Keeping UK Charity Meetings and Webinars Safe from Online Harm
In February 2025, a Charity Excellence online presentation, hosted by another organisation, was attacked by multiple AI bots. The day after, it was reported in the Sun. We were probably attacked because the webinar was fairly high profile, but bot attacks can also be random. Following the attack, a number of charities contacted me to say that they had been the subject of similar attacks - all small like us. Some AI bots can already circumvent security checks such as Google's reCAPTCHA, and the bots will become increasingly sophisticated as AI becomes ever more capable.
We are all vulnerable but, as with other AI risks, there are simple steps any charity can take to significantly reduce the risk. Our 2 biggest AI risks are ignorance and inaction. This charity AI best practice safety guide responds to that to help charities keep webinars and online meetings safe, including using AI Assistants for meetings.
This guide is part of our Charity AI Ready programme. We would welcome constructive criticism to improve it - send it to ian@charityexcellence.co.uk.
The Risk of Online Harm to Charities
Online harms can be illegal, or harmful but legal. For harm to individuals, examples include child sexual exploitation and abuse, terrorism, hate crime and hate speech, harassment, cyberbullying and online abuse. There are also reputational and other harms to your charity and harms to people as a result of a data protection or cyber security breach. Exacerbating factors include if vulnerable people, particularly children, are present, and/or the incident involves extreme or illegal comments or images.
Taking a Risk Based Approach to Meetings and Webinars
If you apply all security measures to all meetings, there is an inevitable penalty in:
- Increased administration,
- Reduced effectiveness, and
- A risk of security fatigue leading to essential security measures potentially being ignored.
Use the checklist below, and any other factors relevant to your charity, to assess the overall risk to your charity. Ensure that those running meetings are aware of what the risk factors might be and know what steps they can take to increase security when appropriate to do so.
- Cause. We are all vulnerable, but some causes are more likely to be attacked.
- Such as our Jewish, Muslim and LGBTQI+ communities, and women's groups but.
- Communications. If you have a significant profile online or in the Media, you may be at higher risk.
- Contributors. The risk will be greater if there will be a large number of people present or participants may be vulnerable, such as young people or.
- Circulation. If the meeting is open to anyone, particularly if it is being widely promoted.
- Content. The impact of a risk that occurs will be greater if the meeting content is sensitive.
- Controls. Not having adequate security is inherently dangerous but may also attract AI bots trained to seek out vulnerabilities.
It's not so much about detailed policies but creating and maintaining a safety culture.
Trustee Oversight and Management
- Choose a reputable platform like Zoom, Microsoft Teams, or Google Meet.
- Check and implement relevant security features, such as waiting rooms, end-to-end encryption, control of screen sharing and the ability to mute or remove participants.
- If you have not already done so, allocate responsibility to a named individual or committee for online safety.
- Ensure those running meetings are aware of and trained to use the security features and know what to do to keep meetings safe.
- For webinars, require registration for attendees.
- For meetings, use unique meeting IDs and avoid sharing them publicly. Send the link only to registered participants.
Spotting Suspicious Registrations/Attendees
- Check for unusual email addresses that you would not have expected, including emails with random characters or misspellings of reputable domains, such as mickeymouse@googlle.com.
- Generally encourage attendees at your meetings and webinars to use real names, not nicknames or handles.
- Look out for incomplete or vague registration details.
- Watch for unusual patterns of behaviour, such as a surge in registrations or attendees who register multiple times with the same name but different emails.
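The checks in this list can be run over an exported registration list before the event. The sketch below is an added example, not part of the original guide or of any platform's tooling; the domain list, the thresholds and the sample registrations are constructed assumptions to adapt to your own audience.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Assumption: domains your attendees normally use; extend for your own audience.
KNOWN_DOMAINS = ["gmail.com", "google.com", "outlook.com", "hotmail.com", "yahoo.com"]

def lookalike(domain):  # returns the known domain this one imitates, else None
    if domain in KNOWN_DOMAINS:
        return None
    score, best = max((SequenceMatcher(None, domain, d).ratio(), d) for d in KNOWN_DOMAINS)
    return best if score >= 0.85 else None

def random_looking(local):  # crude heuristic: long, and mostly digits or vowel-free
    letters = [c for c in local if c.isalpha()]
    digits = sum(c.isdigit() for c in local)
    no_vowels = bool(letters) and not any(c in "aeiou" for c in letters)
    return len(local) >= 8 and (digits > len(local) / 2 or no_vowels)

def screen(registrations, window=timedelta(minutes=5), surge_at=4):
    """Return {email: [reasons]}, plus a 'SURGE' key if sign-ups cluster in time."""
    flags, by_name = defaultdict(list), defaultdict(set)
    for name, email, _ in registrations:
        name, email = name.strip(), email.strip().lower()
        local, _, domain = email.rpartition("@")
        by_name[name.lower()].add(email)
        if not name:
            flags[email].append("missing name")
        if (good := lookalike(domain)):
            flags[email].append(f"domain resembles {good}")
        if random_looking(local):
            flags[email].append("random-looking address")
    for name, emails in by_name.items():
        if name and len(emails) > 1:  # one name registered under several addresses
            for e in emails:
                flags[e].append("same name, several emails")
    times = sorted(datetime.fromisoformat(w) for _, _, w in registrations)
    if any(b - a <= window for a, b in zip(times, times[surge_at - 1:])):
        flags["SURGE"].append(f"{surge_at}+ sign-ups within {window}")
    return dict(flags)

# Constructed sample registrations (name, email, time), not from a real event.
SAMPLE = [
    ("Asha Patel", "asha.patel@gmail.com", "2025-02-03T09:00:00"),
    ("Mickey Mouse", "mickeymouse@googlle.com", "2025-02-03T14:00:10"),
    ("Tom Reed", "tom.reed@outlook.com", "2025-02-03T14:00:40"),
    ("Tom Reed", "xk7q92f41z@hotmail.com", "2025-02-03T14:01:05"),
    ("", "84429173625@yahoo.com", "2025-02-03T14:01:30"),
]
```

A flag is a prompt for a person to look at the registration, not proof of a bot; genuine attendees can trip any of these heuristics.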
During the Online Meeting or Webinar
- Enable the waiting room to review and admit participants.
- Disable screen sharing and only enable it for hosts, co-hosts, and presenters.
- Disable annotations (if the platform allows), to prevent any unwanted markings or comments during the screen sharing.
- Consider locking the meeting once all expected participants have joined. This prevents anyone else from entering the meeting.
- Assign co-hosts to help monitor and manage participants including monitoring the chat.
- Watch for attendees not participating, such as no audio/video, or no interaction in chat.
- Be alert to disruptive behaviour, such as inappropriate comments or screen sharing.
- Monitor for unusual activity, like frequent disconnections and re-joining.
If the Meeting is Hacked
- Remove the participant using the host controls.
- Lock the meeting to prevent further breaches.
- Mute all participants to control the situation.
- Preserve evidence, such as the time, date, participants, and the nature of the attack.
- Preserve any logs, chat messages, or other relevant information that can help in the investigation. Ensure you comply with legal requirements while doing so.
- Screenshot or copy imagery, but do not screenshot imagery if the content is extreme, such as imagery of child sexual abuse, as doing so may well constitute a criminal offence in its own right.
Afterwards.
- Report the incident to the platform's support team.
- Notify all legitimate participants about the breach and any actions taken.
- Review security settings and make any necessary adjustments for future meetings.
- Consider wider reporting:
  - For personal data breaches, you need to consider ICO reporting.
  - For serious incidents, you may have to inform your charity (or other) regulator, and
  - If the incident was potentially criminal, the Police, and/or
  - Safeguarding reporting if vulnerable people were involved.
General Best Practice
- Regularly update software to the latest versions.
- Educate participants about not sharing meeting links or passwords.
- Use strong, unique passwords for meetings.
Using AI Assistants in Meetings
AI Assistants can be really useful but ensure that these are set up and managed to minimise the potential risk.
- Select a well-known AI assistant such as Microsoft 365 Copilot.
- Check for security features and implement those relevant to your needs.
- Use strong, unique passwords for the AI assistant account.
- Enable two-factor authentication for added security.
- Review privacy settings and adjust them to limit data access and sharing.
- Regularly update the AI assistant software to the latest version to protect against vulnerabilities.
- Be cautious of sharing sensitive information during meetings.
- Do not automatically share meeting minutes unless you are confident these contain no sensitive personal or other information beyond what everyone who may read the minutes is entitled to and needs to have.
- Consider redacting sensitive information before sharing minutes unless its inclusion is essential.
Regulatory Guidance - Meeting Online Safety
ICO: Personal data breaches: a guide.
Charity Commission E&W: How to report a serious incident in your charity.
DS&IT: Understanding and reporting online harms on your online platform.
Useful Resources
Teams - Security Settings to Safeguard Microsoft Teams.
Zoom - Changing security settings in a Zoom meeting.
Thank You!
My thanks to Helen Ducker of PATA, for her help in improving this guidance for everyone.
This Guide to Charity Meeting Online Safety Is Not Professional Advice
This guide to charity meeting online safety is for general interest only and does not constitute professional legal or financial advice. I'm neither a lawyer, nor a qualified technology professional, so not able to provide this, and I cannot write guidance that covers every charity or eventuality. I have included links to relevant regulatory guidance, which you must check to ensure that whatever you create reflects correctly your charity's needs and your obligations. In using this resource, you accept that I have no responsibility whatsoever for any harm, loss or other detriment that may arise from your use of my work. If you need professional advice, you must seek this from someone else. To do so, register, then log in and use the Help Finder directory to find pro bono support. Everything is free.
Ethics note: AI was partially used in researching this guide.