Phishing on GSuite

Recently, more and more Google accounts are being targeted by hackers trying to gain access to them through an attack known as Phishing.

As educators – you have a duty to safeguard the sensitive information which you have access to and this post will cover a couple of simple steps you can take to ensure this is done!

What is Phishing?

According to Google, Phishing is:

[Image: Google's definition of phishing]

And according to Microsoft – Phishing email messages are “designed to steal money” by either “installing malicious software” or “stealing personal information” from you.

Usually, they come in the form of an email which looks genuine at the surface level but is in fact carefully crafted as a means to obtain your details, namely your username and password.

It’s a far more subtle and believable version of the old classic – “Nigerian Prince” email scams asking for your bank details.

Please Go Secure

The first trick to protect yourself is that whenever you open any link, anywhere, which asks you to sign into Google you must always remember the mnemonic Please Go Secure.

This will remind you of 3 things to check every single time. Padlock. Google. Spelling.

Padlock

If you are asked to sign in to Google – then genuine Google sites will always have a padlock in the URL box at the top. Below is what it looks like on all standard browsers:

[Screenshots: the sign-in address bar in Google Chrome, Mozilla Firefox, Microsoft Edge, Microsoft Internet Explorer and Opera]

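As can be seen, most browsers have a green padlock but they all have at the very least a padlock. This lets you know that the connection is encrypted and that the site’s certificate (like a stamp of trustworthiness) is legitimate for the address shown. The padlock says nothing about who runs that address, which is why the next two checks matter just as much.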

Google

Next, make sure that Google is in the URL! The only time you will ever need to sign into Google is if the URL actually contains part of a Google domain. Look at the domain itself, the part between https:// and the next slash, because google appearing anywhere else in the address proves nothing. No matter how real the page looks, no matter how Google it appears, if it doesn’t have google in the URL then it is not Google.

[Screenshot: a sign-in page that looks like Google but does not have google in the URL]

This page does not have google in the URL – therefore it is not Google. Do not put your username or password in here. No matter how real it looks.

Spelling

By far the easiest way people are caught out by phishing is a URL made to look like a genuine URL which in reality contains a very simple spelling mistake that the hacker is hoping you don’t notice.

Always, always, always check the spelling.

For example, gooogle is not google.

acccount is not account.

tw1tter is not twitter.

If a word is misspelled, do not sign in.

Please Go Secure. P is for Padlock. G is for Google. S is for Spelling.

Check these 3 things quickly every time you need to sign in to Google and you will be protecting yourself and your colleagues and students a great deal.
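
For administrators who want to run the same three checks over links automatically, here is an added example (not part of the original post) that applies Padlock, Google and Spelling to a URL. It goes slightly beyond the text by matching the host against google.com rather than just looking for the word google; the function names, the brand list and the sample URLs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: sign-in is only expected on google.com and its subdomains
# (the article's own link is https://accounts.google.com).
GOOGLE_DOMAIN = "google.com"
# Words an attacker imitates; the first three come from the article's examples.
BRANDS = ("google", "account", "twitter", "accounts")
# Characters commonly swapped for a similar-looking one (1 and i both look like l).
SWAPS = str.maketrans({"0": "o", "1": "l", "i": "l"})


def skeleton(word):
    """Reduce a word to a form where look-alike spellings collide."""
    swapped = word.lower().translate(SWAPS)
    return re.sub(r"(.)\1+", r"\1", swapped)  # gooogle and google -> gogle


BRAND_SKELETONS = {skeleton(b) for b in BRANDS}


def please_go_secure(url):
    """Return the names of the failed checks; an empty list means all pass."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    failed = []
    # Padlock: the page must be served over HTTPS.
    if parts.scheme.lower() != "https":
        failed.append("padlock")
    # Google: the host must BE google.com or end in .google.com. A plain
    # substring test would accept google.com.something-else.example.
    if host != GOOGLE_DOMAIN and not host.endswith("." + GOOGLE_DOMAIN):
        failed.append("google")
    # Spelling: any word that collides with a brand but is not spelled like it.
    words = [w for w in re.split(r"[^a-z0-9]+", (host + parts.path).lower()) if w]
    if any(w not in BRANDS and skeleton(w) in BRAND_SKELETONS for w in words):
        failed.append("spelling")
    return failed


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real campaign.
    for sample in (
        "https://accounts.google.com/signin",
        "http://accounts.google.com/signin",
        "https://accounts.google.com.signin.example/ServiceLogin",
        "https://acccount-gooogle.example/login",
        "https://tw1tter.example/",
    ):
        print(sample, "->", please_go_secure(sample) or "ok")
```

A URL only passes when the returned list is empty; any single failed check is enough reason not to sign in.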

2 Step Verification

The biggest thing you can do to protect yourself from being hacked is to add an extra layer of security on your account. This means that if a hacker does get your password – it is useless to them without that second layer… your phone.

2 step verification means that when you enter your username and password into Google, a 6 digit code will either be sent to you as a text message or shown in the Google Authenticator app. Unfortunately your Google Admin cannot turn this on for you so you must turn this on yourself!

This is, as I mentioned, by far the biggest thing you can do to protect your account and it only takes a couple minutes to set up.

1.) Go to https://accounts.google.com

2.) On the first column, look for Security Check-up

3.) Enter a recovery phone number and email address, if you have one. Click Done.

4.) Check the devices currently signed in to your account. Click Looks Good below if it all looks okay, or Something Looks Wrong if any of them don’t seem right.

5.) Check all the account permissions. This lists all apps which have access to your account and what level of access they have. Anything which is no longer relevant or doesn’t look quite right, click Remove. When satisfied, click Done.

6.) Finally, the most important step, set up 2 step verification so that when you log in to a new place Google will text you a code to prove it is in fact you who is logging in. If this is set up on your account, this will protect you from phishing attacks as an attacker cannot log into your account without your phone.


So, to recap, the best way for you to combat an increase in phishing attacks on Google accounts is to remember the mnemonic whenever you put your username and password in – Please Go Secure – and to set up 2 step verification on your account.

And if you ever receive any suspicious emails you suspect might be phishing attacks – alert Google or your System Administrator.
