How to Avoid Gmail Hacks
Don't be a statistic. If you use Gmail / Google Apps / G-Suite, take a few minutes to review some of these security precautions to protect your account from being hacked.
On March 19, 2016, John Podesta, chairman of Hillary Clinton's presidential campaign, received an email warning him that his Gmail account had been compromised.
The email looked like an official Google security alert, complete with a link to change his password. It was not. It was deliberately crafted to make Mr. Podesta believe it was a genuine alert from Google.
When Mr. Podesta clicked the link, he landed on a page designed to look like Google's password reset page. The site wasn't Google's: he had been phished, and he handed his account password to attackers who have since been publicly attributed to Russian military intelligence.
The rest is history. Mr. Podesta's email was siphoned off and published on WikiLeaks, a breach that is alleged to have been used, in part, by the Russian government to influence a United States election cycle.
Update 2017.05.31: Google announces new tools and features in Gmail to help prevent phishing attacks.
Update 2017.06.05: A good article on how to identify and avoid common phishing scams by Dave Albaugh
Okay, so maybe your concerns don't involve the Presidency of the United States, but the confidentiality of your affairs is still important to you. You don't want your Gmail or Google Apps (G Suite) email to be hacked. So what can you do?
1. Question Authority.
When it comes to the security of your Google account (really, any online account you may own), never act on impulse.
Emails like the one Mr. Podesta received are designed to get you to stop thinking and just take action. The intent is to disconnect your logical mind from the decision with an overriding emotion, like fear, and get you to click a hyperlink in the email. Don't fall for it.
There is a similar attack going around concerning Google Drive. You may receive an email saying that somebody (whom you may or may not know) has shared a file with you on their Google Drive. If you click the link to access the file, you're brought to a login screen that imitates Google's and captures your email address and password; your credentials are then used to sign in to your account and change your email settings.
2. Use the Tools Yourself.
If you suspect that your account may have been compromised, Google has a tool that you can use to rotate your password and investigate the matter on your own. It's found at www.google.com/accounts.
Open a browser and go there yourself. Rotate (change) your Google password on your own. And by the way, don't be a wuss: now's not the time to go convenient on your Google password. Woman-up and do what needs to be done: change your password to something unique and strong.
In the case of Google Drive, access Google Drive directly on the web and go to the Shared With Me section of Drive. If somebody shared a file with you, it'll actually appear in this list. Check for it there.
3. Protect Yourself - Security Self-Service.
Take a few minutes to evaluate the Google Accounts site.
Do you need to recover a hacked Gmail account? You can do so yourself.
Are there devices and applications connected to your account? Don't recognize them? Just disconnect them. Clean this up. Only allow current devices and applications that you actually use to access this account.
Do you have a recovery cell phone number? If you do, is it your cell phone? If you don't have a recovery cell phone number, add it now.
Have you enabled two-factor authentication? Two-factor authentication requires not only what you know (your password) but also what you have (your cell phone or a security key) in order to log in to your account. With it enabled, a stolen password alone is not enough for the attacker to sign in. One caveat: codes delivered by SMS are the weakest form, since they can be relayed by a real-time phishing page or captured through a SIM swap; an authenticator app is better, and a hardware security key resists both.
Have you set your security alert settings? Get notified on a separate, more trustworthy channel when something about your account looks suspicious, for example a text message from Google to your recovery cell phone. An alert you asked for is the one you can trust; an unexpected email asking you to click is the one you can't.
Do you notice strange computers or devices acting on your account? This information is also available from the Details link under Last account activity in the bottom-right corner of your Gmail screen.
Force a sign-out from all active sessions (the same Details page offers this). That forces anyone using your account to re-authenticate: they'll have to know your new password to sign in again.
Is your Gmail account being filtered? One of the ways these attacks work is to set up a filter in your Gmail account that deletes, archives, or forwards inbound mail, so it looks as though you simply aren't receiving email while the attacker reads it from the Trash or from a forwarding address. Check your Gmail filters (Settings > Filters and Blocked Addresses). If you see a filter that says any mail addressed to your account should be deleted, or a filter forwarding mail to an address you don't recognize, remove it. Check Settings > Forwarding and POP/IMAP for forwarding addresses you didn't add as well.
Is your account accessible by less secure apps? This setting should only be enabled (flipped on) if you're using a legacy (old) email program that signs in with just your username and password over IMAP or POP. It's a less secure way to receive your email, and some attackers flip this setting on so it's easier to get at your mailbox with the stolen password alone. If you're not sure, turn it off.
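Clicking through a long filter list by eye is error-prone, and Gmail lets you export the list from Settings > Filters and Blocked Addresses. The script below is an added example for this post, not code from the original article or from Google: it parses a filter export and flags the patterns described in the filter check above, a filter that trashes everything addressed to you, a filter forwarding mail to an address you didn't set up, and a filter that silently archives and marks read all inbound mail. The XML is constructed in the shape of Gmail's export (an Atom feed whose entries carry apps:property name/value pairs), the addresses in it are made up, and the account's own address list and known forwarding targets are assumptions you would fill in.

```python
"""Audit an exported Gmail filter list for the changes a hijacker typically makes.

Added example for this post; it is not code from the original article or from
Google. The XML below is constructed in the shape of Gmail's
Settings > Filters > Export file (an Atom feed whose <entry> elements carry
apps:property name/value pairs); the addresses in it are made up.
"""
import xml.etree.ElementTree as ET

NS = {
    "atom": "http://www.w3.org/2005/Atom",
    "apps": "http://schemas.google.com/apps/2006",
}

# Constructed sample: one harmless filter, one "delete everything" filter of the
# kind described above, and one that quietly forwards sensitive mail outward.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='to' value='victim@example.com'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='invoice OR password OR wire'/>
    <apps:property name='forwardTo' value='collector@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>"""

# Assumptions: the account's own addresses, and forwarding targets you set up.
MY_ADDRESSES = {"victim@example.com"}
KNOWN_FORWARDS = set()

# Properties that narrow which messages a filter matches; everything else is an action.
CRITERIA = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord", "hasAttachment")


def parse_filters(xml_text):
    """Return one {property name: value} dict per filter entry."""
    root = ET.fromstring(xml_text)
    return [
        {p.get("name"): p.get("value") for p in entry.findall("apps:property", NS)}
        for entry in root.findall("atom:entry", NS)
    ]


def audit_filters(filters, my_addresses=MY_ADDRESSES, known_forwards=KNOWN_FORWARDS):
    """Return (filter number, reason) for every filter that deserves a look."""
    findings = []
    for n, f in enumerate(filters, 1):
        criteria = {k: v for k, v in f.items() if k in CRITERIA}
        # "Matches everything": no criteria at all, or only "to: <my own address>".
        catch_all = not criteria or (
            set(criteria) == {"to"} and f["to"].lower() in my_addresses
        )
        if f.get("shouldTrash") == "true":
            findings.append((n, "deletes all inbound mail" if catch_all
                             else f"deletes mail matching {criteria}"))
        if f.get("forwardTo") and f["forwardTo"].lower() not in known_forwards:
            findings.append((n, f"forwards matching mail to {f['forwardTo']}"))
        if catch_all and f.get("shouldArchive") == "true" and f.get("shouldMarkAsRead") == "true":
            findings.append((n, "hides all inbound mail from the inbox"))
    return findings


if __name__ == "__main__":
    for n, reason in audit_filters(parse_filters(SAMPLE_EXPORT)):
        print(f"filter {n}: {reason}")
```

On the sample, the newsletter filter is left alone, filter 2 is reported as deleting all inbound mail, and filter 3 as forwarding to an unknown address. Any filter the script reports that you didn't create yourself should be deleted, and the forwarding address it points to noted as evidence before you remove it.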
4. Don't Just Give Away Access to Your Google Account.
Over time, you may have indiscriminately given access to your account to other applications. When dealing with a compromise situation, turn off all access to your account by removing those applications from your Connected Applications list; you can always add them back later.
Second, think harder before you grant that access in the first place. When an application asks to connect to your account and look at your data, Google shows you a consent screen like the one below.
Think very hard: is this something you really want? Do you know or trust the vendor (Twilio in this case)? Do you understand what each requested permission lets the application do? Are you about to hand account data to someone you don't know?
5. Ask for Help.
If you have a question about a suspicious email that you received, talk to your IT folks and/or a trusted IT professional before clicking on it. If you're on the Google Accounts site and need clarification about what it's telling you, ask someone. If you're being challenged to provide authentication for account access and you're not sure why, please ask a trusted professional.
Remember that Google Apps / G-Suite / Gmail isn't an insecure platform. It isn't Gmail that's hacked - it's the human that's hacked. In all of these cases, what's being exploited here are human weaknesses.
Humans will react emotionally to phishing emails instead of acting rationally.
Humans will create weak passwords because it's more convenient than using stronger passwords.
Humans may not enable two-factor authentication because they don't know it's there, or, it's an inconvenience they'd rather not bother with.
Humans may not review what devices and applications are accessing their accounts because they don't know how to perform this check, or, they don't want to be bothered by it.
Humans will allow any application access to their account because it's convenient to do so.
Convenience is the enemy of security. If you're genuinely interested in protecting you, your family, your company, your clients, your patients - everyone - from security compromises and breaches, then take action. Follow some of these best practices. Stop making security convenient. Think before you click. Ask for help.
My Review of a Nextbit Robin
An honest review of the Nextbit Robin and my experience with Android 6.0.1. And a warning: I just picked up an Apple iPhone 7 and will never go back to Android phones.
Around March 2016, I picked up a new phone. The Nextbit Robin. I'd never owned an Android phone before but the Robin had some pretty compelling specs as compared to the iPhone 6s:
2 GHz hexa-core Snapdragon 808
2680 mAh fixed battery
3 GB RAM and 32 GB storage
13 MP / 5 MP rear/front camera
WiFi, GPS, Bluetooth, NFC, 4G
Plus, hey: the form factor and color options were pretty cool and retro. I've got to admit that it's a pretty phone.
Robin started as a Kickstarter campaign, and some of the overall concepts of the phone intrigued me, primarily the idea of a phone built entirely around a cloud-based storage model. Part of the phone's offering is 100 GB of cloud storage that the OS syncs against, so things like photos, videos, and music wouldn't have to be stored on the physical unit.
With local device encryption and Android Mobile Device Management Policies implemented through Google Apps, I felt I could make the phone reasonably secure.
Like I said: I'd never owned an Android phone before and I was interested in the phone from a technical-curiosity perspective, but I must admit: I recently purchased an Apple iPhone 7. It arrives tomorrow and I intend never to go back to Android. I had really thought Android was on-par now with iOS, but after my experience with it, I now feel that just isn't the case.
I didn't have the best experience. In using it for six months:
The Robin's OS performance and hardware seemed to degrade.
Battery life seemed to be eroded very quickly and it retains less than a five hour charge now - I have to charge it twice a day;
I literally can't make a telephone call from the unit and have people hear me unless I turn on the speaker phone - even after reboots - I can't even figure out what happened there;
Voice recognition is far inferior to Apple - it's like I have to fight with the narration to get my ideas down on the device;
Application integration in Android seems tedious - so many permissions and allowances just to get anything accomplished;
Vendor support for Android and Android Pay seemed unrealistically non-existent - my bank didn't support it as they supported iOS' ApplePay;
Android updates took over 45 minutes to be applied to the unit; its cloud-based sync offered no superior functionality to Apple's sync services;
I'd lose text messages - stuff never arrived to me or my messages never left the device;
The chassis flexed and bent too easily, creating a warped line on the phone so that it didn't sit evenly with a table within a month.
Through my experience with it, I had to spend an inordinate amount of time troubleshooting the phone, restarting it, resetting its image, fiddling with settings. I spent a lot of time fighting with this phone. Likely, my problems were more related to Android than Nextbit's product itself. As such, I couldn't recommend this phone (perhaps any Android phone) to anyone who simply wants a working, secure appliance that takes minimal effort to use. If they want a hobby or to play around with a phone, this wasn't a bad unit - it was fairly fast - but it was so distracting that it compromised my ability to get work done; missing text messages was bad, but the inability to complete a phone call was the last straw.
Perhaps you had a different experience with the Nextbit - I hope so. I really liked some of the ideas presented in the Kickstarter. However, I just can't say I'm an Android person, and my Nextbit experience was enough to solidify my ideas and satiate my curiosity: I'm going back to Apple.
Google Apps for Work - Vancouver, WA Partner
Google Apps for Work is a great solution for small business! Mickler & Associates, Inc. of Vancouver, WA and Portland, OR is uniquely qualified to help your company move into the Google cloud!
Google Apps for Work offers small businesses an opportunity to use enterprise-class email at a fraction of the cost.
Imagine: all of your company's email, contacts, calendars, and files, securely accessible from anywhere and on any device! And Google Apps for Work comes with the best anti-spam and anti-malware filtering available.
Google Apps has four compelling metrics for the small business owner.
1. Its cost is extremely low as compared to a solution that you’d manage on your own. It scales to your needs, where you can add and remove users/cost at your own discretion.
2. Every Google Apps user gets 30 GB of email and file storage in Google Apps – an extraordinary amount of space for the cost.
3. Google Apps enjoys “six-nines” up-time: Google is online 99.9999% of the time, which works out to at most about half a minute of downtime per year. That’s better than “five-nines” up-time (99.999%, or roughly five minutes a year), which is an enterprise computing standard. Google Apps is extraordinarily reliable.
4. Control. We can control the security and the user experience with Google Apps from one centralized point, protecting your employees, your customers, and your company’s intellectual property.
A Google Apps for Work Reseller and Partner since 2008, Mickler & Associates, Inc. is uniquely qualified to assist small and large companies moving to Google Apps for Work. We've helped hundreds of companies and more than 2,200 users all across the US and Canada.
Want to know more? Just ask! Heck, we don't charge anyone for the privilege to learn how we can help their business. Thanks again for your time.