Zoom bombing: How to avoid unwanted guests
Zoom bombing is an unwanted person joining your meeting, eavesdropping or causing mischief, like posting obnoxious material to the screen or in the chat. It can occur if the meeting link was forwarded to others or posted on social media or a public website, and if your Zoom security settings are inadequate.
Zoom includes features to make your meeting secure, but first we’ll talk about what to do if you are caught out.
What can you do during a Zoom bombing incident?
Meeting hosts and co-hosts can take the following actions.
Suspend participant activities
This stops all users from chatting, sharing their screen, using the whiteboard, etc. It also locks the meeting so that new users cannot join. It is available from the meeting Security button on the Zoom toolbar. You will be given the option to report the incident to Zoom support; they may be able to assist in further investigation and take appropriate action.
Remove the user
Rather than fumbling around in Zoom, trying to take down the unwanted material, find the unwanted user and remove them.
- From Zoom, open the Participants panel.
- Look for the user’s name (or screen name).
- Click the three dots next to their name and choose ‘Remove’.
As the meeting is now locked, they will be unable to re-join your meeting.
Resume the meeting
Once you have controlled the situation and the miscreant has gone, re-enable the options that you are comfortable with under Enable participants to, like Chat, Unmute themselves, and Start video.
At this point, screen sharing will be disabled for everyone except hosts and co-hosts. If you have a guest presenter wanting to share their screen, make them a co-host by clicking the three dots next to their name in the Participants panel.
Prevent Zoom bombing
In advance of the meeting, make sure your Zoom settings reduce the likelihood of unwanted visitors.
Scenario one – your Zoom meeting is restricted to UoA staff and students
If you only expect University of Auckland staff or students to join, select Require authentication to join when scheduling the meeting, then select University of Auckland from the dropdown menu. Users who are not signed into Zoom with University credentials will be unable to join.
As an added layer of security, use meeting passwords and avoid sharing passwords publicly.
Avoid using your Personal Meeting ID (PMI) for public meetings. Generate a unique meeting ID for each session to prevent unauthorised individuals from guessing your PMI or using your PMI from an earlier meeting link.
Limit screen sharing and whiteboard capabilities to hosts and co-hosts only. In the Zoom settings, adjust screen sharing options to Host Only. This prevents disruptive screen sharing incidents.
To allow a guest presenter to share their screen during the meeting, make them an alternative host or co-host. This can be done in advance when scheduling the meeting (under Advanced options), or, if Zoom can’t find the user, add them as a co-host once they have joined the meeting by clicking the three dots next to their name in the Participants panel.
Scenario two – your Zoom meeting will have both UoA users and externals
In addition to the settings in scenario one, if you expect both University of Auckland staff or students and externals to join, select Require authentication to join when scheduling the meeting, then select Sign in to Zoom from the dropdown menu. Users who are not signed into Zoom will be unable to join.
Enable the Waiting Room. This allows you to vet external participants before granting them access to your meeting. The Waiting Room requires a host or co-host to let people into the meeting via the Participants panel in Zoom. Although participants can choose any screen name they like, this step reduces the likelihood of undesirables joining your meeting. You can let in people you recognise.
To help reduce the number of people that you have to manage via the Waiting Room, add a trusted domain. For example, you may want University of Auckland staff or students to bypass the Waiting Room and go straight into the meeting. To set this up:
- Go to your general Zoom settings: https://auckland.zoom.us/profile/setting
- Under Waiting Room options, click Edit Options
- Under Who should go in the Waiting Room, choose Users who are not in your account and not part of your whitelisted domains.
- Then, add *.auckland.zoom.us as a whitelisted domain.
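The two scenarios above can be expressed as a pre-meeting check. This is an added example, not code from the University or from Zoom: it assumes the meeting has been exported as a dictionary whose field names follow the meeting object of Zoom's REST API, and the two sample meetings are constructed. Screen sharing (Host Only) is set in the Zoom settings and is not covered here.

```python
# Added example. Field names are assumed to follow the meeting object of
# Zoom's REST API; the sample meetings below are constructed for illustration.

def audit_meeting(meeting, scenario):
    """Check a meeting against scenario 1 (UoA only) or 2 (UoA plus externals)."""
    settings = meeting.get("settings", {})
    findings = []

    # Both scenarios: authentication required, with the matching dropdown choice.
    wanted = "University of Auckland" if scenario == 1 else "Sign in to Zoom"
    if not settings.get("meeting_authentication"):
        findings.append("Require authentication to join is not selected")
    elif settings.get("authentication_name") != wanted:
        findings.append(f"authentication option should be '{wanted}'")

    # Both scenarios: a password is set and the meeting ID is not the PMI.
    if not meeting.get("password"):
        findings.append("no meeting password")
    if settings.get("use_pmi"):
        findings.append("meeting uses the Personal Meeting ID (PMI)")

    # Scenario two only: externals are vetted in the Waiting Room.
    if scenario == 2 and not settings.get("waiting_room"):
        findings.append("Waiting Room is not enabled")
    return findings


# Constructed sample: a staff-only meeting set up as scenario one describes.
STAFF_ONLY = {
    "password": "constructed-passcode",
    "settings": {"meeting_authentication": True, "use_pmi": False,
                 "authentication_name": "University of Auckland",
                 "waiting_room": False},
}

# Constructed sample: a seminar with externals, left on scenario-one defaults.
OPEN_SEMINAR = {
    "password": "",
    "settings": {"meeting_authentication": True, "use_pmi": True,
                 "authentication_name": "University of Auckland",
                 "waiting_room": False},
}

if __name__ == "__main__":
    for name, mtg, sc in (("staff-only", STAFF_ONLY, 1), ("seminar", OPEN_SEMINAR, 2)):
        print(name, audit_meeting(mtg, sc) or "OK")
```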
General tips
Avoid sharing Zoom meeting links on public platforms or social media. Instead, send meeting invitations directly to trusted individuals via email or other secure communication channels.
During meetings (if practical), once all the intended participants have joined, lock the meeting to prevent any further entry. This option can be found in the Security button in Zoom.
Regularly update your Zoom application to the latest version. New updates often include security enhancements and bug fixes that strengthen your protection against potential vulnerabilities. Do this by checking for updates via the drop-down under your profile picture.
Depending on your meeting requirements, familiarise yourself with Zoom’s security features, such as disabling file transfers, chat functions, or private messaging. We have provided additional instructions on changing your security settings within Zoom.
Avoid clicking on suspicious links or downloading attachments from unverified sources, as they may contain malware or phishing attempts that compromise your security.
It is important to be proactive and implement security measures to reduce the risk of Zoom bombing. In the event of an intrusion, swift action will help mitigate the disruption and restore a secure virtual meeting environment. Prevention is key.