If you use Gmail for your emails, listen up! Google has confirmed that fraudulent attacks against these popular email accounts have spiked.
Worse still, hackers are now enjoying a 37% rate of successful intrusions — that's higher than last year. Yikes.
That increased success comes from hackers being able to steal passwords and break into accounts, and they're able to do this easily with the use of infostealer malware. This is a form of malicious software that's created to sneak through computer systems and steal sensitive information like login details, financial information, and more.
So, how are they using it to hack into your email?
This malware hides in plain sight with the use of phishing, which is when hackers deceive you into revealing personal information like usernames, passwords, and credit card details. For example, a fraudster may send an email disguised to appear as if it's coming from a big company like Google.
In the email, it may say your account is locked and demand information such as your username and password to "unlock" it, when in reality, they're attempting to take this information and break into your account.
That's not all, though.
Google has also revealed that there's been a massive rise in cookie and authentication token theft. This is where attackers steal data from your internet browsing session to gain unauthorised access to your accounts, and it can also be achieved through the use of infostealer malware.
If you're wondering why Gmail is being targeted, it could be due to its widespread popularity. Gmail has 1.8 billion users worldwide, making it the world's largest email service.To protect yourself, Google is urging you to upgrade the security on your accounts by using three of its security features.
Passkeys are a passwordless sign-in method for users
|GOOGLE PRESS OFFICE
The first is passkeys, which are a passwordless sign-in method for users.
Unlike passwords that can be forgotten or stolen, passkeys are digital credentials that can only be unlocked with your fingerprint, face scan, or a unique PIN and are tied to your device. These are more resistant to phishing and can be easily applied, saving you time between logins.
Google also advises users to secure their accounts even after they've logged in with the use of Device Bound Session Credentials (DBSC). This is available in your Chrome or Windows browser and prevents cookie and authentication token theft. To activate, you'll need to enable it in your Google Workspace, which is Google’s suite of cloud-based productivity and collaboration tools — like Gmail, Drive, Docs, Sheets, and Meet.
- Sign in to the Google Admin console using your admin account
- Navigate to: Security → Access and Data Control → Google Session Control
- Locate the Device Bound Session Credentials (DBSC) setting and select Enable
- Click Save
DBSC is new for Google and is currently in public beta mode, which means it's actively being tested and updated while available to the public. It could undergo additional updates as time moves forward.
LATEST DEVELOPMENTS
The final feature to implement is a Shared Signals Framework (SSF), which is designed to enable platforms to exchange crucial security signals in near real-time.
Google is in the process of implementing an SSF Receiver to ingest CAEP signals (status changes), allowing it to respond promptly if the detected changes are found to be security threats.
By adopting SSF, organisations like Google can enhance their ability to detect, respond to, and mitigate security threats, leading to a more secure digital environment. As a user, there is nothing you need to do yet, while this third security feature is still being integrated into Google's system.
More From GB News