No matter how strong the technology policies you have in place, your system is only as secure as its weakest link. With more and more information linked to our email addresses, it is no surprise that email has become a prime target for thieves: it is a one-stop location for everything about a person. In many regards, email has become a single point of failure for an institution's security. If a malicious user obtains access to an email account, they can read all the data in the mailbox, get into connected accounts via tokens or password resets, and send convincing emails to other people.
Google has made significant improvements in an administrator's ability to train users and protect them from sources that appear to be trusted but are, in reality, elaborate phishing attempts designed to trick users into compromising their accounts. Within the Safety section of Gmail's settings, administrators can display a banner when a potentially malicious message arrives in a user's inbox.
- Go to Apps > Google Workspace > Settings for Gmail > Safety.
- Scroll to the Spoofing and authentication section.
- Click on Protect against spoofing of employee names.
- Select the Protect against spoofing of employee names checkbox.
- By default, the action is Keep email in inbox and show warning. Change this to Move email to spam or Quarantine if necessary.
- When selecting Quarantine, choose a quarantine from the drop-down.
Additionally, there are options to protect against attachments and scripts from unknown senders, identify links hidden behind shortened URLs, and scan images for possible hidden content. Together, these settings are a first line of defense against users unknowingly granting access to their managed Google Workspace account.
But configured settings are only that: a first line of defense. Teaching users to recognize the signs of malicious messages is another, and potentially more effective, defense against these would-be thieves. By training users on what to look for, we protect both their managed and personal accounts and give them the tools to better educate students on the dangers of the internet. With this in mind, Google has created a Phishing Test to see how well users can identify malicious messages and to teach them in the areas where they fall short.
Another vulnerability users are susceptible to is reusing passwords on other sites. The password for a managed account should never be used on any other site, especially one where the Google Workspace email address was given as the point of contact. When you hear that a batch of passwords was exposed in a hack, it was not due to a vulnerability on Google's site but on one of these third-party sites. Google never stores or transmits your password in clear text.
Aside from encouraging users not to reuse their passwords, Google has developed a Chrome extension, Password Alert, that prompts users to change their password if it detects that they have entered their Google Workspace password on a page outside of Google's login pages. In addition to the extension, an App Engine server can be configured to track offenses. Configuring and deploying the Password Alert server helps mitigate exposure that results from human nature and helps admins identify individuals who may need additional training.
Remember, secure passwords and two-factor authentication (2FA) are powerful tools in our arsenal. They give you the control to prevent unauthorized access to your accounts.
We're here to help
If you need help with securing email, we have a support stack for that. With the Gmail Security support stack, learn how to control who students can send emails to and receive emails from (internally and externally) using a Walled Garden approach, and maintain safe and effective communication by regulating the content within those emails.
If you currently have hours on a support subscription, you are one step closer to Support Stacks, and you can connect with the support team by emailing support@amplifiedit.cdw.com. To purchase a support contract, please complete this form, and an account manager will contact you.
See also, Preventing student-to-student emails
| Document Version | Date | Description of Change |
| --- | --- | --- |
| 1.0 | 3/18/2024 | Update Support link page away from AIT legacy site |
| 1.1 | 7/9/2024 | Rewrote text, updated image, reverified. |
| 1.2 | 7/31/2024 | Updated email address |
| 1.3 | 8/16/2024 | Added content block |
| 1.4 | 11/5/2024 | reverified to reset calendar - too many to verify in summer |