Digital security in events: how to protect QR codes, identity and compliance against quishing and deepfakes

Technology has made events more measurable, agile and personalised. Online registration, apps, QR codes, check-in, networking, streaming, automation, AI and analytics make it possible to create smoother experiences. However, every new digital layer also opens up a new surface of risk.

For this reason, digital security in events can no longer be understood simply as “having a secure platform” or “complying with the privacy policy”. It requires a complete architecture: what data is collected, where it travels, who has access, what permissions each supplier has, how identities are validated, how anomalies are detected and what happens if something fails.

From generic cybersecurity to operational digital security

The first technical decision is to stop seeing the event as an isolated activity. An event is a temporary but complex system: attendee database, forms, emails, landing page, payment gateways, app, badges, QR codes, CRM, streaming tools, audiovisual suppliers, exhibitors, sponsors, onsite staff and mobile devices.

Digital security must start with a map of assets and flows. It is not enough to know which tools are being used; it is necessary to document what information passes through each one. For example: personal data in the registration process, agenda preferences in the app, 1-to-1 meetings, access logs, interactions with sponsors, session recordings, post-event forms and marketing consents.

A useful framework is to separate measures into five phases: identify, protect, detect, respond and recover. This is the logic behind the NIST Cybersecurity Framework, designed as a common language for managing cybersecurity risks in organisations of different sizes and sectors. In events, this translates into a risk inventory, preventive controls, monitoring, an incident protocol and post-event learning.

Quishing: the QR code is not the problem, the flow is

Quishing is phishing carried out through QR codes. In events, it is especially relevant because QR codes appear on badges, tickets, signage, stands, surveys, networking tools, content downloads, payments or room access points. The UK’s National Cyber Security Centre warns that QR codes are increasingly used in phishing attacks because they conceal links, can bypass tools that do not analyse images and are often scanned from personal mobile phones with less corporate protection.

Microsoft has also documented QR-code phishing campaigns that use redirects, well-known brands, minimalist emails and codes embedded in attachments to reduce detection signals.

From a technical perspective, digital security is not about “using fewer QR codes”, but about designing them better. A secure QR code for check-in should not contain personal data in plain text. Ideally, it should contain an opaque identifier or signed token, validated on the server side, with expiry, traceability and revocation capability. If the QR code is reused for VIP areas, restricted sessions or staff badges, the backend must check permissions by role, time slot and area, not simply whether the code “exists”.
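The check-in flow described above, as an added Python example (not Eventscase code): the QR carries only an opaque ticket id and an expiry protected by an HMAC tag, while role, area, time-slot and revocation data stay on the server. The key, ticket ids, area names and time windows are constructed for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # assumption: a real key comes from a secrets manager
T0 = 1_800_000_000                # constructed event start time (epoch seconds)

# Constructed server-side records: permissions live in the backend, never in the QR.
TICKETS = {
    "t-7f3a": {"role": "attendee", "areas": {"main-hall": (T0, T0 + 36000)}, "revoked": False},
    "t-91cc": {"role": "vip", "areas": {"main-hall": (T0, T0 + 36000),
                                        "vip-lounge": (T0 + 7200, T0 + 14400)}, "revoked": False},
    "t-0d42": {"role": "attendee", "areas": {"main-hall": (T0, T0 + 36000)}, "revoked": True},
}

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(ticket_id: str, expires_at: int) -> str:
    """QR payload: opaque ticket id and expiry, followed by an HMAC-SHA256 tag."""
    body = json.dumps({"tid": ticket_id, "exp": expires_at}, separators=(",", ":")).encode()
    return f"{b64e(body)}.{b64e(hmac.new(SECRET, body, hashlib.sha256).digest())}"

def check_scan(token: str, area: str, now: int) -> str:
    """Return 'ok' or the refusal reason; each outcome should be logged for traceability."""
    try:
        body_part, tag_part = token.split(".")
        body, tag = b64d(body_part), b64d(tag_part)
    except ValueError:
        return "malformed"
    # Verify the tag in constant time before parsing or trusting any claim.
    if not hmac.compare_digest(tag, hmac.new(SECRET, body, hashlib.sha256).digest()):
        return "bad-signature"
    claims = json.loads(body)
    if now >= claims["exp"]:
        return "expired"
    ticket = TICKETS.get(claims["tid"])
    if ticket is None or ticket["revoked"]:
        return "revoked-or-unknown"
    window = ticket["areas"].get(area)
    if window is None:
        return "area-not-permitted"
    if not (window[0] <= now < window[1]):
        return "outside-time-slot"
    return "ok"
```

A valid attendee code is still refused at the VIP lounge because the decision comes from the server-side record, not from the fact that the code verifies.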

It is also advisable to avoid generic shortened URLs. The destination URL should use an official domain, HTTPS, a valid certificate and recognisable paths. At web level, measures such as HSTS, protection against open redirects, strict parameter validation, rate limiting and detection of anomalous scans reduce the risk of abuse. In physical signage, control is more manual but equally important: review before opening, removal of overlaid stickers, inventory of printed QR codes and use of designs that make discreet replacements more difficult.

This is where an access control software solution fits in, as check-in is a critical area: it validates tickets, prevents access fraud and makes it possible to know who attended and when.

Deepfakes: visual verification is no longer enough

Deepfakes introduce a different challenge: identity manipulation. In events, the risk may arise in a video call with a supposed sponsor, an urgent instruction attributed to a senior executive, a fake speaker sending materials, a request to change bank details or a manipulated promotional video.

Interpol warns that AI, language models, cryptocurrencies and fraud-as-a-service models are making criminal campaigns more sophisticated, professional and accessible to actors without advanced technical skills. In addition, cases such as the fraud suffered by Arup through a deepfake video call show that visual verification can no longer be the only criterion of trust in sensitive corporate processes.

Digital security against deepfakes must rely on processes, not only on detection tools. For critical changes — payments, bank accounts, contracts, executive agendas, speaker substitutions or publication of official content — there should be out-of-band verification. In other words, the instruction should be confirmed through a different and previously registered channel, such as a call to a validated number, approval in a corporate tool or double internal authorisation.

It is also advisable to create a chain of custody for content. Speaker videos, institutional pieces, logos, sponsor creatives and sensitive materials should be received through official channels, with version control, a responsible person, delivery date and final validation. In high-profile events, watermarks, digital signatures, provenance metadata or closed repositories can be added to prevent manipulated versions from circulating.

AI, transparency and the AI Act

When AI is used in events — chatbots, virtual assistants, automatic summaries, matchmaking, agenda recommendations or content generation — the risk is not only technical. It also relates to transparency, oversight and compliance. In the article on AI for events: 8 practical applications, we already explained that AI depends on a good data foundation, supervision and context; the same principle must be applied to security.

Digital security requires informing attendees when they are interacting with an automated system, what data is being used, which decisions are suggested by AI and what human supervision exists. Article 50 of the AI Act includes transparency obligations for certain AI systems, including informing people when they are interacting with AI and disclosing image, audio or video content generated or artificially manipulated when it constitutes a deepfake. According to the AI Act implementation timeline, the Article 50 transparency rules are scheduled to apply from 2 August 2026.

In practical terms, this affects events that use avatars, AI-generated videos, synthetic dubbing, attendee-support chatbots, behavioural analysis or automated recommendations. Transparency should not be hidden in lengthy legal terms; it should appear at the point of interaction.

Technical compliance: GDPR, logs, permissions and suppliers

The compliance side must be translated into concrete controls. The Spanish Data Protection Agency reminds organisations that Article 32 of the GDPR requires technical and organisational measures appropriate to the risk, taking into account the state of the art, costs, nature, scope, context, purpose of processing and risks to people’s rights and freedoms. The European Data Protection Board also emphasises protecting the confidentiality, integrity and availability of information through measures such as access control, backups, traceability, encryption, audits, permission reviews and impact assessments where there is high risk.

In events, this means applying digital security across the entire data life cycle. In registration, minimisation: only ask for the data that is necessary. In the platform, role-based permissions: not all internal users need access to the whole database. In networking, visibility control: the attendee must know what information they are sharing. In sponsorship, specific consent: leads should not be transferred without a clear legal basis. In the post-event phase, limited retention: data should not remain indefinitely “just in case”.

Suppliers must also be reviewed. Any email, streaming, CRM, badge-printing, app, AI or analytics platform may act as a data processor. The organiser must check contracts, sub-processors, server location, security measures, breach support, data deletion and international transfers.

It is also important to assess the maturity of the technology provider. Eventscase’s Information Security Policy sets out our approach to managing the confidentiality, integrity and availability of information, as well as our ISO/IEC 27001:2022 certification.

Technical checklist by phase

Before the event, digital security should include an inventory of tools, a risk matrix, supplier review, role-based permissions, official domains, retention policies and load or access testing.

During the event, it is advisable to monitor login attempts, repeated QR scans, access from unusual locations, permission changes, incidents, duplicate tickets, signage substitutions and urgent requests from suppliers or sponsors.

After the event, digital security should be closed with a log audit, deletion or anonymisation of unnecessary data, consent review, incident analysis, revocation of temporary access, secure download of reports and documentation of lessons learned.
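The monitoring of repeated QR scans and duplicate tickets listed for the event itself can be automated over the check-in log. The following is an added Python example, not part of the original article; the log format, gate names, ticket ids and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed scan log, one line per scan: "epoch_seconds gate ticket_id result"
SCAN_LOG = """\
1000 gate-A t-7f3a ok
1004 gate-A t-91cc ok
1030 gate-C t-7f3a ok
1100 gate-B t-aaaa bad-signature
1102 gate-B t-aaab bad-signature
1103 gate-B t-aaac bad-signature
1105 gate-B t-aaad bad-signature
1900 gate-A t-91cc ok
""".splitlines()

REUSE_WINDOW = 300   # assumed: same ticket accepted at two different gates within 5 min
FAIL_WINDOW = 60     # assumed: sliding window (seconds) for refused scans per gate
FAIL_THRESHOLD = 4   # assumed: refused scans in the window that raise an alert

def detect(lines):
    """Return alerts for likely copied tickets and bursts of refused scans."""
    alerts = []
    last_ok = {}                 # ticket_id -> (time, gate) of the last accepted scan
    fails = defaultdict(deque)   # gate -> timestamps of recent refused scans
    for line in lines:
        ts_text, gate, ticket, result = line.split()
        ts = int(ts_text)
        if result == "ok":
            prev = last_ok.get(ticket)
            # Re-entry at the same gate is normal; two gates in quick
            # succession suggests the code was photographed or shared.
            if prev and prev[1] != gate and ts - prev[0] <= REUSE_WINDOW:
                alerts.append(("duplicate-ticket", ticket, prev[1], gate))
            last_ok[ticket] = (ts, gate)
        else:
            recent = fails[gate]
            recent.append(ts)
            while recent and ts - recent[0] > FAIL_WINDOW:
                recent.popleft()
            # Fire once when the threshold is reached, not on every later failure.
            if len(recent) == FAIL_THRESHOLD:
                alerts.append(("failed-scan-burst", gate, len(recent)))
    return alerts
```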

Conclusion

Digital security in events cannot be solved with a single tool. It is a combination of technical architecture, processes, training, compliance and operational judgement. Quishing, deepfakes and AI force organisers to think beyond basic privacy: they must protect identities, QR codes, content, access, suppliers and critical decisions.

The good news is that many measures can be applied without slowing down the experience: QR codes with secure tokens, official domains, role-based permissions, out-of-band verification, logs, encryption, limited retention and clear protocols. Security should not be an uncomfortable layer added at the end, but a natural part of event design.

For more information, you can read these posts on Data Security for Virtual & Hybrid Events and Data Protection at Virtual Events, which address risks related to privacy, digital platforms, registration and information protection.