Phishing is an online scam in which attackers send emails to trick individuals into sharing personal and sensitive information. The email may arrive with a link to view a Google Doc, or to visit a site that imitates a company's website, where you are asked to fill in your information.
Google this week identified seven measures that administrators can take to protect G Suite accounts from phishing campaigns.
Here are seven recommended ways IT administrators can better protect their employees' G Suite accounts against phishing.
- 2-step verification
In G Suite, admins have the ability to enforce 2-step verification. This limits the risk of successful phishing attacks by asking employees for additional proof of identity through phone prompts, voice calls, mobile app notifications and more. Admins can also choose to enforce the use of security keys to help reduce the risk of stolen credentials being used to compromise an account.
- Deploy Password Alert extension for Chrome
Admins can also enable the Password Alert Chrome extension. It checks each page that users visit to see whether that page is impersonating Google's sign-in page, and notifies admins if users enter their G Suite credentials anywhere other than the Google sign-in page.
This feature can be enabled from the Google Admin Console (Device management > App Management > Password Alert); just sign in and get started. You should check "Force installation" under both "User Settings" and "Public session settings."
- Allow only trusted apps to access your data with OAuth apps whitelisting
The OAuth apps whitelisting feature can be used to specify which apps can access your users’ G Suite data. This prevents phishing and malicious apps from tricking users into accidentally granting unauthorized access.
- Publish a DMARC policy for your organization
To guard against phishing attacks and impersonators, G Suite follows the DMARC standard. This lets domain owners decide how Gmail and other participating email providers handle unauthenticated emails that appear to come from your domain. By defining a policy and turning on DKIM email signing, you can ensure that emails that claim to be from your organization are actually from you.
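As an added illustration (not code from the original article or from Google), the following Python parses a DMARC TXT record and works out the disposition a receiver would apply to a message, given its SPF and DKIM results and whether the authenticated domain aligns with the visible From: domain. The alignment check uses a simplified "last two labels" organizational-domain rule (a real receiver consults the Public Suffix List), and the record and messages are constructed for the example.

```python
# Added example: evaluate a DMARC policy against a message's SPF/DKIM results.
# Assumptions: 'record' is the TXT at _dmarc.<policy_domain>; pct= and report
# tags are ignored; organizational domain = last two DNS labels (simplification).

def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; ...' into a dict, filling in DMARC defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p=
    return tags

def org_domain(domain):
    # Simplification: real receivers use the Public Suffix List here.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, policy_domain, from_domain, dkim=None, spf=None):
    """dkim/spf are (result, domain) tuples as an Authentication-Results header
    would report them. Returns 'pass' or the policy action to apply."""
    tags = parse_dmarc(record)
    dkim_ok = bool(dkim) and dkim[0] == "pass" and aligned(from_domain, dkim[1], tags["adkim"])
    spf_ok = bool(spf) and spf[0] == "pass" and aligned(from_domain, spf[1], tags["aspf"])
    if dkim_ok or spf_ok:
        return "pass"           # at least one aligned, passing identifier
    if from_domain.lower() != policy_domain.lower():
        return tags["sp"]       # From: is a subdomain of the policy domain
    return tags["p"]

# Constructed record: reject forged mail, quarantine unauthenticated subdomain mail.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # A lookalike message: SPF passes for the attacker's own domain, so it is unaligned.
    print(dmarc_disposition(RECORD, "example.com", "example.com", spf=("pass", "attacker.net")))
    # A legitimately DKIM-signed message from the organization.
    print(dmarc_disposition(RECORD, "example.com", "example.com", dkim=("pass", "example.com")))
```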
- Disable POP and IMAP access for those who don’t need it
The Gmail clients (Android, iOS, Web) leverage Google Safe Browsing to incorporate anti-phishing security measures such as disabling suspicious links and attachments and displaying warnings to users to deter them from clicking on suspicious links.
By disabling POP and IMAP, admins can ensure that G Suite users only use the Gmail clients and benefit from the built-in phishing protections they provide. POP and IMAP access can be disabled by admins at the organizational unit level.
- Encourage your team to pay attention to external reply warnings
By default, Gmail clients (Android, Web) warn G Suite users if they're responding to emails sent from outside their domain by someone they don't regularly interact with, or by someone not in their contacts. This helps businesses protect against forged emails from malicious actors, as well as against plain old user error such as sending an email to the wrong contact. Educate your employees to look for these warnings and to be careful before responding to unrecognized senders. The unintended external reply warning is controlled in the Admin console under the "Advanced Gmail" setting.
- Enforce the use of Android work profile
Work profiles allow you to separate your organization’s apps from personal apps. By using integrated device management within G Suite to enforce the use of work profiles, you can whitelist applications that access corporate data and block installation of apps from unknown sources. You now have complete control over which apps have access to your corporate data.
These security steps can help you become more resistant to phishing attacks. Learn more at gsuite.google.com/security