As has been widely reported, high profile users of Gmail – including US government officials, reporters and political activists – have had their email accounts hacked.
This wasn’t a sophisticated attack against Google’s systems, but rather a cleverly-crafted HTML email which pointed to a Gmail phishing page.
Victims would believe that they had been sent an attachment, click on the link, and be greeted by what appeared to be Gmail’s login screen. Before you knew it, your Gmail username and password could be in the hands of unauthorised parties.
So, what steps should you take to reduce the chances of your Gmail account being hacked?
- Set up Two step verification
- Check if your Gmail messages are being forwarded without your permission
- Where is your Gmail account being accessed from?
- Choose a unique, hard-to-crack password
- Secure your computer
- Why are you using Gmail anyway?
1. Set up Two step verification
The hackers who broke into high profile Gmail accounts grabbed usernames and passwords. So, an obvious thing to do would be to make Gmail require an extra piece of information before allowing anybody to access your account.
Google provides a facility called “two step verification” to Gmail users, which provides that extra layer of security. It requires you to be able to access your mobile phone when you sign into your email account – as they will be sending you a magic “verification” number via SMS.
The advantage of this approach – which is similar to that done by many online banks – is that even if cybercriminals manage to steal your username and password, they won’t know what your magic number is because they don’t have your phone.
Google has made two step verification easy to set up.
Once you’re set up, the next time you try to log into Gmail you’ll be asked for your magic number after entering your username and password. Your mobile phone should receive an SMS text message from Google containing your verification number.
Let’s just hope the bad guys don’t have access to your mobile phone too...
Here’s a video from Google where they explain two step verification in greater detail:
You can also learn more about two step verification on Google’s website.
By the way, note that two step verification doesn’t mean that your Gmail can’t ever be snooped on by remote hackers. They could, for instance, install spyware onto your computer which could monitor everything that appears on your screen. But it’s certainly a good additional level of security for your Gmail account, and one which will make life much more difficult for any cybercriminal who might be targeting you.
2. Check if your Gmail messages are being forwarded without your permission
Gmail gives you the ability to forward your emails to another email address. There are situations where this might be handy, of course, but it can also be used by hackers to secretly read the messages you receive.
Go into your Gmail account settings, and select the “Forwarding and POP/IMAP” tab.
If your emails are being forwarded to another address, then you will see something like the following:
That’s fine if you authorised for your emails to be forwarded to that email address, but a bad thing if you didn’t.
If your messages are not being forwarded you will see a screen more like this:
Hackers want to break into your account not just to see what email you’ve received up until their break-in. Ideally, they would like to have ongoing access to your email, even if you change your password or enable two step verification. That’s why it’s so important to check that no-one has sneakily asked for all of your email to be forwarded to them.
In a similar vein, you had best ensure that no-one has unexpectedly been authorised to read and send email from your account.
Check that no-one unexpected is listed under the “Grant access to your account” option (found under “Accounts and Import” in Gmail’s settings).
Even if you have granted permission for someone else to access your Gmail account, your security is now only as strong as that person’s account security.
3. Where is your Gmail account being accessed from?
At the bottom of each webpage on Gmail, you’ll see some small print which describes your last account activity. This is available to help you spot if someone has been accessing your account at unusual times of day (for instance, when you haven’t been using your computer) or from a different location.
Clicking on the “Details” option will take you to a webpage describing the type of access and the IP address of the computer which logged into your email account. Although some of this data may appear nerdy, it can be a helpful heads-up – especially if you spot that a computer from another country has been accessing your email.
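As an added example (not from the article), here is a small Python screen run over constructed entries shaped like the “Last account activity” list: it flags the warning signs described above (an unexpected country, an odd hour) and also step 2’s concern, an access type such as IMAP or POP that you never use. The owner profile, sample events and IP addresses (RFC 5737 test ranges) are all assumptions.

```python
"""Added example, not from the article: screen constructed Gmail-style
'Last account activity' entries for the warning signs the article describes.
Names, sample data and thresholds are assumptions made for this example."""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable


@dataclass
class AccessEvent:
    access_type: str  # column 1 on the activity page, e.g. "Browser", "Mobile", "IMAP"
    location: str     # country/region shown next to the IP address
    ip: str
    when: datetime    # local time of the access


# Constructed sample, modelled on the columns Gmail shows; RFC 5737 test addresses.
SAMPLE_EVENTS = [
    AccessEvent("Browser", "United Kingdom", "203.0.113.10", datetime(2011, 6, 2, 9, 15)),
    AccessEvent("Mobile", "United Kingdom", "203.0.113.44", datetime(2011, 6, 2, 18, 40)),
    AccessEvent("IMAP", "Country X", "198.51.100.7", datetime(2011, 6, 3, 3, 5)),
    AccessEvent("Browser", "United Kingdom", "203.0.113.10", datetime(2011, 6, 3, 8, 50)),
    AccessEvent("Browser", "United Kingdom", "203.0.113.10", datetime(2011, 6, 4, 2, 30)),
]


def flag_unusual(events: Iterable[AccessEvent], home_locations: set,
                 usual_access_types: set, active_hours=(7, 23)):
    """Return [(event, [reason, ...])] for entries outside the owner's normal pattern.

    home_locations:      countries you actually sign in from
    usual_access_types:  clients you actually use (an unexpected IMAP/POP entry
                         is worth checking against the Forwarding and POP/IMAP tab)
    active_hours:        [start, end) hours during which you normally use the account
    """
    findings = []
    for ev in events:
        reasons = []
        if ev.location not in home_locations:
            reasons.append(f"location {ev.location} is not one of yours")
        if ev.access_type not in usual_access_types:
            reasons.append(f"access type {ev.access_type} is one you do not use")
        if not active_hours[0] <= ev.when.hour < active_hours[1]:
            reasons.append(f"access at {ev.when:%H:%M} outside usual hours")
        if reasons:
            findings.append((ev, reasons))
    return findings


def demo():
    """Run the screen over the constructed sample with an assumed owner profile."""
    return flag_unusual(SAMPLE_EVENTS, {"United Kingdom"}, {"Browser", "Mobile"})


if __name__ == "__main__":
    for ev, reasons in demo():
        print(f"{ev.when:%Y-%m-%d %H:%M} {ev.access_type:8} {ev.ip:15} {ev.location}")
        for r in reasons:
            print("   -", r)
```

In the sample, the IMAP access from an unfamiliar country at 03:05 collects all three reasons, while the 02:30 browser login from home is flagged only for its hour; a real check would use whatever countries, clients and hours are normal for you.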
4. Choose a unique, hard-to-crack password
As we’ve explained before, you should never use the same username and password on multiple websites. It’s like having a skeleton key which opens every door – if they grab your password in one place they can try it in many other places.
Also, you should ensure that your password is not a dictionary word, and is complex enough that it’s hard to break with a dictionary attack.
Here’s a video which explains how to choose a strong password, which is easy to remember but still hard to crack:
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
Don’t delay, be sensible and make your passwords more secure today
And once you’ve chosen a safer password – keep it safe! That means, don’t share it with anyone else and be very careful that you’re typing it into the real Gmail login screen, not a phishing site.
5. Secure your computer
It should go without saying, but this list would be unfinished without it. You need to properly secure your computer with up-to-date anti-virus software, security patches and so forth. If you don’t, you’re risking hackers planting malicious code on your computer which could spy upon you and, of course, your email.
You always want to be certain that your computer is in a decent state of health before you log into a sensitive online account, such as your email or bank account. That’s one of the reasons why I would always be very nervous about using a computer in a cybercafe or hotel lobby. You simply don’t know what state the computer is in, and who might have been using it before.
6. Why are you using Gmail anyway?
Okay, I don’t really mean that. But I do mean, why are you storing sensitive information in your Gmail account?
The news headlines claim that senior US political and military officials were being targeted by the hackers. Surely if they had confidential or sensitive data they shouldn’t have that in their webmail account? Shouldn’t that be on secure government and military systems instead?
Always think about the data you might be putting on your web email account – because if it’s only protected by a username and password, that may actually be less security than your regular work email system provides.
A great list!
My Gmail account(s) were for personal things or stupid stuff, not anything important. Then I kept creating new Gmail accounts, the first only to capture a recovery through that one or a Yahoo account. The yoohoo account password was stolen too, and that also was personal. After 7 hours you just have to give up trying. Cross recovery of ID verification for access to personal emails is just a bust and waste of time if passwords were taken, so folks, don’t waste your time. FYI
Tips for senior citizens to prevent email hacking on a not-for-profit project: https://stop.hacking.email/
A very well written article. I am glad that you mentioned a very important but often neglected point that is number 3. “Where is your Gmail account being accessed from?”. Almost every email service provider provides this information every time you log on to your email account but users often don’t pay attention to it. In my opinion if you properly keep track of this then it make compromise detection a very easy step.
A house computer where several people have access. It does not help that I have privacy through Google. Whenever I type in gmail.com, here come all my emails.
Am I supposed to go out and buy a cell phone just so I can access Gmail?
No, you can receive it by a voice call as well. If you look at the picture at that step it does mention SMS or voice call.
In the screenshot for step one, it shows that you can set up a mobile or landline number.
My 2 step is set up but now I receive constant phone calls every ten minutes as someone is trying to access my account. It’s driving me nuts.
Hopefully it isn't the "constant phone calls" part. Change your password to something more secure (I suggest using Lastpass/Keepass to create and store the password).
I had a password storage site and IT got hacked. This whole cyber thing is nuts and now half my mail isn’t getting through (on another server). Switching to Gmail has been a nightmare. I’ve been on the other server for about 15 years. That’s a lot to switch. Any help?
Re 6 – you might not mean it but it was my first response when I heard the non-news item. If they're witless enough to put sensitive information in a google email account and then fall for phishing email then they probably shouldn't be in office, and certainly shouldn't be in office and allowed to use anything more complicated than a calculator.
Great, thank you. Re #6 – yes, exactly what I thought when I first read about this. Surely anyone who has sensitive information would also have an account with their employer or client? And any organisation which does not require employees or contractors to handle sensitive information only through its own system, and doesn't employ a red-hot IT team to help protect the integrity of that system, needs its corporate head examined. I'm a uni lecturer, and it's university policy that students only use their uni email accounts for official communications, and we return any students' emails that aren't and tell them to resend. This isn't technology, this is having procedures and following them. If first-year undergrads can do it …
Anyone describing themselves as "a 'uni' lecturer" shouldn't be employed by a university. At least, not any proper university.
Most universities don't employ "red-hot IT teams". They don't pay enough and are too "head-in-the-clouds" to be bothered. "Red-hot" (presumably this is intended to mean competent, in university terms) IT people work in the private sector where the expertise, expectation, salary and potential for substantial technical challenges are much higher.
(N.B. I'm not referring to academics who specialise in security, but to the usual, run-of-the-mill IT departments, in university-like organisations, who do not work in the same realm as people who really understand security).
Given the above, there are plenty of reasons to use systems provided by commercial organisations with *real* IT expertise in preference to the in-house set-ups, which wouldn't even metaphorically register at the low end of the metaphorical radar that large, commercial enterprises inhabit.
‘Uni’ is a long standing and accepted term in much of the native English speaking world, including in the place where the English language developed.
You need to take an anti-pomposity pill and then another that clears the head enough to realise there is a big wide world out there that doesn’t always agree with you.
Do I trust Google with my mobile phone number? Hmmm….
Great article, Graham! Very helpful. I also shared it with my friends on Facebook and Twitter.
I have now implemented 2-step verification, which I didn’t even know existed. My forwarding was not fiddled with. My password is pretty decent. I saw no suspicious access activity on my account. I run Ubuntu Linux, which helps with the malware issue. Happy camper 🙂 Thanks for writing this!
Running Linux +5.
Giving Google more personal information to use for its own ends -20.
We use GMail for Business. It's a great solution for a non-profit where paid staff are often roaming the world and using different machines to access mail and schedules.
So there's sometimes very good reason to use GMail or similar.
Which leads me to say great post. I shall be forwarding it on to colleagues…and making my next step, 'Configure this Domain' to switch on 2-step for all accounts!
Trevor
Thanks for sharing! It's very important information.
Is this only a Gmail problem?? I am not giving my cell phone number to anyone outside my family except one or two very close friends. Cell numbers are constantly misused and sold to third parties. I don't trust ANYBODY! If this is a problem on Gmail only I think it's time to get another e-mail address, especially because I constantly get error messages lately and Gmail is very slow lately.
Would have been more helpful if you had EXPLICITLY described how to get to account settings!!! Who could believe that account settings is behind a gear!!!!!!!!!!!!!!!
You tech guys assume TOO MUCH knowledge.
Most computer pages and instructions are NIGHTMARES!!!!!!!!!!
A simple solution – Just stop using computers 😉
I agree!!!!!!!!!!!!!
Y Mail and Gmail are great tools for travelers and they would be really difficult to replace. I have been on Y for 13 years and G since it started. Between the 2, you are secure if you use caution, and adding the cell really adds security if you use it. I keep years of mail so I have it wherever I am.
My email is constantly being logged on from America (I am in Australia).
Who should I contact to stop this from happening?
I keep changing my password but every few weeks it keeps happening.
Thanks for your help,
Neha
Thank you very much for this article. I found it educational and helpful. Now I don't think I have been hacked I think someone maybe just used my e-mail address when signing up for a site.
My Gmail got hacked and they deleted about 2 months’ worth of mail. How do I notify Gmail so they can give me a backup copy? Thanks
Yes, I accept it. Thanks for the good suggestions. It will help us with username and password security.
Was in China. Never knew such a corrupted place. Computers and e-mail are all hacked. Passwords are all stolen. Property stolen. You are in more trouble if you go to the police to complain. Now back in the US, but do not know how to clean up all the damage they have created. I am changing passwords, running Norton for spyware. What else can I do?
OK, I now have two-step verification set up. Now when I try to access my Gmail account I get a message that the server refuses to allow me to access my mail and gives me a popup with my login name and password already filled in. There is no place to enter the "Magic" number provided at the beginning of this fiasco! Now what?
I've had similar problems elsewhere with no phone number to call for help.
Changing passwords is a joke. Do you know how many free-download programs there are to decipher those ***** in your password?
Isn't it time all the sites giving 'changing passwords' as a solution got their act together?
I'm being cyber stalked as well as hacked, so my friend HJK will be along soon to read this.
Great information... thanks
I want to know: while working on networked computers, somebody is accessing my Gmail account. I work on Linux. Can you help me out to stop this kind of sharing of my Gmail or any other account with somebody else while working on networked systems?
I just freaking keeeeeeep changing my passwords twice or thrice a week. But still my parents know what I am up to. I am not a dork, but yet I do not know how my activities are getting leaked to ma mum. So yeah, can you PULEEEEZ advise???
From facebook which I am NOT on – I am receiving vulgar msg's and pictures. Who can this be reported to? I want it stopped.
Get a YubiKey from yubico.com and secure your Gmail with an OTP (One Time Password), similar to the feature used by your phone.
My two Gmail accounts were hacked twice, even with the stupid verification process. I quit Gmail! It’s not safe at all.
I agree, I just got hacked 5 mins ago!!!!
Under #3, it says:
"At the bottom of each webpage on Gmail, you'll see some small print which describes your last account activity."
What does "each webpage on Gmail" mean? If I go to gmail.com I am redirected to mail.google.com, and I cannot find any page there with this info.
Please explain.
Best regards,
Zot
Scroll down to the bottom of the page showing your list of messages. You should see a link there.
The feature is described in greater detail here: http://support.google.com/mail/bin/answer.py?hl=e…
I use Gmail only on an Android phone and there is no area to select to use a password to log on. The Gmail is always open and I have had delays of three days before I get the Gmail. I know the account security has been compromised but I think there should be an avenue to keep the Gmail locked and then log on when new mail is received.
A version of the secret email is to create a (Gmail, or any other) with the longest randomly generated name permitted – i.e. ernwr24o4tgi94jnbrgn44m4aqaaz98n@gmail, with as strong a password as you feel is necessary; then, only use it for contacting your major banks, brokers etc. This is likely immune to spoofing, which guesses emails via other sources. It has no semblance to names, etc. that can be guessed, and if you don’t link it to other addresses it should be solid. Still, the 2-step process would make it better anyway.
Help me, I’m only 13 and my Gmail account was hacked by my best mate!! (he knows my username and password because he set it up for me) It happened like five minutes ago!!!! Tomoz at school I’m gonna confront him!!!!!! I really dunno what to do. The dodgy thing is he said to me that he can hack Facebook and iTunes!!!!! HEEEEEEEEEEEEELLLLLLLLLLLLLLLLLLLLPPPPPPPPPPPPPPPPPPPPPP MMMMMMMMMMMMMMMMMMMMMMMMMEEEEEEEEEEEEEEEEEEEEEEEEEE!!!!!! PLZ
My 2 teenagers use gmail and they’ve received notices that someone outside of the US is trying to log in to their account. They’ve changed their password each time, but there has to be a better solution. They don’t have a work email account, so that’s not an option. I’ve made sure their iphones and Macs are secure, but they use ipads all day at school and the security settings are the factory defaults. Since it started at the beginning of the school year, could the problem be with the school? Their email is connected to their NetClassroom account and they get lots of push notifications from IT and teachers to install apps. The school says the wi-fi access is limited to approved school sites, but the kids have figured a way around it. Suggestions anyone?
Solid article and entertaining chain. My gmail was recently hacked. I was astounded.
Why does my introduction page for gmail come up twice? Is someone following what I’m doing on my computer or what? Really, really, creepy!
About #3, I used to be blocked when I used my phone to sign in to my Gmail; they said my account was signed in in Africa when I’m in the US, so I think it may be mistaken sometimes.
Before changing your password, you should sign out all other sessions in case someone has remembered the login in their web browser.
Thank you for the list.
And I think we shouldn’t use the same email address to sign up for every account; a different email address with a different password is better.
I’ve been hacked a few times in the past few days. I set up an account, left no recovery number and no recovery email, and it still got hit. I set up 2 step verification and they texted me the same code Google sent me. What do I do?
Hi,
I know this is an old article, however it is still available online and probably many people are visiting this page to get advice on this subject.
While many tips posted here are still valuable and nowadays it is common sense to adhere to them, I will have to disagree with number 6, where the author is saying: “that (gmail or similar) may actually be less security than your regular work email system provides.”…
Regular work email is quite often hosted on a company’s own email server, which will never have the level of care and security implemented that matches the level of care and attention that is dedicated by a platform like Gmail.
Unless you are a computer geek or some security “freak” who has the deep knowledge, skills and means to create a “super duper” secure mail server, you are more vulnerable to being hacked on a company server than on Gmail.
These days a platform like Gmail has additional multilevel solutions implemented that help to defend the platform from being hacked. This is something an average company will never have, and not to the level that a company like Google can.
You do not hear of Google being hacked… you may often hear that someone’s email was “hacked”, but this is happening not because the Gmail platform is less secure. This is happening because the weakest link in security is always the user: a user who is using a weak password, or is using an unsecured public network to access their account, or using public computers to sign in to their email accounts, etc.
If you know the password to the email account, no matter how secure and sophisticated the platform is, you or the attacker will gain access to it… and that is the bottom line… therefore keep your password safe, and do not use public WiFi or computers to access your personal or work email account. Educate yourself regarding the good practice that should be applied when using and working with computers and the services they offer.
Being aware of how things work and of the risks that are imposed, and how to avoid them, seems like a good way of staying out of trouble and not being hacked.