the Singapore wire, all good, confirmation went to your inbox." Maria's face does a small thing. She tilts her head. "Singapore wire?" Daniel says, "The acquisition. The deposit. You and Karim were on the Zoom Friday afternoon." Maria says, "What Zoom?"

Daniel feels the floor tilt. He pulls up Slack. He scrolls to Friday at 2:54 PM. The message is still there. The Zoom link is still there. He clicks it. The link goes to a 404 now, the meeting is gone, the room never existed in the firm's licensed Zoom workspace. He scrolls Maria's actual sent messages on Slack. The 2:54 PM message is not in her message history. It only appears in Daniel's view of the conversation, sent from a session he cannot now identify.

Karim walks in two minutes later because Maria has already paged him. The three of them stand in Daniel's office at 9:14 AM Monday and try to reconstruct what happened. Karim says, "I was on a flight Friday at 3 PM, no internet, definitely not on a Zoom." Maria pulls up her Slack admin panel. There is a session from Friday afternoon, logged in from an IP address she does not recognize. Slack security flagged it and emailed her, but the email went to her promotions tab because of how it was formatted. She had not seen it.

The firm's IT director arrives. He starts pulling logs. The Slack account was compromised the previous Tuesday, six days earlier, via what looks like an OAuth phishing email Maria clicked on (a fake "Slack Workspace migration confirmation" prompt). The attacker had been quietly reading Slack conversations for six days, learning the firm's tone, the people Daniel trusted, the time of day wires usually went out, the way Maria wrote, the projects Karim mentioned. By Friday the attacker had everything needed to stage a four-minute video call with two synthetic faces nodding through a brief.

The Friday Zoom call had been hosted at zoom-meet.us/j/82547..., not zoom.us/j/82547... Daniel's brain had pattern-matched the first four characters and stopped looking. The deepfake video of Maria and Karim had been generated from publicly available video clips. Maria had given a 12-minute webinar talk at an industry conference six months earlier, on YouTube, with crystal-clear footage of her face from three angles. Karim had a TEDx talk from two years ago. Both had LinkedIn videos. Together this gave the attacker more than enough source material for a real-time face-swap video model. The voices were cloned from the same YouTube videos in under 90 seconds each.

The $580,000 had landed in a Singapore correspondent bank at 3:12 PM Central Friday, was wired to a second bank in another jurisdiction by 4:30 PM the same day, and was broken into nine smaller transfers across eight further jurisdictions over the weekend. The firm's bank tried to recall the wire Monday morning. The first-hop bank in Singapore said the funds had already moved. The recovery posture quickly became "report to law enforcement, file the insurance claim, brief the board."

The board meeting was Wednesday. The board partner who had been pushing the firm for a year to formalize a callback rule on wires looked at Karim and said, "We talked about this in April."

How the deepfake Zoom attack actually works

The Arup case, the WPP attempt, and the composite Daniel scenario all follow the same five-step chain. The mechanics are public knowledge by now. The numbers are not theoretical.

  • Step 1, foothold via collaboration account. The attacker compromises a Slack, Microsoft Teams, or Google Workspace account belonging to a finance or executive team member. Typical vector is an OAuth consent phishing prompt that looks like a routine workspace migration or app permission request. The user clicks "Authorize", the attacker now has a refresh token and can read all messages and channels the victim can read. The compromise often goes undetected for one to three weeks.
  • Step 2, reconnaissance. The attacker silently observes communication patterns. Who approves wires. What language the CFO uses. What time of week wires usually go out. Which deals are real, which are rumored, which board approvals exist. The attacker also pulls publicly available video footage of the executives from YouTube, LinkedIn, conference recordings, and press interviews. Sixty seconds of clean face footage and ninety seconds of clean voice is enough to train a real-time deepfake.
  • Step 3, the urgent trigger. The attacker, posing as the CFO inside the compromised Slack or Teams account, sends a message to a finance team member: "Quick video call about a confidential wire. Join now." A Zoom or Teams link is included. The link is a near-lookalike domain (zoom-meet.us, zoorn.us, teams-microsoft-365.com, meet-google.us) hosting a real video room the attacker controls. The Slack message itself comes from a real, verified internal account, which silences most "is this really from my CFO" suspicion.
  • Step 4, the video call. The target joins. One or more deepfake video tiles render synthetic faces of the CFO, CEO, or board members. The faces nod, blink, glance off-camera, and speak in cloned voices that match the executives' real audio characteristics. The call is short, three to seven minutes. The script is tight. Wire instructions are dropped in the chat. The target is asked to confirm verbally and proceed.
  • Step 5, the wire and the lateral movement. The target executes the wire from the firm's bank portal. Funds land in a correspondent bank in Hong Kong, Singapore, the UAE, or another jurisdiction where rapid lateral movement is possible. Within two to four hours the funds are split across multiple beneficiary accounts in other jurisdictions, then layered through legitimate-looking shell companies. By Monday morning the trail is cold.

The whole chain takes the attacker about three weeks of reconnaissance and four minutes of video acting. The target takes about eleven minutes from "Join now" Slack ping to wire confirmation. The bank cannot recall the wire after the first jurisdictional hop. Insurance covers some of it, sometimes. The board meeting is always painful.

Why voice-only defenses miss deepfake video

Until 2023, the standard "vishing" or CEO-impersonation defense was: if it sounds urgent on a phone call, call back on a number you know. That advice still works for audio-only impersonation. But the Arup case showed that the moment you add a video tile with a familiar face nodding, the brain stops asking the "is this really my CFO" question.

The Pindrop Voice Intelligence Q4 2024 report found that deepfake voice attacks against banks were up roughly 350 percent over the prior year, and that the average cost per successful deepfake voice attack to a financial institution was around $600,000 in 2024. Pindrop also flagged that the attacks are no longer mostly audio. The video deepfake on Zoom or Teams is now the more dangerous variant because human trust signals (eye contact, head movement, micro-expressions) carry far more weight than voice alone.

Deloitte's Center for Financial Services projected in its 2024 outlook that deepfake-driven fraud could drive losses of around $40 billion in the United States alone by 2027, up from roughly $12 billion in 2023, a compound annual growth rate above 30 percent. The Identity Theft Resource Center's 2024 Trends in Identity Report flagged synthetic identity fraud (closely related to deepfake-enabled fraud) as one of the fastest-growing categories of the year.

The brain trusts faces. That is the entire vulnerability. A video tile with a familiar nodding face is treated as authentication, even when no authentication actually happened.

For the audio-only sibling of this attack, see our coverage of voice cloning fake-arrest scams and AI voice cloning vishing attacks for the consumer version of the same technology used at executive scale here.

The Arup Hong Kong case and what we learned

In February 2024, Arup, the global British engineering firm best known for the Sydney Opera House and the Beijing Olympics aquatic center, lost the equivalent of around $25 million (HK$200 million) from its Hong Kong office to a deepfake video conference attack. The story, first reported by the South China Morning Post in February 2024 and later confirmed by an Arup spokesperson to multiple outlets including the Financial Times and CNN, ran as follows.

A Hong Kong-based finance employee at Arup received an email purporting to be from the firm's UK-based CFO, requesting a confidential transaction. The employee was initially skeptical and flagged it as a possible phishing attempt. Then the same supposed CFO invited the employee to a video conference call. On the call, the employee saw and heard what appeared to be the CFO and several other senior Arup staff, all on camera, all speaking in their familiar voices.

The employee proceeded with 15 transactions across multiple bank accounts in Hong Kong, totaling roughly HK$200 million (about $25 million USD at the time). When the employee later checked in with the head office, Arup confirmed no such transactions had been authorized. Every "person" on that video call other than the employee had been a deepfake.

Hong Kong Police later confirmed at a press briefing that this was one of the largest deepfake-enabled financial fraud cases they had ever investigated. The arrests that followed in Hong Kong involved a small number of money mules, but the technical operators behind the deepfakes were never publicly identified.

The Arup spokesperson later said the firm's "financial stability and business operations were not affected" by the loss, but acknowledged the broader lesson: "Like many other businesses around the globe, our operations are subject to regular attacks, including invoice fraud, phishing scams, WhatsApp voice spoofing, and deepfakes." That last word, in a corporate statement, was a quiet first.

The WPP CEO deepfake attempt in May 2024

Three months after the Arup loss, WPP CEO Mark Read became the target of a deepfake attempt that was caught before any money moved. The Guardian and the Financial Times reported in May 2024 that attackers cloned a publicly available image of Read, set up a fake WhatsApp account using that image, and then arranged a Microsoft Teams meeting between the fake Read, another senior WPP executive, and a third "agency leader" target.

On the Teams call the attackers played a YouTube clip of Read's voice and used a separate chat window to type messages impersonating him. The script attempted to solicit personal details and money from the target executive in connection with a fake new business venture. The target became suspicious during the call and the attempt failed. WPP CEO Mark Read sent a memo to the company afterwards thanking the team and warning about the rise of executive deepfake impersonation.

Two details about the WPP attempt make it useful as a defense case study. First, the attack used a real meeting in a real Microsoft Teams environment. The trust signal of "the meeting is on our Teams" did not catch this. Second, the target detected the fraud through pattern mismatch (the "CEO" was asking for personal information in a way the real CEO never did), not through any technical detection. Human pattern recognition is still the strongest defense layer when the technical layers fail.

What the 2024 and 2025 reports say about deepfake fraud at scale

This is not a curiosity attack pattern. The latest authority data shows it scaling fast.

  • FBI Internet Crime Report 2024 (IC3, published April 2025): Business Email Compromise (BEC) and related executive-impersonation fraud generated reported losses of approximately $2.9 billion in 2024 across 21,489 complaints in that category alone. Total IC3 reported losses across all categories reached $16.6 billion, a 33 percent jump year over year.
  • Pindrop Voice Intelligence Q4 2024: Deepfake voice attacks against banks and financial institutions rose roughly 350 percent year over year. Average loss per successful incident was around $600,000. The report flagged that video-and-voice deepfakes on Zoom and Teams are growing faster than audio-only.
  • Deloitte Center for Financial Services 2024: Projected deepfake fraud losses in the US could reach $40 billion by 2027, up from roughly $12 billion in 2023, a compound annual growth rate above 30 percent.
  • Identity Theft Resource Center 2024 Trends in Identity Report (January 2025): Synthetic identity fraud (often the layer underneath deepfake impersonation) flagged as one of the fastest-growing categories of 2024, particularly in enterprise account takeover and executive impersonation cases.
  • Group-IB Threat Intelligence 2024 and SentinelOne writeups: Documented multiple "deepfake-as-a-service" kits sold on underground forums through 2024, lowering the technical bar so that operators with no machine-learning expertise can stage video-call attacks for a few hundred dollars per target.

One number to remember: $25 million lost by a single firm in a single afternoon. That was the public Arup figure. The next case will not have a single firm's name attached, but it will almost certainly involve a Slack or Teams account compromised weeks earlier and a video call that looked completely normal.

Install SafeBrowz to block lookalike Zoom and Teams links

The first defense layer is making sure the fake meeting link never opens in the first place. A real Zoom URL has the hostname zoom.us or your company's specific Zoom subdomain of it. A real Teams URL has the hostname teams.microsoft.com. Anything else (zoom-meet.us, zoorn.us, zoom-conf.com, teams-microsoft-365.com, microsoft-teams-meeting.org, meet-google.us) is a lookalike.
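The hostname check described above, as an added JavaScript example (not SafeBrowz's code or detection logic). The allowlist, brand tokens, confusable-character table and function names are assumptions built from the domains named on this page, plus meet.google.com, the real Google Meet host.

```javascript
// Added example, not SafeBrowz code. Scope: links that claim to be a meeting invite.
// All lists below are assumptions built from the domains named on this page.

// Hosts accepted for meeting invites: the exact host, or any subdomain of it.
const TRUSTED_HOSTS = ["zoom.us", "teams.microsoft.com", "meet.google.com"];

// Brand words that should only show up in a meeting link on a trusted host.
const BRAND_TOKENS = ["zoom", "teams", "microsoft", "google"];

// Character sequences that read as another letter at a glance ("zoorn" -> "zoom").
const CONFUSABLES = [["rn", "m"], ["vv", "w"], ["0", "o"], ["1", "l"]];

function isTrustedHost(host) {
  // Compare on a label boundary: "acme.zoom.us" passes, "notzoom.us" and
  // "zoom.us.example.net" do not. A startsWith() check would accept the latter.
  return TRUSTED_HOSTS.some((t) => host === t || host.endsWith("." + t));
}

function foldConfusables(word) {
  return CONFUSABLES.reduce((s, [from, to]) => s.split(from).join(to), word);
}

function brandTokensIn(host) {
  // Break the hostname into words on dots and hyphens, then look for brand
  // words both as written and after folding confusable sequences.
  const hits = new Set();
  for (const word of host.split(/[.-]/).filter(Boolean)) {
    for (const candidate of [word, foldConfusables(word)]) {
      if (BRAND_TOKENS.includes(candidate)) hits.add(candidate);
    }
  }
  return [...hits];
}

function classifyMeetingLink(link) {
  let url;
  try {
    url = new URL(link); // the parser, not string matching, decides what the host is
  } catch {
    return { verdict: "invalid", host: null, brands: [] };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { verdict: "invalid", host: null, brands: [] };
  }
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (isTrustedHost(host)) {
    return { verdict: "trusted", host, brands: [] };
  }
  // A brand word on a host outside the allowlist is the lookalike signal.
  // "unknown" hosts carry no brand word but are still not approved meeting hosts.
  const brands = brandTokensIn(host);
  return { verdict: brands.length > 0 ? "lookalike" : "unknown", host, brands };
}

// Constructed sample links, using the hostnames this page lists.
const SAMPLE_LINKS = [
  "https://zoom.us/j/82547",
  "https://acme.zoom.us/j/82547",
  "https://teams.microsoft.com/l/meetup-join/sample",
  "https://zoom-meet.us/j/82547",
  "https://zoorn.us/j/82547",
  "https://zoom-conf.com/j/82547",
  "https://teams-microsoft-365.com/join",
  "https://microsoft-teams-meeting.org/join",
  "https://meet-google.us/abc-defg-hij",
  "https://zoom.us.example.net/j/82547",
  "https://example.org/meeting",
];

for (const link of SAMPLE_LINKS) {
  const { verdict, brands } = classifyMeetingLink(link);
  console.log(verdict.padEnd(10), link, brands.length ? "(" + brands.join(", ") + ")" : "");
}
```

Exact-word matching keeps false positives low but will not flag a brand word fused into a longer word, so the allowlist remains the control that decides what may open.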

SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that scans every URL you click against a 550+ brand database, real-time threat intelligence APIs, and an AI content layer for brand-new lookalikes that no blocklist has caught yet. Zoom, Microsoft Teams, Google Meet, Webex, and the other major video conferencing brands are in the database. When a Slack ping arrives with a "Join now" link to zoom-meet.us, the extension intercepts the click and shows a red interstitial before the fake Zoom room loads. The four-minute deepfake call never happens.

This is the cheap, fast layer. It runs in the browser, costs nothing, and works on every link you click in Slack, Teams, email, or anywhere else.

Verify any urgent wire transfer through a second channel

The URL layer catches most lookalike links. But "most" still leaves a gap. A sophisticated attacker can compromise a real account inside your firm and send a perfectly valid real Zoom link to a real room they control, with deepfake video tiles inside it. The URL layer cannot help once you are in a real Zoom room with synthetic faces.

The second layer is procedural. For any urgent wire transfer request, regardless of who asked or how convincing the video was, hang up or close the meeting and call back the requester on a phone number you already have saved in your contacts. Not a number from the chat. Not a number from the email signature. The phone number you would have used last week before any of this started.

This is the single highest-value control. Every documented deepfake CEO fraud case in 2024 would have been stopped by a 30-second callback on a known phone number. The Arup employee. The Hong Kong wire-transfer chain. The WPP attempt (which actually was stopped, partly by a callback-style verification). The reason callbacks work is that the deepfake attacker controls the inbound channel but not your contacts list. They cannot intercept a call you initiate to a saved number.

Build the callback into your firm's wire transfer policy. Any wire over $25,000, regardless of who requested it, requires the executor to call back the requester on a phone number from the company directory. Document it. Train on it. Make it boring and routine. Boring is the whole goal. A callback that takes 90 seconds is the difference between $0 lost and $580,000 wired to Singapore.

The 3-minute callback rule

For any urgent money request that arrives through any channel (Slack, Teams, email, video call, WhatsApp, text, phone) the rule is: pause for three minutes, call back on a saved number, only then proceed.

Three minutes feels artificial when the "CFO" on the video tile is telling you the seller will walk if the deposit does not land by end of day. That artificial-feeling pause is the entire defense. Real urgent business does not actually require less than three minutes of verification. A real CFO, told that the executor was pausing to call back and confirm, would say "good, of course, call me." A deepfake CFO would either disconnect, pressure you to keep moving, or both. The pressure to skip the callback is the single clearest red flag of the entire attack.

The 3-minute rule pairs naturally with the standard advice for related attack patterns. For executive-impersonation wire transfer fraud broadly, see whaling and CEO wire transfer scams. For the LinkedIn reconnaissance that almost always precedes a deepfake attack, see spear phishing and LinkedIn profiling.

Red flags during a video call

If you are already on a video call and starting to wonder whether the faces are real, these signals are worth knowing. None of them are perfect on their own. Two or three together is a strong signal.

  • Slightly off lip-sync. Deepfake video has improved a lot, but real-time face-swap models still drift by 30 to 80 milliseconds on hard consonants. If something feels off about the timing of speech, trust that feeling.
  • Limited side profile. Most deepfake models render the face cleanly from straight on but struggle when the head turns more than about 30 degrees off-center. Ask the person to turn their head and look at something on their right or left.
  • Hand in front of the face. Real-time deepfakes break or flicker when a hand passes in front of the face. Ask the person to wave hello, scratch their nose, or hold up a finger.
  • Reflective surfaces and glasses. Reflections on glasses and shiny earrings are still hard for deepfake models. If the glasses look weirdly matte or the lighting on them does not match the room, take it seriously.
  • No spontaneous off-script behavior. Deepfakes work best with scripted speech. Ask an off-script question that only the real person would know the answer to. "How is your daughter's volleyball season?" works better than "What is our company's name?"
  • The call cannot be moved. If you suggest hanging up and reconnecting on a different platform, or moving to a phone call on a saved number, and the person pushes back hard, that pressure to stay in the channel they control is itself the strongest red flag.
  • Pressure to keep moving. Real CFOs and CEOs take callbacks. Deepfake attackers cannot afford the time. If the urgency feels engineered to prevent a callback, it almost certainly is.

What to do if you fell for it

If you read this and recognize a moment from the last few weeks at your firm, here is the playbook for the first 24 hours.

  • Call your firm's bank immediately. Tell them you have a fraudulent wire and you need a recall request opened right now. Speed matters. The first 4 to 8 hours are the only realistic window for any recovery.
  • Freeze the source account. Lock down further wires from the account the fraudulent wire originated from until your IT team has confirmed which credentials are compromised.
  • Reset all collaboration platform credentials. Force password resets and sign-out of all sessions on Slack, Microsoft Teams, Google Workspace, and any other shared platform. Revoke OAuth tokens for all third-party apps, since the original foothold was probably an OAuth consent prompt.
  • Engage your cyber insurance carrier. Most enterprise cyber policies require notification within a short window (often 24 to 72 hours) of any known incident. Late notification can void coverage.
  • Report to the FBI Internet Crime Complaint Center at ic3.gov. The FBI can sometimes initiate a Financial Fraud Kill Chain process with correspondent banks if the report lands within 72 hours. This has recovered funds in past BEC cases. File the report the same day.
  • Engage external incident response. If your firm does not have an internal DFIR team, retain an external firm (Mandiant, CrowdStrike Services, Unit 42, Kroll, or similar) to do a full forensic review of the compromised account. Understanding which other data the attacker accessed is essential.
  • Brief the board and legal. Document everything in writing. The board needs to know within 24 hours. Legal needs to assess any disclosure obligations under SEC rules (for public companies), GDPR notifications, or state-level data breach laws.

How to report a deepfake fraud attempt

Even if no money moved, report the attempt. Each report strengthens the public record and helps the next firm.

  • FBI IC3 at ic3.gov. File a full report. Include the fake Zoom or Teams URL, the timestamps, the deepfake video samples if you saved them, the compromised account, and the wire details if any.
  • FTC at reportfraud.ftc.gov. Adds to the Consumer Sentinel Network database queried by law enforcement.
  • Your local FBI field office. For losses over a few hundred thousand dollars, a direct call to the local FBI field office cyber squad can sometimes get faster traction than an online IC3 report alone.
  • CISA at cisa.gov/report. If your firm is in a critical infrastructure sector (energy, water, finance, defense, healthcare).
  • APWG at reportphishing@apwg.org. If the initial compromise was an OAuth phishing email, forward the original email. Adds the URL to the global anti-phishing blocklist.
  • Microsoft and Zoom abuse teams. Report the lookalike meeting URL to abuse@zoom.us and to Microsoft via the Teams admin reporting flow. Both vendors actively take down lookalike conferencing rooms.

Last updated 2026-05-30

Author note on sourcing. The Daniel, Maria, and Karim scenario is illustrative, not a single specific case. It is built from real attack patterns documented in 2024 and 2025 by the FBI Internet Crime Report 2024, Pindrop Voice Intelligence Q4 2024, Deloitte Center for Financial Services, the Identity Theft Resource Center, Group-IB Threat Intelligence, and SentinelOne. The Arup Hong Kong $25 million loss was first reported by the South China Morning Post in February 2024 and confirmed by an Arup spokesperson to the Financial Times, CNN, and other outlets. The WPP CEO deepfake attempt was reported by The Guardian and the Financial Times in May 2024. Specific names, places, dialogue, and dollar amounts in the Daniel scenario are dramatized for clarity. Real victims at real firms have experienced substantially the same chain of events. Mandiant, CrowdStrike Services, Unit 42, and Kroll are mentioned as examples of the incident-response category and are not endorsed by SafeBrowz.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1, Local detection: 60+ URL patterns and 550+ brand-specific signatures run directly in your browser. This is the layer that catches zoom-meet.us, zoorn.us, teams-microsoft-365.com, meet-google.us, and other lookalike video-conferencing domains at click time, before the fake meeting room loads. Zoom, Microsoft Teams, Google Meet, Webex, GoToMeeting, and the other major conferencing brands are baked into the extension itself.
  • Layer 2, API checks: Google Safe Browsing, PhishTank, and URLhaus cross-references run server-side. Catches known malicious meeting URLs the moment they are reported anywhere in the world, including the throwaway lookalike domains that get burned and rebuilt every few hours.
  • Layer 3, AI deep scan (Premium): Content analysis flags brand-new lookalike Zoom and Teams pages that no blocklist has seen yet. The fake Microsoft 365 OAuth consent screen that went live two hours ago and is being used as the foothold for next month's deepfake CEO attack. The new "Slack workspace migration" page. Works in over 100 languages.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

Block lookalike Zoom, Teams, and OAuth consent pages before they load

SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that blocks fake video conferencing links, fake OAuth consent screens, and lookalike collaboration platform sites before they load. 550+ brands in the database including Zoom, Microsoft Teams, Google Meet, Slack, Webex, and the major banks. AI content analysis catches brand-new lookalikes in over 100 languages. Free forever, no account needed. Check any URL first at the free URL safety checker.


FAQ

Can you really fake a CEO on a live Zoom call in 2026?

Yes. Real-time face-swap and voice-cloning models have been good enough since late 2023 to render convincing executive impersonations on short video calls. The Arup loss in February 2024 (around $25 million) and the WPP CEO attempt in May 2024 are public confirmations. Sixty seconds of clean face video and ninety seconds of clean voice are enough source material to train a real-time deepfake. Most public-facing executives have far more than that on YouTube, LinkedIn, and conference recordings. The hard part is no longer the deepfake itself. The hard part is getting a foothold on the target firm's collaboration platform first.

How did the Arup deepfake attack actually work?

According to reporting by the South China Morning Post in February 2024 and confirmations by Arup to the Financial Times and CNN, a Hong Kong-based finance employee at Arup received a phishing email claiming to be from the firm's UK-based CFO. The employee was initially skeptical. Then the supposed CFO invited the employee to a video conference. On the call, the employee saw and heard the CFO and other senior staff, all on camera, all speaking. The employee proceeded to make 15 transactions totaling roughly HK$200 million (about $25 million USD). Every "person" on the video call other than the employee was a deepfake. Hong Kong Police later said this was one of the largest deepfake-enabled fraud cases they had investigated.

Would a callback have stopped the Arup attack?

Yes, almost certainly. The employee in the Arup case had already flagged the initial email as suspicious before joining the video call. A simple 60-second callback to the actual UK CFO on a phone number from the company directory would have established that the CFO was not in any such meeting. The reason callbacks work is that the deepfake attacker controls the inbound channel they offered (the Zoom link, the Teams meeting) but not your contact list. They cannot intercept an outbound call to a number you already have saved. Every documented deepfake CEO fraud case in 2024 would have been stopped by a 30-second callback on a known phone number.

What is the WPP deepfake CEO attempt?

In May 2024, WPP CEO Mark Read was the target of a deepfake impersonation attempt that was caught before any money or data was lost. Attackers cloned a public image of Read, set up a fake WhatsApp account using that image, and arranged a Microsoft Teams meeting with another senior WPP executive. On the call the attackers played a YouTube clip of Read's voice and used a separate chat window to type messages impersonating him. The target executive became suspicious during the call (the "CEO" was asking for personal information in a way the real Read never did) and the attempt failed. WPP confirmed the incident to The Guardian and the Financial Times. Mark Read sent a company-wide memo afterwards warning about executive deepfake impersonation.

How fast are deepfake attacks growing?

Fast. The Pindrop Voice Intelligence Q4 2024 report found deepfake voice attacks against banks rose roughly 350 percent year over year. Deloitte projected US deepfake fraud losses could reach $40 billion by 2027, up from about $12 billion in 2023, a compound annual growth rate above 30 percent. The FBI Internet Crime Report 2024 (April 2025) recorded approximately $2.9 billion in Business Email Compromise losses for the year, with a meaningful and growing share involving deepfake video and voice components. Group-IB and SentinelOne both documented deepfake-as-a-service kits sold on underground forums through 2024 that lower the technical bar for staging these attacks.

Can SafeBrowz detect a deepfake video inside a Zoom call?

No. SafeBrowz is a URL safety scanner. It stops the fake meeting room from loading by blocking lookalike Zoom, Teams, and Google Meet URLs (zoom-meet.us, zoorn.us, teams-microsoft-365.com, meet-google.us) before you click into the call. It also blocks the OAuth consent phishing pages that attackers use to get the initial foothold on the firm's collaboration platform weeks earlier. SafeBrowz does not analyze video frames inside a live Zoom call. For that, you need the procedural defenses: the callback on a saved number, the 3-minute rule, and the in-call red flags listed above (off lip-sync, limited side profile, resistance to off-script questions, pressure to keep moving).
