Zoombombing is when an unauthorized person crashes an online meeting and begins either sharing their screen (usually showing pornography or some other offensive content) or posting objectionable content via the chat. It has become a significant problem as schools, universities, and companies transition to working remotely during quarantine. Zoom is working diligently to address the problem, and has released several security updates in the last few weeks already.
Unfortunately, zoombombing remains a problem as the fixes continue to roll out. Fortunately, there are steps you can take to protect yourself and your meeting participants.
1. Use random-generated meeting IDs instead of your personal meeting ID
Your personal meeting ID is a static ID that is always available. Because it is always available, it’s easy for zoombombers to discover. If all your meetings use your personal ID, then any meeting you hold can be subject to an unexpected intrusion of offensive content.
One way to address this is to use a randomly generated ID instead. It’s very simple to do: when you are scheduling your meeting, simply click Generate Automatically next to the Meeting ID setting.
To ensure you don’t forget, we recommend setting that as a default using the Settings menu on the left-hand side of the screen. Under Schedule Meeting, simply turn off Use Personal Meeting ID (PMI) when scheduling a meeting.
One final tip: Do not share your PMI or any meeting invitation on social media.
2. Password protect your meetings
As we all know from our phones and other devices, not using a password is an open invitation to bad internet actors, whether simple trolls or more malignant attackers. Your online meetings are no different.
It’s easy to set a password, and Zoom automatically generates one for each new meeting. When you schedule your meeting, make sure to click Require meeting password. The automatically generated password appears next to the setting and is automatically included in the meeting invitation text that you can send to participants.
As with randomly generated meeting IDs, you can also set this as a default. In Settings, under Schedule Meeting, you’ll see four password settings. To be absolutely safe, turn them all on.
3. Use waiting rooms for attendees to filter unwanted attendees
Zoom contains a nice feature called a waiting room where meeting participants gather until the host starts the meeting and approves individual attendees to enter. While this may not be efficient for sessions where there are a hundred or more attendees, it can be very useful for general meetings or smaller classes.
To turn this on when you schedule a meeting, select Enable waiting room under Meeting Options.
To set this as a default meeting setting, go to the Settings menu. Under In Meeting (Advanced), turn on Waiting room.
If you choose not to enable waiting rooms, or are hosting a meeting too large to effectively use the waiting room, consider disabling Join before host, either when you schedule a meeting or by default in the overall meeting settings. That way you can at least ensure a malicious actor doesn’t get into your meeting before you do and can’t start sharing offensive content when you’re not even there yet to stop them.
4. Control who can share their screen
The most obvious way to shut down screen-share zoombombing is to restrict screen sharing to only the host. If no one but you can share screen, then no one can hijack your presentation on-screen.
Screen sharing is managed through Settings or during the meeting itself. You have several options:
- Turn off screen sharing entirely.
- Set Who can share? to Host Only.
Don’t worry, as host you can manually pass sharing to any participant during the meeting as needed. Setting this to Host Only merely ensures that you are in control of the sharing at all times and that random bad actors cannot hijack the screen share at any time they choose.
- If you have enabled sharing for all participants, set Who can start sharing when someone else is sharing? to Host Only.
Again, you can manually pass sharing to participants during the meeting whenever you want. This setting simply ensures you have control over who shares and when.
5. Mute all participants who aren’t the host
Zoombombers don’t necessarily limit themselves to disrupting your meeting visually or via chat. They may break in verbally as well. One way you can control that is by muting all participants by default.
To mute participants when you set up a meeting, select Mute participants upon entry under Meeting Options. As host, you can always unmute one or more participants during the meeting.
To mute participants by default, go to Settings. Under Schedule Meeting, turn on Mute participants upon entry.
On a related note, we recommend setting both Host video and Participants video to off by default, both in settings and/or for any individual meeting you schedule. As host, you can simply turn your camera on after you’ve started the meeting and are fully prepared to be viewed. While this may not prevent zoombombing, as participants can turn their cameras on themselves during the meeting, many participants may not have cameras. Particularly if your participants are students, they can feel embarrassed by the lack. Making on-camera a choice relieves this embarrassment and promotes equity.
6. Lock the meeting
Just as you would shut the door for an in-person meeting, lock the meeting controls entry after the meeting has started. Once a meeting is locked, no one can join—even if they have the correct credentials. If you’re going to lock the meeting, consider waiting until about 5 minutes past start time to ensure most of your participants have arrived.
You can only lock a meeting once it’s started; there are no default or meeting schedule settings you can make to do this by default. To lock a meeting, open the Participants list from your meeting controls and click Lock Meeting.
7. Kick out unknown attendees if meeting is already going
If, after trying all the above tips, you still see bad meeting behavior (it might even be from an invited participant!), you can kick the offender out of the meeting. To remove a participant from the meeting, right-click their name in the participant list and choose the appropriate option.
If you want to make sure that participant cannot come back into the meeting after being kicked out, make sure you go to Settings and turn off Allow removed participants to rejoin under In Meeting (Basic).
Bonus Tip 1: Don’t allow on-screen annotation as a default.
One final way a malicious actor can disrupt your meeting is by scrawling obscene annotations on-screen as you share. While allowing participants to annotate the screen can be useful to promote interaction, you have no control over what they write in annotations. We recommend turning off annotations by default in Settings under In Meeting (Basic). You can always turn them back on during the session after you’ve locked the meeting and know that everyone there is a legitimate participant.
Bonus Tip 2: Don’t store any important meeting recordings or chats in the cloud
While paid Zoom accounts do enjoy private, secure cloud storage, if you are using Zoom for free make sure any cloud services you where upload recordings also have security and privacy settings. Otherwise, your recordings (which may be very private) are open for all to see.