How to Avoid Gmail Hacks

On March 19, 2016, Mr. John Podesta - Hillary Clinton's Campaign Chairman - received an email advising him that his Gmail account had been compromised.

The email looked like an official communication from Google. It even had a link available in the email to change his password. It was not. It was intentionally crafted to make Mr. Podesta believe that it was an official alert from Google.

And when Mr. Podesta clicked on the link, he was brought to a website designed to look like Google's password rotation site. What Mr. Podesta didn't realize was that the site wasn't Google's - he received a phish - and he inadvertently gave his account's password away to Ukrainian hackers.

The rest is history. Mr. Podesta's email was siphoned and uploaded to Wikileaks, a data breach that - in part - is alleged to have been used by the Russian government to exert influence over a United States election cycle.

Update 2017.05.31: Google announces new tools and features in Gmail to help prevent phishing attacks.

Update 2017.06.05: A good article on how to identify and avoid common phishing scams by Dave Albaugh.

Okay, so maybe your concerns don't involve the Presidency of the United States, but the confidentiality of your affairs is still important to you. You don't want your Gmail or Google Apps (G-Suite) email to be hacked. So what can you do?

1. Question Authority.

When it comes to the security of your Google account (really, any online account you may own), never act on impulse.

Emails like the one Mr. Podesta received are designed to get you to stop thinking and just take action - the intent is to disconnect your logical mind by triggering an overriding emotion, like fear, and to get you to click on a hyperlink found within the email. Don't fall for it.

There is a similar attack going around concerning Google Drive. You may receive an email that says somebody (you may or may not know) has shared a file with you on their Google Drive. If you click on the link to access the file, you're brought to a login screen similar to Google's that captures your email address and password; your credentials are then used to access your account and make changes to your email settings.
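Both phishes above rely on a link that only looks like it goes to Google. The check below, added here as an example and not code from the original post, parses the link the way a browser does and accepts it only when the real hostname is a Google domain; the trusted suffix list and the sample links are constructed assumptions for this example.

```python
from urllib.parse import urlsplit

# Assumption for this example: hostnames we treat as legitimate for account
# and Drive links (not an official Google list).
TRUSTED_SUFFIXES = ("google.com", "gmail.com")


def is_trusted_google_link(url: str) -> bool:
    """True only if the link really points at a trusted Google host.

    - scheme must be https (a password page over http is already wrong)
    - the hostname the browser will connect to, not whatever text appears
      before an '@', must equal a trusted suffix or be a subdomain of it;
      'accounts.google.com.example.net' and 'accounts-google.com' merely
      contain the name and are rejected
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def audit_links(links):
    """Classify each candidate link; returns a list of (url, verdict)."""
    return [(u, "trusted" if is_trusted_google_link(u) else "SUSPICIOUS")
            for u in links]


# Constructed sample links (placeholders, not real phishing URLs) showing
# the shapes that fool a quick glance.
SAMPLE_LINKS = [
    "https://accounts.google.com/signin/recovery",
    "https://myaccount.google.com/security",
    "http://accounts.google.com/",                      # plain-http downgrade
    "https://accounts.google.com.example.net/login",    # Google name as prefix
    "https://accounts-google.com/reset",                # lookalike domain
    "https://accounts.google.com@example.net/reset",    # '@' userinfo trick
    "https://drive.google.com/file/d/abc/view",
]

if __name__ == "__main__":
    for url, verdict in audit_links(SAMPLE_LINKS):
        print(f"{verdict:10s} {url}")
```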

2. Use the Tools Yourself.

If you suspect that your account may have been compromised, Google has a tool that you can use to rotate your password and investigate the matter on your own. It's found at www.google.com/accounts.  

Open a browser and go there yourself. Rotate (change) your Google password on your own. And by the way, don't be a wuss: now's not the time to go convenient on your Google password. Woman-up and do what needs to be done: change your password to something unique and strong.

In the case of Google Drive, access Google Drive directly on the web and go to the Shared With Me section of Drive. If somebody shared a file with you, it'll actually appear in this list. Check for it there.

3. Protect Yourself - Security Self-Service.

Take a few minutes to evaluate the Google Accounts site.

  • Do you need to recover a hacked Gmail account? You can do so yourself.

  • Are there devices and applications connected to your account? Don't recognize them? Just disconnect them. Clean this up. Only allow current devices and applications that you actually use to access this account.

  • Do you have a recovery cell phone number? If you do, is it your cell phone? If you don't have a recovery cell phone number, add it now.

  • Have you enabled two-factor authentication? Two-factor authentication requires not only what you know (your password) but what you have (your cell phone) in order for you to log in to your account. If two-factor authentication is enabled, the hacker can't sign in as your account unless they have your cell phone, which is highly unlikely.

  • Have you set your security alert settings? Get notified directly on a more secure channel when something is suspicious about your account - like, get a text message from Google to your recovery cell phone. That way, you won't need to fall for the phish.

  • Do you notice strange computers or devices acting on your account? This information is also available from the Gmail Security Details link in the bottom-right corner of your Gmail screen.

  • Force a sign-off from all active sessions. That will force anyone who wants to use your account to re-authenticate: they'll have to know your new password to sign in again.

  • Is your Gmail account being filtered? One of the ways these exploits work is to set up a filter in your Gmail account that deletes any inbound mail sent to you, so it'll look like you're not receiving email. Check your Gmail Filters. If you see a filter that says any mail addressed to your email account should be deleted, remove that filter.

  • Is your account accessible by less secure apps? This setting should only be enabled (flipped on) if you're using a legacy (old) email program to retrieve your email. It's a less secure setting to receive your email, and some hacks try to flip this setting on so it's easier to get at your email. If you're not sure, turn it off.
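The filter check above can be done offline against the XML file that Gmail's Settings > Filters > Export produces. The script below is an added example, not code from the original post; it flags every filter that deletes, archives or forwards mail and rates it HIGH when it applies to all mail, targets your own address, or forwards anywhere. The sample export and addresses are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"
# Filter actions that keep mail out of sight; forwardTo sends copies away.
HIDING = {"shouldTrash": "delete", "shouldArchive": "skip inbox"}
# Criteria that narrow a filter to particular senders or words.
NARROWING = ("from", "subject", "hasTheWord", "doesNotHaveTheWord")

def audit_filters(xml_text: str, my_address: str):
    """Return (severity, description) for each filter that hides or
    forwards mail; filters that only label or star mail are skipped."""
    findings = []
    for entry in ET.fromstring(xml_text).iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.iter(APPS + "property")}
        actions = [v for k, v in HIDING.items()
                   if props.get(k, "").lower() == "true"]
        forward = props.get("forwardTo", "")
        if forward:
            actions.append("forward to " + forward)
        if not actions:
            continue
        broad = not any(props.get(k) for k in NARROWING)   # matches all mail
        aimed_at_me = props.get("to", "").lower() == my_address.lower()
        severity = "HIGH" if broad or aimed_at_me or forward else "review"
        crit = ", ".join(f"{k}={v}" for k, v in props.items()
                         if k in NARROWING + ("to",) and v) or "(all mail)"
        findings.append((severity, f"{crit} -> {'; '.join(actions)}"))
    return findings

# Constructed sample in the shape of Gmail's filter export (Atom + apps ns).
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry><title>Mail Filter</title>
    <apps:property name='from' value='news@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/></entry>
  <entry><title>Mail Filter</title>
    <apps:property name='to' value='me@example.com'/>
    <apps:property name='shouldTrash' value='true'/></entry>
  <entry><title>Mail Filter</title>
    <apps:property name='hasTheWord' value='password'/>
    <apps:property name='forwardTo' value='drop@example.net'/></entry>
</feed>"""

if __name__ == "__main__":
    for severity, desc in audit_filters(SAMPLE_EXPORT, "me@example.com"):
        print(f"{severity:6s} {desc}")
```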

4. Don't Just Give Away Access to Your Google Account.

Over time, you may have indiscriminately given access to your account to other applications. When dealing with a compromise situation, turn off all access to your account by removing those applications from your Connected Applications list; you can always add them back later.

[Image: apps_auth_screen.png]

Second, think harder about that. When asked about connecting applications and granting them authority to look at your account, you're going to receive a screen that looks like this from Google.

Think very hard: is this something you really want? Do you know or trust the vendor (Twilio in this case)? Is this actually a good idea? Think critically: are you about to share critical account information with someone you don't know?

5. Ask for Help.

If you have a question about a suspicious email that you received, talk to your IT folks and/or a trusted IT professional before clicking on it. If you're on the Google Accounts site and need clarification about what it's telling you, ask someone. If you're being challenged to provide authentication for account access and you're not sure why, please ask a trusted professional.

Remember that Google Apps / G-Suite / Gmail isn't an insecure platform. It isn't Gmail that's hacked - it's the human that's hacked. In all of these cases, what's being exploited here are human weaknesses.

Humans will react emotionally to phishing emails instead of acting rationally.

Humans will create weak passwords because it's more convenient than using stronger passwords.

Humans may not enable two-factor authentication because they don't know it's there, or, it's an inconvenience they'd rather not bother with.

Humans may not review what devices and applications are accessing their accounts because they don't know how to perform this check, or, they don't want to be bothered by it.

Humans will allow any application access to their account because it's convenient to do so.

Convenience is the enemy of security. If you're genuinely interested in protecting you, your family, your company, your clients, your patients - everyone - from security compromises and breaches, then take action. Follow some of these best practices. Stop making security convenient. Think before you click. Ask for help.

R