One of the most common methods for gaining access to a Google Apps account is via phishing for a user’s username and password. Phishing often occurs by tricking users into giving away their login credentials, either by responding to an email directly or by redirecting them to a webpage that looks similar to the standard Google Apps sign-in page.
Oftentimes, phishing is combined with email spoofing techniques to make the email appear to originate from a trusted source. Needless to say, if attackers are able to log in to a user’s account, they will have access to any Google Drive content owned by or shared with the compromised user account, which represents a major security breach.
Password Phishing in Google Drive: Mitigation Strategies
There are two primary methods for mitigating the risk of password phishing: enforcement of 2-step verification and user education.
Enforcement of 2-step verification for all users is the best way to prevent unauthorized access to Google for Work accounts. The 2-step verification process requires a third piece of information (in the form of a temporary access code) when attempting to sign in from an unrecognized device. The access codes can be generated in batches ahead of time, sent via SMS to the user on demand, or generated by a mobile device application.
Google Apps admins can either enable 2-step verification and allow users to adopt it organically, or enforce it as a requirement. While it is not always possible to enforce 2-step verification across an entire organization, we strongly recommend at least enforcing 2-step verification for users with access to sensitive information.
We also recommend training, which should include information about email phishing techniques and warning signs. Users should be instructed to report any suspicious emails to the IT department and not to enter confidential information after clicking a link embedded in an email. This advice is universal and applies to securing all forms of data, including email accounts, bank accounts, etc., and may already be included in existing IT security training at your organization. Lastly, the training curriculum should include thorough coverage of the merits of 2-step verification, as well as detailed information on how to enable it.
Compromised Accounts: Damage Control and Assessment
If a user’s account has been compromised, there are a number of steps an administrator can take immediately to secure the account. Using the Google Apps Admin console, the user’s Google password and sign-in cookies should be reset as soon as possible.
Additionally, connected applications (such as the Google Drive desktop app) can be viewed in the user’s profile in the Google Apps Admin console. Access to any connected applications should be revoked, which will force the user to reauthorize them with the new password. If a mobile device has been compromised, and that device is under management, its access should be revoked and an account wipe performed.
Once the account has been secured, action should be taken to ascertain the extent of the data breach. Using the “Reports” functionality in the Google Apps Admin console, administrators can view a report of account logins, including date, time, and IP address. Additionally, reports can be generated showing file preview, view, print, and download events for the specific user. Based on which documents were accessed, an accurate assessment of the extent of data loss can be formulated.
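The assessment described above can be scripted once the login and Drive reports are exported. The following is an added example, not code from the original article or from Google: the CSV column names, the sample rows, the user address, and the trusted network range are all constructed assumptions. It flags logins from addresses outside the organization's known ranges and lists the documents touched from those addresses since the first suspect login.

```python
import csv
import io
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample exports. Column names are assumptions for this example,
# not the Admin console's actual report schema.
LOGINS_CSV = """timestamp,user,ip
2016-03-01T08:02:11,alice@example.com,198.51.100.10
2016-03-02T08:05:40,alice@example.com,198.51.100.10
2016-03-03T02:14:09,alice@example.com,203.0.113.77
2016-03-03T08:01:55,alice@example.com,198.51.100.23
"""
DRIVE_CSV = """timestamp,user,ip,event,document
2016-03-02T09:10:00,alice@example.com,198.51.100.10,view,Team roadmap
2016-03-03T02:16:30,alice@example.com,203.0.113.77,download,Payroll 2016
2016-03-03T02:17:02,alice@example.com,203.0.113.77,preview,Customer list
2016-03-03T02:17:45,alice@example.com,203.0.113.77,download,Customer list
2016-03-03T08:30:00,alice@example.com,198.51.100.23,print,Team roadmap
"""
TRUSTED_NETS = [ip_network("198.51.100.0/24")]  # assumed office/VPN egress range

def load(text):
    """Parse a CSV export into dicts with datetime and ip_address values."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["ip"] = ip_address(row["ip"])
    return rows

def untrusted(row, user):
    """True when the row belongs to `user` and its IP is outside every trusted range."""
    return row["user"] == user and not any(row["ip"] in n for n in TRUSTED_NETS)

def suspicious_logins(logins, user):
    """Logins for `user` from untrusted addresses, oldest first."""
    return sorted((r for r in logins if untrusted(r, user)), key=lambda r: r["timestamp"])

def exposed_documents(logins, events, user):
    """Map document -> event types seen from untrusted IPs since the first suspect login."""
    hits = suspicious_logins(logins, user)
    exposed = {}
    for r in events:
        if hits and untrusted(r, user) and r["timestamp"] >= hits[0]["timestamp"]:
            exposed.setdefault(r["document"], set()).add(r["event"])
    return exposed

if __name__ == "__main__":
    result = exposed_documents(load(LOGINS_CSV), load(DRIVE_CSV), "alice@example.com")
    for doc, kinds in sorted(result.items()):
        print(f"{doc}: {', '.join(sorted(kinds))}")
```

Filtering by source address alone can undercount if the intruder's traffic also left through a trusted range, so treat the result as a lower bound on exposure.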