We have seen an alarming increase in the number of Google accounts compromised in the last 6 months. Often, if Google detects suspicious behavior, they will email us to let us know that they have suspended an account that they believe is compromised. Once your account is suspended, you will no longer be able to send or receive new email. If this happens, you should hear from us shortly after we receive the notification from Google and investigate.
But sometimes Google’s algorithms do not detect the suspicious behavior, so here are 3 ways that you can keep an eye on your account. One quick note: it is always best to use Gmail within the web browser, and to check the areas below it’s almost essential to use Gmail within a laptop/desktop web browser.
1. Check for sent messages – even in the trash
One of the most common reasons for hacking an email account is to send phishing attempts from that email address. So if someone has managed to access your account, there are usually emails bcc’ed to a wide distribution list, often including many of your contacts. So first, check your Sent Items.
If you don’t notice any sent items that look suspicious, use the search built into Gmail to search your deleted messages as well. You can use the following search string within Gmail search to find any emails you’ve sent, even in the Trash: *from:me in:all*
In this example, the attacker deleted the phishing attempt so that at first glance, the real owner of the email account wouldn’t know that they had even sent the email.
2. Check your filters
Once an account is compromised, the attacker would like to keep access to the account as long as possible, and the best way to do this is to remain anonymous. One way that they might do this is by using filters to cover their tracks. So in Gmail, go to your Settings and click on the Filters and Blocked Addresses tab.
The filters I’ve set on this test account are often similar to what an attacker might set. The first filter looks for any emails they sent to non-existent email accounts, in which the server might reply with a subject such as “Undeliverable Mail”. The filter then marks those replies as read and deletes them. The second filter looks for any replies with the subject “Re: ” and then the subject of the phishing attempt email that I sent. So if a real person receives the phishing attempt, and replies to ask if the sender meant to send this, those replies concerning the phishing attempt are also automatically marked as read and deleted. This keeps the real owner of the email account from noticing anything suspicious in their inbox.
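If you have a long list of filters, you can also check them with a short script. The Python below is an added example, not part of the original walkthrough: it assumes you have saved your filters to a file with the Export button on the same tab, and it runs here on a constructed sample in that export format. The function name and the sample subjects are made up for illustration.

```python
import xml.etree.ElementTree as ET

# XML namespaces used in Gmail's exported filter file (an Atom feed).
NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}
# Filter properties that describe what a filter matches on.
CRITERIA = ("from", "to", "subject", "hasTheWord")

# Constructed sample export: two filters like the ones described above,
# plus one ordinary filter that only applies a label.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='subject' value='Undeliverable Mail'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <apps:property name='subject' value='Re: Invoice attached'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
</feed>"""

def find_hiding_filters(xml_text):
    """Return the match criteria of every filter that marks mail as read AND deletes it."""
    flagged = []
    for entry in ET.fromstring(xml_text).findall("atom:entry", NS):
        props = {p.get("name"): p.get("value")
                 for p in entry.findall("apps:property", NS)}
        if props.get("shouldTrash") == "true" and props.get("shouldMarkAsRead") == "true":
            hit = {k: props[k] for k in CRITERIA if k in props}
            # Replies ("Re: ...") being silently deleted is the pattern from the post.
            hit["hides_replies"] = props.get("subject", "").lower().startswith("re:")
            flagged.append(hit)
    return flagged

if __name__ == "__main__":
    for f in find_hiding_filters(SAMPLE_EXPORT):
        print("Review this filter:", f)
```

To check your own account, pass the text of your exported filter file to `find_hiding_filters` instead of the sample, and review any filter it lists that you did not create yourself.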
3. Check your login activity
Lastly, with Gmail, you can check to make sure that you do not see a login event to your account that doesn’t make sense. While logged into your Gmail account, open the Google Apps menu in the upper right near your profile picture, and select My Account.
This interface provides a dashboard of information about your Google account as a whole, rather than any one Google App like Gmail, and includes security information about your account. From here, click on Device Activity & Notifications, and in the next page that opens, click on Review Events.
You will see a list of any security events related to your account in the past 28 days. In this list, Google displays a location based on the IP address that was used for that event.
While this location may be a bit generalized, if you show a sign-in event for Cancun, and you haven’t been to Cancun in a while, it would probably be a good idea to change your password.
So just in case Google doesn’t catch it, look for these 3 signs that your account might have been compromised. The sooner that an attack is discovered, the less damage that can be done.
For some more information on good password habits to make it harder for an attacker to compromise your account, see habit #2 in our post 5 Simple Habits to Prevent Data Disasters.