While Google is working hard to keep Google Workspace users away from the threat of phishing, there are also some things you (or your account administrator) can do. This way, with a strong internal defense and the help you get from Google specialists, attackers won’t stand a chance against your business! Phishing is the attempt to obtain sensitive information such as email addresses, usernames, passwords, credit card details and others , often for malicious reasons, by disguising as a trustworthy source. We see most of these delivered by email, many times by a trustworthy sender as their account has been compromised and the trap email sent to you from them. Read more about how Phishing in Google Workspace works here

#1: 2-step Verification

Also known as 2SV by specialists, this is the best way of preventing unwanted access to accounts even when the password was compromised. Google Workspace offers this setting and you only have to enforce it by asking users a second form of identification (phone or email verification, mobile app notifications) Google Workspace also supports hardware authenticators such as USB key authentication. By using special security keys, you reduce the risk posed by stolen credentials. The key only works with authorized sites and can be managed and monitored from the Admin console.

     #2: Password Alert

Password Alert is a Chrome extension that checks pages for fake Google sign-in pages. When such a page is found, the admin is notified if the user entered their credentials.

 The extension can be deployed by the admin from the Google Admin Console on all your devices. For this, you should follow this path: Device management > App Management > Password Alert (make sure to check “Force installation” under both “User Settings” and “Public session settings.”) Even better, an account administrator has the possibility to enforce a password change policy when such an event is registered. You can also send email alerts.

#3: Trusted Apps

Google Workspace implements a feature called OAuth apps whitelisting that allows admins to specify the apps that can ask for your user’s credentials. This prevents malicious apps from infiltrating your security system by taking advantage of employees’ negligence.

#4: Disable POP and IMAP where it’s not needed

Gmail clients are considered secure on all mobile platforms because they use Google Safe Browsing and support anti-phishing security measures. This way, any link or attachment considered suspicious is disabled before it reaches the user. By disabling POP and IMAP on devices that don’t require them, admins make sure users won’t be using other email clients. These services can be disabled at an organizational level, but keep in mind that all third party email clients (besides Gmail) will stop working.

#5: External Reply Warnings

Gmail clients are set to warn Google Workspace users on emails that look suspicious. These are usually new email interactions, emails that are not connected with their domain, or email addresses that they don’t usually interact with.

To set such a warning, you should visit the Advanced Gmail setting in the Admin Console. While the warning is the only setting your admin can enforce, you can educate your employees to pay attention to the warning message. By avoiding forged or malicious emails, you protect your business and your data.

#6: Publish a DMARC policy for your company

Such a policy will strengthen your domain reputation and will help avoid damage from phishing attacks. By turning on DKIM email signing, you basically make sure that emails that come from your domain are actually from you. Your business partners can trust your links and attachment completely.

#7: Android Work Profiles

By enforcing work profiles on your employees’ devices, you separate the apps used for work from the ones used for personal activities. This also means that you separate the company data from the personal data on each mobile device affiliated with your organization. You can also block installation of certain apps on the work profile to protect malicious software from accessing confidential information.