On Friday, Google published the results of a year-long study on wide-scale and targeted account hijacking attacks. The study corroborated the firm’s belief that taking a few simple steps can protect users from most attacks. But one step, in particular, stands out: Add a recovery phone number to your Google account.
“Our research shows that simply adding a recovery phone number to your Google Account can block up to 100 percent of automated bots, 99 percent of bulk phishing attacks, and 66 percent of targeted attacks that occurred during our investigation,” a Google Security Blog post notes.
Google teamed up with researchers from New York University and the University of California, San Diego on the year-long study on wide-scale attacks and targeted attacks. And it found that basic account hygiene goes a long way toward thwarting those attacks.
“We provide an automatic, proactive layer of security to better protect all our users against account hijacking,” Google explains. “If we detect a suspicious sign-in attempt (say, from a new location or device), we’ll ask for additional proof that it’s really you. This proof might be confirming you have access to a trusted phone or answering a question where only you know the correct response.”
That additional proof can include a 2-step verification prompt on your phone or even an SMS text message. Both are quite effective, according to Google: SMS codes helped prevent 100 percent of automated bots, 96 percent of bulk phishing attacks, and 76 percent of targeted attacks. But on-device prompts were even better, as they stopped 100 percent of automated bots, 99 percent of bulk phishing attacks and 90 percent of targeted attacks.
Users without recovery phone numbers have to fall back on weaker knowledge-based challenges, such as recalling their last sign-in location. While this kind of challenge can be effective in some cases, its effectiveness drops to as low as 10 percent against phishing attacks.
Ultimately, Google’s advice is sound: Take a bit of time to make sure your Google account (and your other online accounts) are secure. Google has a great post about the five best steps you can take. Again, the first step, adding a recovery phone number, is the single most effective one.
dontbe evil
google and security in the same title … ROTFL
Stooks
So basically you should be using 2-factor… old news, and all of your services should have this. Ask John Podesta how important that is.
Bats
This is old advice. I did this a few years ago, when Google incentivized users to add the phone number in exchange for additional GBs of Google Drive space.