Introduction

Zoom bombing (also Zoombombing) is when someone joins your meeting uninvited and says, shows on video, or writes in chat inappropriate, threatening, racist/sexist messages. The following meeting types are susceptible: 

• Meetings where the join URL or meeting ID is posted online.
• Meetings where the meeting ID has been bombed before (it's a known target).
• Meetings open to the public but without meeting registration.
• Meetings without waiting rooms.
• Meetings without passcodes.
• Meetings where people not logged into Zoom or VT Zoom can join.

Zoom bombers are typically groups of bad actors who obtain and share meeting information and coordinate their attacks.

• Once your meeting has been disrupted, it's very difficult to remove every attacker and regain control. It's best to abandon the meeting. 
• Zoom bombers are rarely VT affiliates, so VT authorities like VTPD, HR, and Student Affairs cannot enforce consequences.
• Law enforcement can only act if physical threats were made. 

Zoom security settings can prevent Zoom bombing attacks! For the latest documentation on Zoom security, please visit the Zoom Support Center.

Contents

• Preventing Interruptions
  
  • Overview of Zoom Security Settings
  • Set Account Security Settings
  • Set Meeting Security Settings
  • Other Preventative Actions
• Managing Secure Meetings
  
  • Meeting Security Settings
  • Suspend Participant Activities
  • Prevent Participants from Turning on their Video
  • Mute Participants
  • Prevent Participants from Making Annotations
  • Run Secure Breakout Rooms
• Responding to Interruptions
  
  • Suspend Participant Activities
  • Report Participants to Zoom
  • Remove Participants
• Reporting Interruptions to Virginia Tech
  
  • Report Physical Threats
  • Report Inappropriate and Abusive Interruptions
  • Consequences for Zoom Bombers

Instructions

Preventing Interruptions

The following security features help you prevent unwanted interruptions in your Zoom meetings.

Overview of Zoom Security Settings

• Waiting Rooms
• Passcodes
• Authentication Profiles
• Meeting Registration
• Recording and Chat Logs
• Meeting ID

Waiting rooms

Waiting rooms let you look at who wants to join your meeting before you let them in. All meetings have waiting rooms set by default. 

• Participants joining the meeting are placed in a waiting room.
• Hosts admit participants one at a time or all at once.
• Hosts can put participants back in the waiting room.
• If waiting rooms are enabled, join before host will not work. 
• Webinars do not support Waiting Room. Use a webinar practice session as an alternative.

Passcodes

There are two ways to join a Zoom meeting - by entering the Join ID or using a meeting invitation URL. 

• Passcodes prevent someone from entering your Join ID and accessing your meeting without the passcode. 
• Passcodes are included in the meeting invitation URL. Do not share your invitation URL on the Internet. 

Authentication Profiles

Authentication profiles allow you to restrict the meeting to one of the following: 

• Anyone logged into Zoom
• Anyone logged into a U.S. instance of Zoom
• Anyone logged into Virginia Tech Zoom

Anyone logged into Virginia Tech Zoom is the most secure authentication profile. If you have a non-VT guest speaker, you can add them as an exception. See Adding authentication exceptions (users). 

Meeting Registration

You can require attendees register before the meeting.

• Filter attendees by name and email address. 
• Only meetings with registration have polling and registration (attendance) reports. See: Generating Meeting Reports for Registration and Polling

Recording and Chat logs

It is easier to investigate interruptions captured in Zoom cloud recordings and in meeting chat. 

• You can set your meetings to record and save chats by default. 

Meeting ID

Do not use your personal meeting ID for public or recurring events.

• Once meeting IDs are shared online, it's easier for an attacker to strike again.  
• Use random, Zoom generated meeting IDs instead.  

Top of page

Set Account Security Settings

• Account settings determine defaults for all meetings scheduled by a user. We suggest you enable the most secure default settings. 
• Meeting settings can override the defaults when scheduling individual meetings. 

You can override account settings when scheduling individual meetings.

Click here to learn to configure account settings. 

1. Go to the Virginia Tech Zoom Portal and click Sign in. 
2. Log in with your PID and password. You'll go to your Meetings by default. 
3. Click Settings. It will default to the Meetings tab in the Security section. 
   
