7 ways to protect your G-Suite accounts from Phishing attacks


Published May 17, 2018. Posted by Justinas Danis


Phishing against G Suite accounts is a common cyber threat. As an administrator, you don't want your data ending up in the hands of unscrupulous parties you know nothing about. An online phishing scam sends links to users and redirects them to unauthorized sites, where they are tricked into sharing their personal information or credentials.

Google protects G Suite accounts from phishing in numerous ways, from machine learning to customized detection algorithms that strengthen defenses against previously unseen attacks. Google blocks malicious external messages as they arrive, and continues to offer tailored features that empower IT professionals to build the strongest internal defenses they can.

Here are seven Google-recommended measures you can apply in G Suite to protect your data.

2 Step verification:

It's a great way to prevent hackers from getting into a G Suite account even if they obtain the password. The admin can enable 2-Step Verification, which asks the user to provide additional proof of identity when they sign in. This may be a code sent to a phone number or delivered by voice call. G Suite also supports security key authentication. Using security keys makes sign-in stronger and reduces the chance of credential theft, since the keys only work with legitimate sites. These user-managed security keys can be managed, controlled and monitored from within the admin console.

Password alert:

The Password Alert Chrome extension checks each page that users visit to detect pages imitating the Google sign-in form. The admin is notified whenever G Suite credentials are entered anywhere other than a genuine Google sign-in page. Admins can enable the Password Alert Chrome extension under this path: Device management > App Management > Password Alert (be sure to check "Force installation" under both "User Settings" and "Public session settings").

For faster and more detailed notifications, admins can enable password alert auditing. The notifications are sent as email or SMS and recommend a password change whenever G Suite credentials are entered on a non-trusted website.

Allow access to trusted apps:

G Suite offers a feature called OAuth apps whitelisting, which lets admins specify which third-party apps may access G Suite data. With this feature, users can grant access only to whitelisted apps, which prevents them from accidentally granting access to non-trusted apps. Apps can be whitelisted from within the admin console under G Suite API Permissions.

DMARC policy for your organization:

Organizations often suffer reputational damage when phishing attacks spoof their domain. G Suite supports DMARC, a policy published in DNS that lets domain owners tell Gmail and other email providers how to handle messages that claim to come from the domain but fail SPF or DKIM authentication.

Disable IMAP and POP where they're not needed:

The Gmail clients for Android, iOS and the web use Safe Browsing for anti-phishing protection: suspicious third-party links and attachments are checked and disabled, and a warning is displayed to keep users from clicking the link. Third-party mail clients connected over IMAP or POP bypass these checks, so admins can disable IMAP and POP to ensure that G Suite users only read mail through clients with this built-in anti-phishing protection.

Pay extra attention to the external reply warnings:

Gmail clients are designed to warn G Suite users when they reply to an email from an unknown external domain. This helps organizations spot fraudulent emails from malicious impersonators. Users can avoid many phishing tricks simply by paying extra attention to these external reply warnings.

Separating work profile apps:

By separating work profile apps from the ones used for personal reasons, you strengthen your anti-phishing defenses and keep your organization's data secured. In addition, you can use app whitelisting to block unwanted apps from accessing that data.