Google is sounding the alarm for Gmail’s 2.5 billion users. The company says attackers are ramping up phishing campaigns and credential theft attempts, and most people are far too vulnerable because they rarely change their passwords. As Phone Arena relayed, if you haven’t updated your Gmail password this year, now’s the time.
Greatly increased ‘successful intrusions’
How to stay safe
In a recent security advisory, Google noted that stolen or compromised passwords are behind a huge portion of successful account takeovers: 37%, to be exact. That stat is bad enough, but it’s compounded by the fact that 64% of users don’t regularly update their passwords. It’s easy math: billions of accounts, a mountain of weak credentials, and an increasingly aggressive wave of phishing attacks means hackers are getting more hits than ever.
And these aren’t your run-of-the-mill “Nigerian prince” emails. Attackers are impersonating Google Support in both emails and phone calls, tricking people into clicking fake sign-in links or sharing two-factor authentication (2FA) codes over the phone. If you’re not paying close attention, you could hand over your password and 2FA credentials without realizing it. Once that happens, attackers can sidestep protections and lock you out of your own account.
Google says the fix starts with the basics: change your password now, and keep changing it periodically. But the company also wants users to move beyond passwords altogether. Passkeys — login credentials based on biometrics like your fingerprint or face unlock, or even a device PIN — are significantly harder to phish. Yet adoption is low: only about a third of US consumers use them.
If you don’t already have a passkey on your account, Google recommends setting one up immediately. Another tip: If you’re on a device that supports passkeys, but you see a password prompt instead, that’s a red flag. Don’t sign in.
Beyond passkeys, Google also suggests ditching SMS-based 2FA in favor of an authenticator app. SMS codes can be intercepted or socially engineered out of you, while authenticator apps generate one-time codes that attackers can’t easily steal.
The overall theme is that you shouldn’t wait for a “security alert” email or call to remind you to update your password security. If you’re still relying on a password you’ve been using for years — or worse, one you’ve reused across multiple sites — change it now and then set up a passkey and an authenticator app. Hackers are counting on complacency. Don’t make it easy for them.
Source link
