Skip navigation
Research Report

3 tactics to prevent Zoombombing as you turn on remote learning

As many students wrap up spring break during the coronavirus pandemic, they are turning on their laptops to return to class; and despite the new classroom environment, faculty and students may encounter a familiar foe in a new form – the virtual class clown.

“Zoombombing” is a new form of internet trolling whereby invited or uninvited participants on a web meeting platform disrupt virtual classrooms with inappropriate and graphic images, videos, and chats.

Zoombombing is not specific to the Zoom application and can occur on many web meeting platforms; but the name “Zoombombing” has gained traction given that Zoom experienced wide-scale adoption as many organizations went remote. EAB is a long-time user of Zoom for virtual meetings, and similar to other experienced subscribers and new adopters, we continue to learn how to optimize our virtual interactions as we’ve scaled up our use. Incidents of Zoombombing have already occurred in the corporate world and are starting to appear in the virtual classroom. While CIOs anxiously monitor their incoming IT Support for unanticipated risks and issues, Zoombombing is among the first they can proactively mitigate to protect academic spaces and the institutional brand and prevent students from receiving harmful and disruptive messages.

EAB talked to CIOs at higher education institutions as they began remote learning and identified 3 tactics to prevent Zoombombing.

1. Require authentication to access to web meeting links

Zoombombing most frequently occurs when uninvited participants gain access to a public web meeting link and may then wreak havoc on the meeting. Therefore IT leaders recommend faculty publish their course links behind an authenticated application, such as their LMS, to reduce risks that public audiences can access links. Access can be further protected by multi-factor authentication (MFA) or requiring institution credentials (Single Sign-on) to log into the web meeting.

If MFA or authenticated login is unavailable, Zoom representatives suggest requiring a password to join web meetings, and delivering the web meeting link and password to students through separate channels (e.g., email, LMS post, direct messages, etc.). Finally, faculty should generate random meeting IDs for their meetings, rather than using their personal meeting IDs for all classes; if a personal meeting ID link becomes public, it’s an open invitation for party crashers.

2. Strategically use web meeting’s meeting management settings

IT leaders have conducted numerous training sessions with faculty to help them adjust to online course delivery, and faculty maintain some autonomy to determine how to best use the tools at their disposal to teach. However, IT leaders can determine the configuration of enterprise-wide advanced settings to enforce security measures and help faculty manage the participants.

In particular, the University of South Carolina’s instance of Zoom will place participants in a Waiting Room if they do not login with their USC credentials. Participants in the Waiting Room are instructed to login to Zoom with their USC credentials or wait to be admitted by the meeting host. IT leaders can also educate faculty about the participant management settings at their disposal, such as locking entrance to the room after it has begun, limiting participants’ ability to screenshare, chat, or speak, and putting participants on hold.

3. Guide instructors to use sanctioned and secure web meeting tools

While faculty may increasingly express a preference for Zoom’s intuitive interface, many IT leaders are still deciding which applications will be optimal for online learning at their institutions and are starting to outline what tools should be used based on the purpose. Many CIOs aim to avoid Zoombombing by mandating faculty use remote learning technologies embedded in their LMS system (e.g., Blackboard Collaborate, Canvas, etc.) or the Microsoft Teams platform.

Because these platforms require authentication to use, they are less susceptible to Zoombombing attacks. Furthermore, IT leaders may not face the same escalating cost of providing more vendor licenses for their web meeting application. CIOs should understand that faculty may be drawn to Zoom, Blue Jeans, or other commonly advertised web meeting applications on their own; therefore, setting up firm guardrails around how web meeting applications should be used and exercising advanced configuration options are steps in the right direction.