Google Confirms Gmail Update—How To Keep Your Email Account
This is the warning that really matters.
Update: Republished on April 25 with a new threat to Microsoft accounts, further advice on new attack techniques, and how users can ensure their accounts are secure.
A Warning for 3 Billion Users
Google has confirmed a new Gmail update, but with a warning for its 3 billion users. Take heed because this is how you keep your email account.
If you fail to follow this advice, you could find yourself losing access to your account and all your content. If you do lose your Gmail account, you will have a limited window to get it back. There are no guarantees, though, and the damage that can be done in the interim is huge.
The Latest Attack on Gmail Users
Google is rightly frustrated with the latest attack on a Gmail user, which has somehow been framed as a major threat despite affecting only a small number of users. The danger is that the advice is drowned out by the noise as countless articles delve into how a fake email was sent in such a way that it appeared to come from Google itself.
The optics of millions of users scrutinizing their automated Google emails are painful. So first, let's get back to basics.
No Fake Emails from Google
No, you are not about to receive a flood of fake emails from no-reply@google.com or any other authenticated Google email address. Such attacks are targeted and very rare. That’s why they generate so many headlines in the first place.
You will receive a flood of malicious phishing emails though, despite Google’s assurance that its defenses now filter out 99% of these. And you do need to change your account settings to ensure you add a passkey and that you don’t rely on SMS two-factor authentication.
SMS 2FA is being phased out, but you should move faster and change today. More importantly, these sophisticated attacks on Gmail users that pretend to be from Google all rely on two false premises.
Two False Premises
The first premise is that attackers can easily obtain your login credentials by phishing or by exploiting a vulnerability in the app itself. That is not how it usually happens. In most cases, attackers still need to trick you into revealing your login credentials yourself, whether the lure arrives by email or by SMS.
Don't Fall for It
Never enter your password credentials into a webpage unless you have reached a main sign-in page through the usual channels, whatever the lure. Do not use SMS 2FA on your account; instead, set up an authenticator app as a minimum.
The Growing Sophistication of Criminal Phishing Tools
Attackers are becoming increasingly sophisticated in their tools and techniques. This is evident in the latest phishing kit dubbed SessionShark, which can steal valid user session tokens to defeat two-factor authentication on Office 365 accounts.
SlashNext has warned of this new attack, stating that it’s an adversary-in-the-middle (AiTM) phishing kit with advanced features to evade detection by major threat intelligence feeds and anti-phishing systems.
Don't Be Fooled
Phrases like ‘for educational purposes’ or ‘ethical hacking perspective’ in the kit's ad copy are a wink and a nod to buyers that this is a hacking tool, not a classroom demo. Never paste text strings, URLs or codes from one app into another, or into a sign-in dialog box, if asked to.
Protect Your Account
Set up passkeys, and never enter your password credentials into a webpage unless you have reached a main sign-in page through the usual channels. Never use SMS 2FA on your account; instead, set up an authenticator app as a minimum.
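Why this advice works against a session-stealing kit like the one described above comes down to what the login server can actually check. An SMS or authenticator code is just a number: the server cannot tell whether it was typed into the real sign-in page or relayed through a look-alike page. A passkey assertion, by contrast, carries the origin the browser actually showed the user and is only valid for a fresh server-issued challenge. The following Python is an added illustration of that server-side check, not code from Google, Microsoft or SlashNext; the origins, keys and challenge values are constructed for the demo, and an HMAC stands in for the authenticator's real asymmetric signature.

```python
"""
Toy relying-party (login server) logic contrasting a phishable one-time
code with an origin-bound, challenge-bound passkey (WebAuthn-style)
assertion. Added illustration; all names and values are constructed.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

LEGIT_ORIGIN = "https://accounts.example.com"   # constructed: the real sign-in origin
RP_ID = "accounts.example.com"                  # constructed: relying-party ID
LOOKALIKE_ORIGIN = "https://accounts-example.com"  # constructed: a look-alike page


# --- Scenario 1: password + one-time code (SMS or authenticator app) ------
def verify_otp(submitted_code: str, expected_code: str) -> bool:
    """The server only learns whether the digits are right. It has no way
    to know which page the user typed them into, so a code entered on a
    look-alike page and forwarded to the real site is accepted."""
    return hmac.compare_digest(submitted_code, expected_code)


# --- Scenario 2: passkey (WebAuthn-style) assertion -----------------------
def make_assertion(auth_key: bytes, challenge: str, origin: str, rp_id: str) -> Dict[str, bytes]:
    """Model of what the browser + authenticator produce. The browser, not
    the page, fills in 'origin' from the address bar; the authenticator
    signs authenticatorData || SHA-256(clientDataJSON).
    Assumption: HMAC replaces the real per-credential asymmetric key."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes)
    authenticator_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    signed = authenticator_data + hashlib.sha256(client_data).digest()
    return {
        "clientDataJSON": client_data,
        "authenticatorData": authenticator_data,
        "signature": hmac.new(auth_key, signed, hashlib.sha256).digest(),
    }


def verify_assertion(auth_key: bytes, assertion: Dict[str, bytes], expected_challenge: str,
                     expected_origin: str, rp_id: str) -> Tuple[bool, str]:
    """Server-side checks a relying party performs, in order. Any relayed
    assertion fails the origin check before the signature is even looked at."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(client_data.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (stale or replayed)"
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')}"
    if assertion["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(auth_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def run_demo() -> Dict[str, object]:
    """Four login attempts as the server sees them. Returns the verdicts."""
    key = secrets.token_bytes(32)          # constructed credential secret
    challenge = secrets.token_urlsafe(32)  # fresh per-login server challenge
    otp = "492017"                         # constructed one-time code
    results: Dict[str, object] = {}
    # 1. Correct code typed into a look-alike page and forwarded: accepted.
    results["otp_entered_on_lookalike_page"] = verify_otp(otp, otp)
    # 2. Passkey used on the real site: accepted.
    genuine = make_assertion(key, challenge, LEGIT_ORIGIN, RP_ID)
    results["passkey_on_real_site"] = verify_assertion(key, genuine, challenge, LEGIT_ORIGIN, RP_ID)
    # 3. Passkey prompted from a look-alike page: browser records that origin,
    #    so the server rejects it even though the signature itself is valid.
    relayed = make_assertion(key, challenge, LOOKALIKE_ORIGIN, RP_ID)
    results["passkey_prompted_on_lookalike_page"] = verify_assertion(key, relayed, challenge, LEGIT_ORIGIN, RP_ID)
    # 4. An old, genuine assertion replayed against a new challenge: rejected.
    results["passkey_replayed_later"] = verify_assertion(key, genuine, secrets.token_urlsafe(32), LEGIT_ORIGIN, RP_ID)
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The point of the contrast is in `verify_otp` versus `verify_assertion`: the one-time code check has nothing to bind it to a page, which is exactly the gap an adversary-in-the-middle kit exploits, whereas the passkey check fails closed on origin and challenge before the signature is considered. In a real deployment the relying party would also verify the stored public key and the signature counter, which the toy HMAC omits.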
These simple measures and sensible precautions mean you get to keep your Gmail account and your Microsoft email account where they should be — with you.