The program was a Trojan/malware, not actually Zoom:
By doing so, the hacker was able to install a malicious software program that gave them access to the fund's email system which they used to send off fake invoices.
It didn’t, the user did. I assume the fake link led to a page saying “you have to update your zoom” and downloaded malware. The kind of thing new macOS versions try to avoid with the new gatekeeper. Maybe the guy used windows?
By doing so, the hacker was able to install a malicious software program that gave them access to the fund's email system which they used to send off fake invoices.