How to block hijacking attacks on your Google account

Bot and phishing attacks can compromise your G Suite account, but there is an easy way to block the majority of these attempts, according to Google.

What attackers want when they hack email accounts
Mark Risher, Google's director of product management for identity and account security, explains what hackers are looking for and how Google is ramping up account security.

Adding a recovery phone number to your Google account can block the majority of account hijacking attempts, according to two recent research papers from Google, New York University, and the University of California, San Diego.

Taking this simple step with your Google account blocked up to 100% of automated bot attacks, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during the research, Google found.


The papers examined 350,000 hijacking attempts on 1.2 million Google account users.

The recovery phone number is key for preventing account hijacking because it fits into Google's security layer, a Google blog post noted. If Google detects a suspicious sign-in attempt—such as one from a new location or device—it will ask the user for additional proof of identity. If the user has signed into their phone or set up a recovery phone number, Google can use the phone for two-factor authentication.

Sending out an SMS code to the recovery phone number blocked 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks. Meanwhile, using on-device prompts helped prevent 100% of bots, 99% of phishing, and 90% of targeted attacks, Google found.

Without a recovery phone number set up, Google uses weaker knowledge-based questions to identify a user, such as your last sign-in location. While this is effective for preventing bot attacks, it is less so for preventing phishing and targeted attacks, as protection rates can drop to just 10%, Google found. This is because these attackers can trick users into revealing identifying information Google asks for, the post noted.
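The step-up flow described above, as an added example that is not Google's code: a minimal risk-based policy that treats a sign-in from an unseen device or location as suspicious and issues the strongest challenge the account supports, in the order the research ranks them (on-device prompt, then SMS code to the recovery phone, then a knowledge-based question). The account fields, challenge names and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class Account:
    known_devices: Set[str] = field(default_factory=set)
    known_locations: Set[str] = field(default_factory=set)
    signed_in_phone: bool = False            # phone with this account signed in (prompt possible)
    recovery_phone: Optional[str] = None     # assumed field: recovery number, if the user added one

@dataclass
class SignIn:
    device_id: str
    location: str
    password_ok: bool

def is_suspicious(account: Account, attempt: SignIn) -> bool:
    """A correct password from a device or location never seen before triggers step-up."""
    return (attempt.device_id not in account.known_devices
            or attempt.location not in account.known_locations)

def choose_challenge(account: Account, attempt: SignIn) -> Optional[str]:
    """Return the challenge to issue, or None when the sign-in looks familiar.
    Strongest available factor first; knowledge questions are the weakest fallback."""
    if not attempt.password_ok:
        return "reject"
    if not is_suspicious(account, attempt):
        return None
    if account.signed_in_phone:
        return "device_prompt"
    if account.recovery_phone:
        return "sms_code"
    return "knowledge_question"   # e.g. "where did you last sign in?"

def evaluate_samples() -> dict:
    """Run constructed sign-ins against three accounts with different recovery setups."""
    familiar = SignIn("laptop-1", "home", password_ok=True)
    new_dev = SignIn("unknown-pc", "home", password_ok=True)   # phished password, new device
    bad_pw = SignIn("unknown-pc", "abroad", password_ok=False)  # bot guessing passwords
    no_recovery = Account({"laptop-1"}, {"home"})
    with_sms = Account({"laptop-1"}, {"home"}, recovery_phone="+1-555-0100 (constructed)")
    with_phone = Account({"laptop-1"}, {"home"}, signed_in_phone=True, recovery_phone="+1-555-0100")
    return {
        "familiar": choose_challenge(with_sms, familiar),
        "bot": choose_challenge(no_recovery, bad_pw),
        "no_recovery": choose_challenge(no_recovery, new_dev),
        "with_sms": choose_challenge(with_sms, new_dev),
        "with_phone": choose_challenge(with_phone, new_dev),
    }
```

Only the account without any recovery phone falls through to the knowledge-based question, which is the path the research found attackers can talk victims through.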

How to set up a recovery phone number for your Google account

Google does not require users to set up a recovery phone number, due to the added friction it can present for users. However, the security benefits of doing so are clear, according to the post.

Here's how to set up a recovery phone number for your Google account, according to Google:

1. Go to your Google Account.

2. On the left navigation panel, click Personal info.

3. On the Contact info section, click Add a recovery phone to help keep your account secure.

4. From here, you can:

  • Add a recovery phone.
  • Change your recovery phone: Next to your number, select Edit.
  • Delete your recovery phone: Next to your number, select Delete.

5. Follow the steps on the screen.



Image: iStockphoto/kentoh

By Alison DeNisco Rayome

Alison DeNisco Rayome is a Senior Editor for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.