7 Tips to Fight Gmail Phishing Attacks
Popular email platforms like Gmail are prime phishing targets. Admins can adopt these steps to keep attackers at bay.
Phishing is not a new threat to the enterprise, but it is becoming subtler and more complex as threat actors adopt new strategies to trick their chosen victims.
"Phishing attacks are much more focused, more targeted," explains Mark Risher, director of product management for Google Sign-In, Abuse, and API. "It's no longer about broad-based, opportunistic attacks … now, the phisher is doing his or her homework."
Today's attackers know their victims and learn enough about their circumstances to add credible details to their attacks. Everyone in the consumer space is a potential target, says Risher, who says phishers cast a "fairly wide net" to achieve their goals.
"We have definitely seen a rise in sophistication of phishing attacks over the past few years and a shift toward 'quality' over 'quantity,'" says Amy Baker, vice president of marketing at Wombat Security. Broad-based attacks are still happening, but spearphishing and BEC are on the rise.
"Cybercriminals are increasingly using social media channels to mine for data and lay the groundwork for high-value attacks," Baker continues. "In these situations, we see multi-faceted approaches that incorporate social engineering techniques outside of email that ultimately make an email communication more believable."
Hackers want to take advantage of users' familiarity with Gmail and other products from high-visibility organizations like Amazon and Facebook. If they can't get a phishing email through corporate safeguards, they know users have fewer barriers on their personal accounts.
"If an employee makes a personal mistake while on a corporate network, that's a win for an attacker," says Baker.
Aaron Higbee, cofounder and CTO at PhishMe, says many pieces of traditional phishing advice still hold true: watch for misleading URLs and don't click on suspicious documents.
However, Gmail users can take precautions by adjusting permissions - one of the tips Google shares in a blog post on the subject.
Here are ways to reduce the risk of phishing attacks specific to Gmail users.
G Suite admins can enforce 2-step verification (2SV), one of the most effective ways to prevent unauthorized account access, explain Nicolas Kardas, product manager for Gmail Security, and Sam Lugani, who works with security product marketing for G Suite.
Employers can decrease the risk of a successful phishing attack by mandating everyone provide additional proof of identity when they sign in. Verification codes can be sent via mobile app alert, text, or voice call.
"It's well-established that passwords are necessary but not sufficient in protecting accounts," says Risher. A password should not be sufficient to make considerable changes on enterprise systems, and there should be several authentication checks to ensure hackers can't get access to data.
Administrators can also enforce authentication at the hardware level with security keys, which cut the risk of stolen credentials being used to compromise an account. Each security key sends an encrypted signature and only works with authorized websites. Admins can deploy and monitor keys directly from the admin console.
Google Safe Browsing is used across the Android, iOS, and web Gmail clients to prevent phishing. It disables suspicious links and attachments and shows warnings to stop users from clicking potentially malicious content.
POP and IMAP, particularly in the enterprise, are legacy protocols that provide flexibility but come at a cost, says Risher. He says Google is allocating more resources to go beyond just getting messages and warn users about suspicious circumstances and dangerous links. G Suite admins can completely disable POP and IMAP, or use them on a case-by-case basis. Risher explains this is part of a broader initiative to apply as much security as possible without administrators needing to get involved.
"By choosing to disable POP and IMAP, admins can ensure that all G Suite users will only use Gmail clients and benefit from the built-in phishing protections that they provide," say Kardas and Lugani. Both can be disabled at the organizational unit level, but it's worth noting that doing this will disable all third-party email clients, including native mobile mail clients.
"As the G Suite administrator for a business, you need to lock down which applications any one of your users can grant permissions to, and regularly audit and renew that," says PhishMe's Higbee.
If an application has access to a user's Gmail and basic account information, it can read and manipulate all the email inside that Gmail account. This is fine if you trust the app, he says, but a user who grants those permissions to a malicious app hands it the same access to their Gmail.
"What [admins] should do first and foremost is see what [the app] is asking for" as they try to gauge whether it's safe for employees to use, Higbee says. While administrators are generally left to their own devices to verify applications, knowing the information it requires can make a big difference in the approval process.
Kardas and Lugani advise admins to use OAuth apps whitelisting to dictate which applications can access users' G Suite data. This restricts users so they can only provide data to approved apps, and prevents malicious apps from tricking users into sharing their data. Admins can whitelist applications by going to the admin console under G Suite API Permissions.
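The audit-and-whitelist step above can be scripted. This is an added example, not code from the article or from Google: it takes a list of OAuth grants (constructed sample records; the client ids, app names and users are made up, and a real audit would export the grants from the admin console or token reports), labels the Gmail scopes each grant carries, and flags any mailbox-reaching grant whose client id is not on the admin whitelist.

```python
# Added example (not from the article or Google): audit third-party OAuth
# grants for Gmail access and check them against an admin whitelist.
# The grant records below are constructed sample data; in practice they
# would be exported from the admin console / token reports (assumption).
from dataclasses import dataclass

# Real Google OAuth scope identifiers; the risk label attached to each is ours.
GMAIL_SCOPE_RISK = {
    "https://mail.google.com/": "full mailbox read/write/delete",
    "https://www.googleapis.com/auth/gmail.modify": "read, label and archive mail",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/gmail.compose": "create drafts and send mail",
}

@dataclass(frozen=True)
class Grant:
    user: str
    client_id: str      # OAuth client id the user authorised (constructed values)
    app_name: str
    scopes: tuple

def gmail_risk(grant):
    """Return the Gmail-related scopes in a grant, each with a readable label."""
    return {s: GMAIL_SCOPE_RISK[s] for s in grant.scopes if s in GMAIL_SCOPE_RISK}

def audit(grants, whitelist):
    """Flag grants that reach the mailbox and come from a non-whitelisted app.
    Returns (user, app_name, [labels]) tuples an admin should review or revoke."""
    findings = []
    for g in grants:
        risky = gmail_risk(g)
        if risky and g.client_id not in whitelist:
            findings.append((g.user, g.app_name, sorted(risky.values())))
    return findings

# Constructed sample data: one approved app, one unknown app with full mailbox
# access, and one app that never touches Gmail at all.
WHITELIST = {"111111-approved-crm.apps.googleusercontent.com"}
SAMPLE_GRANTS = [
    Grant("alice@example.com", "111111-approved-crm.apps.googleusercontent.com",
          "Approved CRM", ("https://www.googleapis.com/auth/gmail.readonly",
                           "https://www.googleapis.com/auth/userinfo.email")),
    Grant("bob@example.com", "222222-unknown.apps.googleusercontent.com",
          "Free Mail Enhancer", ("https://mail.google.com/",)),
    Grant("carol@example.com", "333333-calendar.apps.googleusercontent.com",
          "Calendar Helper", ("https://www.googleapis.com/auth/calendar.readonly",)),
]

if __name__ == "__main__":
    for user, app, labels in audit(SAMPLE_GRANTS, WHITELIST):
        print(f"REVIEW {user}: '{app}' can {', '.join(labels)}")
```

Only the unknown app with the full `https://mail.google.com/` scope is reported; the whitelisted CRM and the calendar-only app pass.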
If you're worried about where employees are sharing their G Suite logins, deploy Password Alert. This Chrome extension checks each website employees visit to see whether it's impersonating Google's sign-in page. If users log in with G Suite credentials anywhere outside Google's legitimate page, they receive an alert.
Administrators can enforce Password Alert from their admin panel by accessing Device management > App management > Password Alert, and by checking "Force installation" under "User Settings" and "Public Session Settings." They can also turn on password alert auditing, send email alerts, and mandate password changes if credentials are used on a non-trusted site.
"What they're really banking on is humans following the bad practice of having their Gmail password be the same as other passwords," says Higbee of phishers. "They'll try to scare users into thinking there's a problem with their account - that they have to click a link to repair access or they're going to lose it."
He advises security leaders to tell their employees to use different passwords for Gmail and other accounts, review their recovery options and ensure account recovery is set up, and use two-step verification.
By default, the Gmail clients for Android and the web tell G Suite users when they're responding to emails potentially sent by someone they don't normally interact with. The safeguard helps businesses protect against spoofed emails and basic errors like emailing the wrong contact. Employees should be taught to look for these warnings and exercise caution when responding to unfamiliar senders.
On a broader level, teaching employees about security is key in preventing phishing attacks.
"We still see too many organizations shying away from ongoing education," says Baker. "Cybercriminals are attacking on a daily, if not hourly, basis. Cybersecurity should be a top-of-mind pursuit for all employees, not just IT staff."
Once- or twice-a-year discussions and occasional emails are not enough to educate employees on security, she continues. If admins want to change users' behavior, they have to provide the tools for them to learn and improve over time. Employees should also be given a way to report suspicious emails to infosec response teams, she adds.
Work profiles disconnect sensitive corporate data from users' personal information by separating business applications from personal applications. Admins can use G Suite's integrated device management to enforce the use of work profiles, whitelist applications that can access corporate information, and block users from installing apps from unknown sources.