Who's Actually in Your Meeting? Why You Need to Take Teams, Webex, and Zoom Security Seriously

We’ve all gotten used to video conferencing. A few clicks and you’re on a call with colleagues, clients, or senior management. Precisely because it’s become so commonplace, we often forget something important: a meeting link is a digital door. And a door that isn’t properly locked can be opened by anyone who finds the key. In this post, I’ll explore why it’s so important to properly configure your meeting environments in Microsoft Teams, Cisco Webex, and Zoom, using a well-known blunder and a Teams setting that poses more risk than many people realize.

The Journalist Who Just Happened to Join a Secret EU Meeting

In November 2020, Dutch tech journalist Daniel Verlaan of RTL Nieuws managed to gain access to a confidential video conference of EU defense ministers. No sophisticated hack, no malware. The then-Minister of Defense had posted a photo on Twitter in which the login credentials were accidentally visible. Five of the six digits of the PIN were legible, and the last digit could be guessed with a few attempts. The embarrassing detail: after entering the correct PIN, there was no additional security. The journalist was immediately granted access, waved to the surprised ministers, and was politely asked to leave. It was funny to watch, but the message is serious. A high-level meeting turned out to be protected only by a code that appeared in a photo. This incident shows exactly where things go wrong: we treat a meeting as a private space, when in reality it’s an online door accessible to anyone with the right link or code.

The Teams Setting You Should Be Aware Of

In Microsoft Teams, there’s a setting that allows people who aren’t signed in to your corporate environment (anonymous participants) to still join—or even start—a meeting. The catch: such a person can enter their own display name. Literally anything they want. That sounds harmless—until you consider what someone with malicious intent could do with it. An outsider could present themselves as “Jan de Vries (CFO)” or as your CEO’s name. In a busy call with cameras turned off, this isn’t easily noticed. And anyone who finds the link—or figures out a valid link through clever guessing (brute force)—can, in theory, end up in that meeting. The core of the problem: without the proper settings, the system doesn’t verify who someone really is. The name displayed on screen is nothing more than a text field.

What risks does this pose?

The consequences range from annoying to downright dangerous:

  • Eavesdropping and information theft. An uninvited guest can quietly eavesdrop on sensitive conversations about strategy, customers, mergers, or incidents—often without anyone noticing.
  • Impersonation of executives. By posing as the CEO or CFO, someone can issue instructions that no one questions. Think of a command like “transfer this payment today.” This is exactly the pattern behind CEO fraud and BEC (Business Email Compromise), but happening live during a call.
  • Social engineering. A fake participant eavesdropping on the call learns your internal jargon, names, and ongoing projects. That knowledge makes a later phishing or fraud attempt much more credible.
  • Data breach and reputational damage. If confidential information is leaked by an eavesdropping outsider, you not only have a security problem but also a legal obligation to report it and reputational damage.
  • Disruption. In the mildest case, you’ll have unwanted guests disrupting the meeting—so-called “meeting bombing,” which was common on Zoom during the pandemic.

So this isn’t just a theoretical edge case. It strikes at the heart of trust: are you really sure who you’re talking to?

Can you detect it?

This is the question I consider most important, and the honest answer is: partially. The platforms do offer tools. In Teams, you can view an attendance report afterward, and there are audit logs in Microsoft Purview that record meeting activity. Webex and Zoom have similar admin and activity logs. In many cases, these allow you to see that there was a participant who didn’t belong there. But there’s a major problem with this detection:

  • Anonymous participants are difficult to identify. Someone without an account often appears only with a self-chosen name and limited information. You can see that someone was there, but not always who.
  • Detection usually happens after the fact. You only discover it when you specifically check the logs. At the time, a quiet guest listening in with the correct name hardly stands out.
  • It requires active monitoring. Logs are only valuable if someone actually reviews them and knows what to look for.

In other words: detection is possible but limited, so you have to rely heavily on prevention. Prevention is truly better than cure in this case.
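
To make the log review described above concrete, here is an added example (not part of the original post and not a vendor tool): it scans attendance records for participants who joined without a sign-in and for display names that match a protected executive name without an internal account. The row layout, the domain example.com and the names are constructed assumptions; map your own platform's report columns to these keys.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Assumptions for this example: your tenant's domain and the names worth protecting.
ORG_DOMAIN = "example.com"
PROTECTED_NAMES = ["Jan de Vries", "Maria Jansen"]

# Constructed sample rows (not a real export). Assumption: anonymous = no sign-in address.
SAMPLE_ATTENDANCE = [
    {"joined": "09:00", "display_name": "Jan de Vries", "email": "jan.devries@example.com"},
    {"joined": "09:01", "display_name": "Maria Jansen", "email": "maria@partner.example.org"},
    {"joined": "09:07", "display_name": "Jan de Vries (CFO)", "email": ""},
    {"joined": "09:12", "display_name": "jan  de vrles", "email": ""},
    {"joined": "09:15", "display_name": "Guest 4", "email": ""},
]

def normalize(name):
    """Lower-case, strip accents, drop '(CFO)'-style additions and extra spaces."""
    plain = "".join(c for c in unicodedata.normalize("NFKD", name) if not unicodedata.combining(c))
    plain = re.sub(r"\(.*?\)|\[.*?\]", " ", plain)
    return " ".join(plain.lower().split())

def resembles_protected(display_name, threshold=0.85):
    """Return the protected name this display name imitates, or None."""
    candidate = normalize(display_name)
    for protected in PROTECTED_NAMES:
        if SequenceMatcher(None, candidate, normalize(protected)).ratio() >= threshold:
            return protected
    return None

def review(rows):
    """Return (joined, display_name, reason) for every participant worth a second look."""
    findings = []
    for row in rows:
        email = row["email"].strip().lower()
        internal = email.endswith("@" + ORG_DOMAIN)
        imitated = resembles_protected(row["display_name"])
        if imitated and not internal:
            reason = f"NAME-MATCH: shows as {imitated} without an internal sign-in"
        elif not email:
            reason = "UNVERIFIED: anonymous participant, name is self-chosen"
        else:
            continue
        findings.append((row["joined"], row["display_name"], reason))
    return findings

if __name__ == "__main__":
    print(*review(SAMPLE_ATTENDANCE), sep="\n")
```

A name match is a prompt to verify with the organizer, not proof of impersonation, since an external guest can legitimately share a name with an executive.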

Practical steps you can take

Without getting too deep into the technical details, here are a few measures that make the biggest difference:

  • Disable anonymous access wherever possible, or at the very least, don’t let anonymous participants start a meeting on their own.
  • Use the lobby (waiting room) so that an organizer can approve participants before they enter.
  • Limit sensitive meetings to verified, logged-in users within your own organization.
  • Never share meeting links or codes publicly, and be mindful of what’s visible in screenshots or photos. That’s exactly where things went wrong for the EU.
  • Periodically review attendance and audit logs, especially for meetings with sensitive content.
  • Raise awareness among your colleagues: the name displayed on screen is not proof of identity.

In Conclusion

For most organizations, video calls have become just as important as physical meeting rooms. Yet we often pay far less attention to security in that digital space. The EU blunder and the Teams setting demonstrate how little it takes to gain unauthorized access. The question “Who is actually in this meeting?” therefore deserves a real answer, not just a name on the screen.

And that’s where AI comes into play

So far, this story has been about someone typing in a fake name. With the rise of AI, the problem becomes much more insidious. With deepfake technology and voice cloning, someone can now impersonate another person not only by name, but also through video and audio. An attacker no longer needs access to your systems. Sufficient publicly available video and audio footage of an executive—for example, from webinars, interviews, or recorded presentations—is enough to create a convincing replica.

The best-known example is the British engineering firm Arup. In early 2024, a finance employee at the Hong Kong office was invited to a video call. The call included the CFO and several familiar colleagues, who asked him to carry out a confidential transaction. The employee had been justifiably suspicious after receiving a previous email, but let his guard down when he saw and heard the familiar faces and voices on the call. He then transferred approximately $25 million in fifteen transactions. It wasn’t until later that it became clear that everyone on that call, except for himself, was an AI-generated deepfake. The faces and voices were replicated using publicly available material from the real employees.

This makes the earlier risk even more acute. An open or poorly secured meeting environment combined with AI impersonation is a dangerous combination. Whereas in the past you might have thought, “I saw and spoke to him myself, so it must be true,” that very assumption is shifting. Video and audio are no longer proof of identity.

This makes detection even more difficult. With a bit of attention, you might still spot a fake name, but a well-made deepfake is hard to recognize in real time, especially under time pressure. Subtle clues such as faltering lip-sync, strange lighting, or images that are just a bit too smooth can help, but you can’t rely on them as the technology improves.

The most important defense, therefore, does not lie in the meeting itself, but in the processes surrounding it. Always confirm important requests—especially payments—through a second, independent channel, such as a phone call to a known number. Implement strict four-eyes procedures for large transactions. And make colleagues aware that a familiar face or a trusted voice on a call is no longer a guarantee that it is actually that person.

Conclusion

Whether it’s a journalist gaining access via a photo, an outsider entering a fake name, or an AI mimicking an entire executive team: the common thread is always the same. We’re too quick to trust what we see and hear during a call. Robust settings, healthy skepticism, and solid verification processes together form the best defense.