   
   
   
4. Keep Require that all meetings are secured with one security option enabled. This ensures cannot accidentally override security settings and hold an insecure meeting. 
5. Enable Waiting Room and click Edit Options. Under Who should go in the waiting room? (instead of joining the meeting directly) choose:
   
   • Everyone (most secure) if you want all participants to first go to the waiting room. 
   • Users not in your account if you only want non-VT people to go in the waiting room. VT people will be prompted to log in.
   • Users who are not in your account and not part of the allowed domains if you only want non-VT people and people not in domains you list to go to the waiting room.
6. There are six (6) passcode settings:
   
   • Enable Require a passcode when scheduling new meetings
   • Enable Require a passcode when scheduling new meetings
   • Enable Require a passcode for instant meetings
   • Enable Require a passcode for Personal Meeting ID (PMI) and All meetings using PMI.
   • Enable Require passcode for participants joining by phone
   • Only enable Embed passcode in invite link for one-click join if you will never post your meeting invitation link publicly. If you post it publicly, require registration and send the passcode to registrants separately. 
7. Enable Only authenticated users can join meetings. When you schedule meetings, you can choose from the three authentication options:  
   
   • Need to be signed into Zoom: Anyone signed into any Zoom account can join. 
   • Need to be signed into Zoom.us: Anyone signed into a U.S. Zoom account can join. 
   • Need to be signed into Virginia Tech Zoom: Only those signed into Virginia Tech Zoom can join.  
     
     • You can add individual non-VT email addresses as exceptions. See Adding authentication exceptions (users). 
     • Regarding phone users, choose the setting that aligns with your typical Zoom attendees.
8. Enable Only authenticated users can join meetings from Web client. 
9. Most Zoom bombing attacks originate in the U.S., but you can choose to enable Approve or block entry to users from specific regions/countries.
10. These are the most secure account settings:
    
    

Top of page

Set Meeting Security Settings 

• When you schedule a new meeting, it will have your account setting by default. 
• You can change settings for individual meetings. 
• The Zoom web portal at https://virginiatech.zoom.us has more scheduling settings than the Zoom client. 

Follow the instructions below to update your meeting's security settings:

• In the Zoom Portal
• In the Zoom Client

In the Zoom Portal

To schedule a meeting:

1. Log into the Virginia Tech Zoom web portal.
2. Click Meetings, then click Schedule a Meeting. 
3. Enter the Topic, Description, date and time, and recurrences. 
4. Meeting settings related to security start with Registration. 

We suggest these settings: 

1. Registration - Requiring registration means participants must register to be able to join the meeting once it starts. Hosts can screen participants or have Zoom approve them automatically. 
   
   • If your meeting includes members of the public, check Required next to Registration. 
2. Meeting ID - Check Generate Automatically. Randomly generated passwords are harder to guess. 
3. Security - You must choose at least one Security option. We recommend you choose more than one.
   
   • Meeting Passcode - Require a passcode. Passcodes are included in the invitation URL. Participants joining by URL need not enter a passcode. Only participants joining by Meeting ID enter passcodes. 
   • Waiting Room - Participants join a waiting room before entering the meeting. The host then admits them to the meeting. 
   • Only authenticated users can join. Choose the most secure profile that will meet your needs:
     
     • Need to be signed into Virginia Tech (most secure!): participants must be Virginia Tech affiliates signed into VT Zoom. 
     • Need to be signed into Zoom.us: participants must be signed into a US Zoom account to join the meeting.
     • Need to be signed into Virginia Tech Zoom: Only those signed into Virginia Tech Zoom can join.  
       
       • You can add individual non-VT email addresses as exceptions. See Adding authentication exceptions (users). 
       • Regarding phone users, choose the setting that aligns with your typical Zoom attendees.
4. Video - Turn on host video and turn off participant video. You can allow participants to share video during the meeting. 
5. Audio - Choose how participants can join. Restrict where participants can dial in from. 
6. Meeting Options
   
   • Allow participants to join anytime - Uncheck this to prevent participants from joining before you. 
   • Must participants upon entry - Check.
   • Automatically record meeting - It's easier to investigate interruptions if the meeting was recorded. 
   • Approve or block entry to users from specific regions/countries - Check to choose which countries to either allow or exclude. Save. 
7. Choose a Purpose (required).
8. Save
9. These are the most secure meeting settings: 
   
   

In the Zoom client

The Zoom client has fewer meeting scheduling than the Zoom web portal. To schedule a meeting, click Schedule on the Home screen. 

We suggest: 

• Meeting ID - Set to Generate Automatically. Randomly generated meeting IDs are harder to guess.
• Passcode - Set your own passcode or use Zoom's 
• Video - Turn on host video but turn off participant's video. They can turn on video after they join. 
  
  
  
  

Top of page

Other preventative actions

• Update Zoom client
• Don't share invitation URLs online
• Pay attention to security emails

Update Zoom client

Older Zoom client versions might not have updated security settings. In the Zoom client, click your icon then Check for Updates. 

Don't share invitation URLs online

Do not share meeting IDs or passcodes via social media. If you must share meeting information on the Internet:

1. Require registration.
2. Require a passcode. Don't share the invitation URL or passcode. 
3. Use authentication profiles to require attendees be signed into Zoom. 
   
   • Any free Zoom account will work. Most bad actors never sign into Zoom. 
4. Have a backup plan.
   
   • Set up a secondary location or meeting you can move to if you're interrupted.
   • Only give known attendees information on the backup session. 

Pay attention to security emails 

Virginia Tech notifies hosts if their Zoom meeting information is exposed online. 

