Onccloud

How Did Google Stop Phishing Attacks on Their Employees?

So, it’s no surprise to hear that a handful of years ago, scammers were relentless in their attacks on Google, one of the biggest and most significant companies in the technology industry. More specifically, the scammers were targeting Google employees. Their attack of choice was phishing. Phishing is a ploy by con artists to trick targets into divulging their email addresses, passwords and company information. When a target takes the bait, so to speak, the scammer has the login credentials needed to get access and do more damage. They can even gain access to a network to steal data or money. How does phishing work? Typically, it comes in as a work email from a company administrator telling you to update your password, but it’s actually from a con artist. Imagine the wealth of information that Google has in its network databases. It’s for that reason that Google is such a juicy target for scammers. But you’re thinking, Google is a smart organization and would make sure to warn employees about wolves in sheep’s clothing trying to trick them. And you’re right. They had sent important messages to employees plenty of times, warning them about emails, calls or texts that seemed to come from Google but were actually sent by scammers. But those warnings are quickly forgotten. Not only that, but con artists are also quite good at what they do and come up with effective approaches that persuade employees that providing their passwords is very important. But surely, you’d assume that the bright people who work at Google are too smart to let themselves be scammed, right? Wrong. And it has nothing to do with intelligence. Even the brightest can fall victim. So, Google was experiencing ongoing troubles with employees being fooled, tricked, duped and hacked by scammers. Scammers were getting employees to somehow provide their login credentials, or at least the part the scammer needed.
Google had tried to help its employees fight back against hackers by implementing a security process called two-factor authentication. In short, that simply means they added a second step to the login process for their employees. Think of it like this: for years, just one thing, your password, was all that was needed for accessing your account. As it turns out, often that “one way” simply isn’t good enough. Because, as you’ve heard many times before, hackers or scammers, through various means, often obtain consumer or employee credentials and log into those accounts. They steal them or guess them, and then log in to our accounts. Having just one way, one factor, for accessing an account could leave you open to trouble. So, security experts came up with a solution for websites and companies. They decided your basic credentials (username and password) alone wouldn’t be enough. They devised a way to require a second factor to gain access to an account, after you enter your name and password. Let’s talk about two-factor authentication and learn how it works. After you start to log in to a website on which two-factor authentication (2FA) has been set up, you simply take an extra step. That second step (factor) is typically a one-time password (a code of 5-6 digits) that you receive instantly on your smartphone via text message or an app. The code you get is the second factor that completes the login process. That process works very well nearly all the time, and it does keep hackers out. Google used the 2FA approach and had employees use one-time codes that were sent to their phones. End of story? Not quite. Here’s why. As it turns out, using two-factor authentication with one-time codes sent as texts is not totally hacker-proof, because, well, hackers and scammers never give up. And, sure enough, the crafty crooks and tricksters devised ways to fool Google employees into giving away the second factor, or somehow hijacked the entire login process.
So, despite requiring two-factor authentication for all employees, the scammers still managed to have success. Google, determined to find a way to put an end to the phishing of employees’ email accounts, found a way to do it. In 2017, Google made a move that would bring successful employee phishing to a halt. What they did was take two-factor authentication to the next level, and with that move they eliminated false logins to employee accounts. Google found the key to stopping scammers in their tracks. Literally. It was in early 2017 when Google made a move that stopped phishing attempts cold. They were understandably upset to know that their internal processes and the phone-text-based two-factor authentication hadn’t yet worked. That’s when they handed out 85,000 security keys (the actual brand was YubiKey) to their employees and required every employee to use their security key every time they logged into their email or Google accounts. A security key is a physical product, along the lines of a thumb drive, just not as big. It is perhaps the strongest form of 2FA. The key plugs right into your device, whether you use a computer, smartphone or tablet. There are keys for each type of plug-in. The small, electronic security key became an essential and required part of Google’s process for employees logging into their work accounts. Unless a scammer acquired an employee’s physical security key, there was no way they could log in to that employee’s work accounts or email. And immediately after that, Google did not have any of its more than 85,000 employees successfully “phished” at work. It was an effective way to stop phishing attacks. From that point on, Google says, security keys are at the heart of all account access for any Google employee.
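To make concrete the difference the article turns on, here is an added example (not Google’s code and not from this article) that models both login flows in Python: a one-time code check in the style of RFC 4226, which is what a texted or app-generated 6-digit code amounts to, and a security-key check in which the origin reported by the browser is part of the signed challenge. The origins, secrets and counter value are constructed for the demonstration, and an HMAC with a per-key secret stands in for the public-key signature a real FIDO key produces; the point it shows is that the server verifying a code has no way to tell where the employee typed it, while a key’s response only verifies for the site the browser was actually on.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed sample values for the demonstration (not real credentials or sites).
OTP_SEED = b"constructed-otp-seed-shared-with-server"
KEY_SECRET = b"constructed-secret-held-only-inside-the-key"
REAL_ORIGIN = "https://accounts.example.test"       # hypothetical real login site
LOOKALIKE_ORIGIN = "https://accounts-example.test"  # hypothetical lookalike site


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the same kind of 6-digit code a texted or app-based 2FA prompt shows."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


def server_verify_otp(submitted_code: str, counter: int) -> bool:
    """The server only ever sees digits; nothing in them records where the user typed them."""
    return hmac.compare_digest(submitted_code, hotp(OTP_SEED, counter))


def key_sign(origin_seen_by_browser: str, challenge: bytes) -> bytes:
    """Security-key response. The browser, not the web page, supplies the origin the user
    is on, and that origin becomes part of the signed data. Simplification: an HMAC with a
    per-key secret stands in for the asymmetric signature a real key produces."""
    signed_data = hashlib.sha256(origin_seen_by_browser.encode()).digest() + challenge
    return hmac.new(KEY_SECRET, signed_data, hashlib.sha256).digest()


def server_verify_key(expected_origin: str, challenge: bytes, assertion: bytes) -> bool:
    """The real server only accepts a response computed over its own origin."""
    expected = key_sign(expected_origin, challenge)
    return hmac.compare_digest(assertion, expected)


def otp_given_away_on_lookalike() -> bool:
    """The employee reads the texted code and gives it away on a lookalike page.
    Returns True: the real server accepts that code, because it carries no origin."""
    counter = 7  # constructed counter value
    code_texted_to_employee = hotp(OTP_SEED, counter)
    code_presented_to_real_server = code_texted_to_employee
    return server_verify_otp(code_presented_to_real_server, counter)


def key_touched_on_lookalike() -> bool:
    """Same employee, same key, but the touch happens while the browser is on the lookalike
    origin. Returns False: the response does not verify at the real server."""
    challenge = secrets.token_bytes(32)                # server-issued challenge
    assertion = key_sign(LOOKALIKE_ORIGIN, challenge)  # browser binds the origin it sees
    return server_verify_key(REAL_ORIGIN, challenge, assertion)


def key_touched_on_real_site() -> bool:
    """Normal login: the origin matches, so the response verifies."""
    challenge = secrets.token_bytes(32)
    assertion = key_sign(REAL_ORIGIN, challenge)
    return server_verify_key(REAL_ORIGIN, challenge, assertion)


if __name__ == "__main__":
    print("texted code, typed on a lookalike site, accepted by the real server:",
          otp_given_away_on_lookalike())
    print("security key, touched on a lookalike site, accepted by the real server:",
          key_touched_on_lookalike())
    print("security key, touched on the real site, accepted by the real server:",
          key_touched_on_real_site())
```

Note that the key in this model never makes a decision about whether a site is genuine; it simply signs what the browser hands it, and the server’s check of the origin does the rest. That is why the article can say that, short of stealing the physical key, a scammer has nothing useful to collect.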
A Google representative explained the impact of the changes: “We have had no reported or confirmed account takeovers since implementing security keys at Google.” “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.” For information on the different forms of two-factor authentication, including security keys, read our recently revised article on the topic.
