The Warning That Really Matters: How to Keep Your Email Account Secure
As a Gmail user, you’re likely aware of the recent update and warning from Google regarding a new Gmail attack. But amidst the noise of fake emails and phishing scams, it’s easy to overlook the crucial advice that can keep your account safe. In this post, we’ll dive into the key points and trends, and provide actionable insights to ensure your email account remains secure.
The Basics: No Flood of Fake Emails
First, let’s set the record straight: you won’t receive a flood of fake emails from [email protected] or any other authenticated Google email address. These targeted attacks are rare, which is why they generate so many headlines. However, you will receive malicious phishing emails, despite Google’s assurance that its defenses now filter out 99% of these.
The Real Danger: Sophisticated Attacks
The real danger lies in sophisticated attacks that pretend to be from Google. These attacks rely on two false premises: that Google’s support staff may proactively reach out to you by email, phone, or message; and that, when you receive an email or message about an account issue, Google may legitimately ask for your account credentials. The truth is that Google will not call you to reset your password or troubleshoot account issues, and it will not ask for your credentials.
The Importance of Passkeys and 2FA
To keep your account secure, it’s essential to set up a passkey and a stronger form of 2FA than SMS. SMS 2FA is being phased out anyway, but you should move faster than that and change today. Additionally, remember that any proactive support contact from Google (or Microsoft, Apple, Samsung, or any other big tech company) is a scam. If you have any doubt, hang up the call or ignore the emails, and contact the company through its normal, publicly available channels.
New Threats: OAuth Phishing and SessionShark
A new report from Volexity warns of a technique that abuses legitimate Microsoft OAuth 2.0 authentication workflows. The attackers lure victims by impersonating officials from various European nations, then ask them to send back a Microsoft-generated OAuth code. This is an OAuth phishing lure that leverages trusted app login workflows, and it is yet another illustration of why you must never share codes or browser URLs from dialog boxes opened via links.
Additionally, email specialist SlashNext has warned of another phishing kit built to defeat 2FA, dubbed SessionShark. This adversary-in-the-middle (AiTM) phishing kit can steal valid user session tokens to defeat two-factor authentication on Office 365 accounts.
Actionable Insights
To keep your email account secure:
- Set up a passkey and a stronger form of 2FA than SMS.
- Never share codes or browser URLs in dialog boxes opened via links.
- Be cautious of any proactive support contact from Google (or other big tech companies).
- Remember that Google will not call you to reset your password or troubleshoot account issues.
- Review your account security settings and make these changes today rather than waiting.
Conclusion
In conclusion, the warning that really matters is the importance of keeping your email account secure. By following the advice outlined above, you can protect yourself from sophisticated attacks and keep your account safe. Remember, it’s always better to be proactive and take control of your online security.