Gmail accounts often contain vital, sensitive information including confidential documents and personal photos. They also often serve as a way to recover passwords for accounts like your banking login. That’s why email accounts are a common target for cybercriminals. Access to your Gmail account could be used to steal your money or your identity.
You can secure your Gmail account against common cyber attacks by enabling optional security measures like two-factor authentication, setting a strong password and more. Read on to learn how to reduce the risk to your Gmail account.
1. Set a Unique, Strong Password
A unique, strong password is your first defense against cyber attacks on your Gmail account. A strong password is at least 16 characters long with a mix of upper and lowercase letters, numbers and symbols. It should not use dictionary words or personal data like your birthday.
Each of your accounts should have a unique, strong password. This is because of an attack called credential stuffing in which a cybercriminal uses a compromised password to attempt to log in to other accounts the same user has. This often works because reusing passwords is common.
When you have chosen a strong password for your account, visit your Google account settings. Under “Security,” you will find a section called “How you sign in to Google.” There, click “Password” to reset your password to a stronger one.
Use a Password Manager
It can be hard to remember the passwords for all your accounts if you’re using long and unique passwords for each of them. We recommend using a password manager to make it easy. A password manager is a tool to streamline the login process and increase security by generating, securely storing and autofilling strong passwords for each of your accounts. When using a password manager, you will only have to remember one password – your master password.
2. Enable Multi-Factor Authentication (MFA) on Your Gmail Account
MFA means adding one or more methods of identity verification to your account in addition to your password. This protects your account because if a cybercriminal does get access to your password, they won’t be able to log in without the second method of verification. Google offers several MFA options for your Gmail account:
| MFA method | How to use it | How to enable it |
|---|---|---|
| Google prompts | This method uses the Google apps you already have to provide MFA. You can use it if you are logged into your Google account on your device. When you try to log in, Google will prompt you to verify your login attempt by clicking a notification on your phone. | Sign in to the Google account associated with your Gmail on your Android phone. Or, on your iPhone, download a Google app (such as Gmail) and log in. Then, go to the security settings on your account and select “Google Prompts” under “2-Step Verification”. |
| Security keys | A hardware security key is a physical device that can authenticate you. You either plug it into your device or tap it. | Buy a security key that is compatible with your devices and with Google. Under your Google account security settings, select “Security Keys” under “How you sign in to Google.” Follow the prompts to set up your key. |
| TOTP codes | Temporary 6-digit codes are called Time-Based One-Time Passwords (TOTP) that you will enter when you log in to your account. Google has its own app called Google Authenticator, which you can use with your Gmail account. You can also integrate the codes with your password manager if it has TOTP code integration. | Under your Google account security settings, scroll to “How you sign in to Google” and select “Authenticator.” Follow the prompts to set up the TOTP code in either your password manager or in an authenticator app on your phone. |
| Backup codes | These are codes that you can use as a backup in case the other verification methods are unavailable to you (for example, if you lose your phone). If you’ve enabled this feature, you can ask to use a backup code during the login process. Each code can only be used one time. | In order to use backup codes, you have to download them from your Gmail account. You can find them in your security settings under “How you sign in to Google.” It’s necessary to store them in a secure place. A password manager can store your backup codes for you. |
| Phone number | You can use your phone number as a second method of authentication on your account. Google will send a code to your phone via voice or text. Then you enter the code to log in to your account. This method is less secure than other methods because of SIM swapping, in which a cybercriminal uses social engineering techniques to switch your phone number to a different SIM card and intercept your text messages and calls. However, it’s better than using no MFA at all. | In your Google account security settings, scroll to “How you sign in to Google” and select “Set recovery phone number.” Follow the prompts to set it up. |
3. Update Your Software
When companies, including Google, release software updates, these updates often include patches that fix known security vulnerabilities. When updates come out for Gmail or any of your other Google applications, be sure to download the update right away so you remain protected.
4. Turn Off Third-Party Access to Data
Companies, including Google, have been working on giving users more control over third-party access to our data. While the integration of third-party applications with Google is extremely useful, it does increase vulnerability because a cybercriminal might be able to access your Google data through that application.
You can view all third-party applications that have access to your data through Google. Go to your security settings in your accounts and scroll down to “Your connections to third-party apps & services.” Here, you can view and manage your connections.
We recommend deleting any connections that you aren’t actively using – those can make your account more vulnerable.
You can also view any connected devices under “Your devices.” We recommend reviewing this on a regular basis and deleting any devices you don’t recognize.
5. Watch Out for Phishing
Phishing is a cyber attack in which a bad actor sends a victim a message pretending to be someone else in order to trick the victim into sharing sensitive information. For example, a cybercriminal could send you an email pretending to be your bank and request your login information. Often, phishing attacks include some sense of urgency – such as “your bank account will be locked if you don’t verify your login information” – in order to make the victim panic and act without thinking.
Phishing attacks are very common on Gmail. While Google does scan all your messages for malware, sometimes cyber attacks still get through. In order to prevent phishing, it’s important to verify who is contacting you. For example, your bank will share what email address they would use for official communications on their website. You can also call your bank using the official number listed on their website in order to verify they sent the message.
If you receive a phishing email on your Gmail account, it’s important to report it to help Google prevent more attacks. To report an email as a phishing attempt, open the message and click the three dots on the far right of the action icons. Then, click “report phishing.”
6. Set Recovery Accounts
A recovery account will help you regain access to your Gmail account in the event that you have been locked out – either because you forgot your password or because your account has been hacked.
You can set a recovery email address and phone number in your Google account settings. Go to “Security” and scroll to “How you sign in to Google.”
Securing Your Gmail Is Vital
You should take the above steps in order to secure your Gmail account from cybercriminals. This can help prevent identity theft and other consequences which can result in stress, loss of time and a negative financial impact.
The most important of these steps is to create a unique, secure password. In order to set a secure password today that you don’t even have to remember, start a free 30-day trial of Keeper Password Manager. Keeper makes it easy to secure all your online accounts.