• Do not ignore these emails.
• Work with TLOS to secure your meeting. Either Schedule an Appointment with a TLOS Consultant or go to the 4Help Portal, log in, and click Get Help. 

Top of page

Managing Secure Meetings

Some meeting controls are only available after the meeting begins. 

Meeting security settings

At the bottom of the Zoom client, click Security. These are the most secure in-meeting settings:

• After everyone has joined, click Lock Meeting to prevent unwanted participants. 
• If the meeting is unlocked, you can Enable Waiting Room to hold new participants. 
• You can choose to Hide Profile Pictures of participants. 
• Under Allow participants to, uncheck any boxes to prevent participants from doing those actions. 

Top of page

Prevent participants from turning on their video

After the meeting starts, click Participants. Hover over a participant and click More then Stop Video. Repeat for all participants (or have the co-host do so).

Top of page

Mute participants

After the meeting starts, click Participants. You can: 

• Click Mute All.
• Click the more icon [...] at the bottom right and uncheck Allow Participants to Unmute Themselves. 

Top of page

Prevent participants from making annotations

1. While screen sharing, click More in the controls.
2. Click Disable participants annotation.
   
   

Top of page

Run secure breakout rooms

Screen sharing cannot be disabled for breakout rooms, so participants can always turn on their audio and video. To prevent and mitigate interruptions, use breakout room monitors: 

• Host and co-hosts can respond to interruptions.
• Participant monitors can click the Ask for Help (question mark) icon in the breakout room, prompting the host to join the breakout room.

Pre-assign participants to breakout rooms whenever possible and notify host and co-hosts of their role. 

Top of page

Responding to Interruptions

Zoom bombers often coordinate their attacks and repeatedly enter and disrupt meetings. If your meeting has been interrupted, consider immediately ending the meeting. If the community has a safe backup meeting location, move the meeting or event there. Only share the new meeting information with legitimate participants.

If you do not want to end the meeting, you can:

Suspend participant activities

Click Security then Suspend Participant Activities to mute all video and audio, stop screen sharing, end all breakout rooms, and pause recording.

Top of page

Report Participants to Zoom

1. Click Manage Participants.
2. The participants window will open to the right of your meeting. 
3. In the new window, hover over the participant's name and click More.
4. Click Report...
   
   
   
   
5. In the Report popup, add any other interrupters and let Zoom know What happened? Add a screenshot if you have one and click Submit. 
   
   
   
   

Top of Page

Remove participants

After reporting them, hover over More again and click Remove. You can remove someone without reporting them, but reporting them helps Zoom prevent future disruptions. 

To allow them to rejoin, see: Allowing Removed Participants or Panelists to Rejoin. 

Top of page

Reporting Interruptions to Virginia Tech

Report Physical Threats

1. If someone threatens physical harm during your meeting, call 911 and ask for the Virginia Tech Police Department (VTPD).
2. An officer will collect your information.
3. VTPD will coordinate with IT Security and other groups to investigate the threat.
4. Be prepared to receive an email notification from 4Help that an Incident has been created in your name.
   
   1. 4Help Incidents are the best way for IT Security and other IT groups to coordinate their efforts. 
5. You will be asked: 
   
   1. Do you consent to having this information sent to the FBI?
   2. Who was the host of the Zoom meeting (if it wasn't you)?
   3. What is the meeting ID?
   4. What was the date and time of the interruption?
   5. Was the meeting recorded? In the cloud or on a computer?
   6. What was the nature of the attack?
   7. What was the attacker's name?
   8. Do you have screenshots or a chat log of the attack? If so, please attach them.
   9. Do you have a police report? If so, please attach it.
6. IT Security and/or VTPD will follow up with you. 

Top of page

Report Inappropriate and Abusive Interruptions

1. Call 4Help at (540) 231-4357.
2. Tell the agent that you're reporting a Zoom Bombing. 
3. You will be asked: 
   
   1. Do you consent to having this information sent to the FBI?
   2. Who was the host of the Zoom meeting (if it wasn't you)?
   3. What is the meeting ID?
   4. What was the date and time of the interruption?
   5. Was the meeting recorded? In the cloud or on a computer?
   6. What was the nature of the attack?
   7. What was the attacker's name?
   8. Do you have screenshots or a chat log of the attack? If so, please attach them.
   9. Do you have a police report? If so, please attach it.
4. IT Security and/or VTPD will follow up with you. 

Top of page

Consequences for Zoom Bombers

• Law enforcement can only act if physical threats were made. However, it is often difficult to determine the attacker's location and identity. 
• Zoom bombers are almost never VT affiliates, so VT authorities like VTPD, HR, and Student Affairs cannot enforce consequences.
• Any VT students involved are referred to the Office of Student Conduct.
• Zoom can call VTPD for a police report. If warranted, Zoom can block the attacker's IP address. 
• VTPD reports certain types of Zoom bombing attacks to the FBI. 

Top of page