Tag Archives: Safety & Security

Introducing the security center for G Suite—security analytics and best practices from Google

We want to make it easy for you to manage your organization’s data security. A big part of this is making sure you and your admins can access a bird’s eye view of your security—and, more importantly, that you can take action based on timely insights.

Today, we’re introducing the security center for G Suite, a tool that brings together security analytics, actionable insights and best practice recommendations from Google to empower you to protect your organization, data and users.

With the security center, key executives and admins can do things like:

1. See a snapshot of important security metrics in one place. 

Get insights into suspicious device activity, visibility into how spam and malware are targeting users within your organization and metrics to demonstrate security effectiveness—all in a unified dashboard.


2. Stay ahead of potential threats. 

Admins can now examine security analytics to flag threats. For example, your team can have visibility into which users are being targeted by phishing so that you can head off potential attacks, or when Google Drive files trigger DLP rules, you have a heads up to avoid risking data exfiltration.


3. Reduce risk by adopting security health recommendations.

Security health analyzes your existing security posture and gives you customized advice to secure your users and data. These recommendations cover issues ranging from how your data is stored, to how your files are shared, as well as recommendations on mobility and communications settings.  


Get started

More than 3.5 million organizations rely on G Suite to collaborate securely. If you’re a G Suite Enterprise customer, you’ll be able to access the security center within the Admin console automatically in the next few days. These instructions can help admins get started and here are some security best practices to keep in mind.

If you’re new to G Suite, learn more about how you can collaborate, store and communicate securely.

Source: Google Cloud



Reflecting on a year’s worth of Chrome security improvements

In the next few weeks, you’ll probably be spending lots of time online buying gifts for your friends, family and “extended family” (your dog, duh). And as always, you want to do so securely. Picking the perfect present is hard enough; you shouldn’t have to worry about staying safe while you’re shopping.

Security has always been a top priority for Chrome, and this year we made a bunch of improvements to help keep your information even safer, and encourage sites across the web to become more secure as well. We’re giving you a rundown of those upgrades today, so that you can concentrate on buying the warmest new slippers for your dad or the perfect new holiday sweater for your dog in the next few weeks.


More protection from dangerous and deceptive sites


For years, Google Safe Browsing has scanned the web looking for potential dangers—like sites with malware or phishing schemes that try to steal your personal information—and warned users to steer clear. This year, we announced that Safe Browsing protects more than 3 billion devices, and in Chrome specifically, shows 260 million warnings before users can visit dangerous sites every month.

We’re constantly working to improve Safe Browsing and we made really encouraging progress this year, particularly with mobile devices. Safe Browsing powers the warnings we now show in Gmail’s Android and iOS mobile apps after a user clicks a link to a phishing site. We brought Safe Browsing to Android WebView (which Android apps sometimes use to open web content) in Android Oreo, so even web browsing inside other apps is safer. We also brought the new mobile-optimized Safe Browsing protocol to Chrome, which cuts 80 percent of the data used by Safe Browsing and helps Chrome stay lean.


In case you do download a nastygram, this year we’ve also redesigned and upgraded the Chrome Cleanup Tool with technology from IT company ESET. Chrome will alert you if we detect unwanted software, so you can remove the software and get back in good hands.


Making the web safer, for everyone


Our security work helps protect Chrome users, but we’ve also pursued projects to help secure the web as a whole. Last year, we announced that we would mark sites that are not encrypted (i.e., served over HTTP) as “not secure” in Chrome. Since then, we’ve seen a marked increase in HTTPS usage on the web, especially with some of the web’s top sites.

If you’re researching gifts at a coffee shop or airport, you might be connecting to unfamiliar Wi-Fi which could be risky if the sites you’re visiting are not using the secure HTTPS protocol. With HTTPS, you can rest assured that the person sitting next to you can’t see or meddle with everything you’re doing on the Wi-Fi network. HTTPS ensures your connection is encrypted and your data is safe from eavesdroppers regardless of which Wi-Fi network you’re on.


An even stronger sandbox


Chrome has never relied on just one protection to secure your data. We use a layered approach with many different safeguards, including a sandbox—a feature that isolates different tabs in your browser so that if there’s a problem with one, it won’t affect the others. In the past year, we’ve added an additional sandbox layer to Chrome on Android and improved Chrome’s sandboxing on Windows and Android WebView.


So, if you’ve entered your credit card to purchase doggy nail polish in one Chrome tab, and you’ve inadvertently loaded a misbehaving or malicious site in another tab, the sandbox will isolate that bad tab, and your credit card details will be protected.


Improving our browser warnings to keep you even safer


It should always be easy to know if you might be in danger online, and what you can do to get back to safety. Chrome communicates these risks in a variety of different ways, from a green lock for a secure HTTPS connection, to a red triangle warning if an attacker might be trying to steal your information.


By applying insights from new research that we published this year, we were able to improve or remove 25 percent of all HTTPS warnings Chrome users see. These improvements mean fewer false alarms, so you see warnings only when you really need them.
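
Some of Chrome’s HTTPS warnings (on the left) are actually caused by reasons unrelated to security—in this case, the user’s clock was set to the wrong time. We’ve made the warnings more precise (on the right) to better explain what’s going on and how to fix it.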

Unfortunately, our research didn’t help users avoid dog-grooming dangers. This is a very challenging problem that requires further analysis.


A history of strong security


Security has been a core pillar of Chrome since the very beginning. We’re always tracking our own progress, but outside perspectives are a key component of strong protections too.


The security research community has been key to strengthening Chrome security. We are extremely appreciative of their work—their reports help keep our users safer. We’ve given $4.2 million to researchers through our Vulnerability Reward Program since it launched in 2010.

Of course, we’re also happy when researchers aren’t able to find security issues. At Pwn2Own 2017, an industry event where security professionals come together to hack browsers, Chrome remained standing while other browsers were successfully exploited.


Zooming out, we worked with two top-tier security firms to independently assess Chrome’s overall security across the range of areas that are important to keep users safe. Their whitepapers found, for example, that Chrome warns users about more phishing than other major browsers, Chrome patches security vulnerabilities faster than other major browsers, and “security restrictions are best enforced in Google Chrome.” We won’t rest on these laurels, and we will never stop improving Chrome’s security protections.


So, whether you’re shopping for a new computer, concert tickets, or some perfume for your pooch, rest assured: Chrome will secure your data with the best protections on the planet.

Source: Google Chrome



Our efforts to help protect journalists online

Safety and security online is important for all of our users, but especially for journalists in the field conducting difficult—sometimes dangerous—reporting.


Journalists are susceptible to a number of risks. Reporters covering oppressive regimes or working in regions where freedom of the press is limited have been targeted by government-backed attackers. Newsrooms have fallen victim to phishing attempts by malicious hackers trying to steal their account passwords. Entire news sites have been taken down by DDoS (Distributed Denial of Service) attacks. And journalists’ data is increasingly at risk from cyber attacks.


Despite this elevated risk, according to a recent study of more than 2,700 newsroom managers and journalists from 130 countries, at least half of those surveyed don’t use any tools or methods to protect their data and information online. Given the importance of journalism to open societies everywhere, we want to ensure that newsrooms and journalists are equipped with the tools and training they need to be successful—and safe—while doing their work. In the past, we’ve written about how anyone can protect their Google accounts and minimize security risks while using our products. But to address online safety for journalists, we’ve worked with the Jigsaw team and engineers from across the company to offer a few resources:

  • Project Shield helps protect news sites from DDoS attacks for free.
  • Digital Attack Map, a data visualization of DDoS attacks around the globe, can help journalists better understand the threat these attacks pose.
  • Password Alert helps protect and defend against password phishing attempts.
  • We offer trainings on safety and security, specifically focused on journalists. You can check out a recent webinar to help journalists understand whether they’re at risk, and what to do about it.

We also offer the Advanced Protection program for journalists who are at heightened risk. You should look into this program if you answer “yes” to any of these questions:

  • Do you work in a hostile climate?
  • Do you feel that your sources need stronger protections against potential adversaries?
  • Do you get messages about government-backed attacks on Gmail?
  • Do you see suspicious activities around your account? (e.g., password recovery attempts not initiated by you)
  • Would your work be viewed as controversial by some people?

We encourage you to share these resources with your colleagues and friends, and talk to your IT department about what they’re doing to protect your newsroom’s data. It may be worth holding a security risk assessment training with your newsroom using the assets above, or requesting a training on safety and security for journalists (provided by the Google News Lab) at newslabsupport@google.com.


Say “yes” to HTTPS: Chrome secures the web, one site at a time

Editor’s note: October is Cybersecurity Awareness Month, and we're celebrating with a series of security announcements this week. See our earlier posts on new security protections tailored for you, our new Advanced Protection Program, and our progress fighting phishing.

Security has always been one of Chrome’s core principles—we constantly work to build the most secure web browser to protect our users. Two recent studies concluded that Chrome was the most secure web browser in multiple aspects of security, with high rates of catching dangerous and deceptive sites, lightning-fast patching of vulnerabilities, and multiple layers of defenses.

About a year ago, we announced that we would begin marking all sites that are not encrypted with HTTPS as “not secure” in Chrome. We wanted to help people understand when the site they're on is not secure, and at the same time, provide motivation to that site's owner to improve the security of their site. We knew this would take some time, and so we started by only marking pages without encryption that collect passwords and credit cards. In the next phase, we began showing the “not secure” warning in two additional situations: when people enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.


It’s only been a year, but HTTPS usage has already made some incredible progress. You can see all of this in our public Transparency Report:


  • 64 percent of Chrome traffic on Android is now protected, up from 42 percent a year ago.

  • Over 75 percent of Chrome traffic on both Chrome OS and Mac is now protected, up from 60 percent on Mac and 67 percent on Chrome OS a year ago.

  • 71 of the top 100 sites on the web use HTTPS by default, up from 37 a year ago.

Percent of page loads over HTTPS in Chrome by platform

We’re also excited to see HTTPS usage increasing around the world. For example, we’ve seen HTTPS usage surge recently in Japan; large sites like Rakuten, Cookpad, Ameblo, and Yahoo Japan all made major headway towards HTTPS in 2017. Because of this, we’ve seen HTTPS in Japan surge from 31 percent to 55 percent in the last year, measured via Chrome on Windows. We see similar upward trends in other regions—HTTPS is up from 50 percent to 66 percent in Brazil, and 59 percent to 73 percent in the U.S.!


Ongoing efforts to bring encryption to everyone


To help site owners migrate (or originally create!) their sites on HTTPS, we want to make sure the process is as simple and cheap as possible. Let’s Encrypt is a free and automated certificate authority that makes securing your website cheap and easy. Google Chrome remains a Platinum sponsor of Let’s Encrypt in 2017, and has committed to continue that support next year.


Google also recently announced managed SSL for Google App Engine, and has started securing entire top-level Google domains like .foo and .dev by default with HSTS. These advances help make HTTPS automatic and painless, to make sure we’re moving towards a web that’s secure by default.


HTTPS is easier and cheaper than ever before, and it enables both the best performance the web offers and powerful new features that are too sensitive for HTTP. There’s never been a better time to migrate! Developers, check out our set-up guides to get started.

Source: Google Chrome



Fighting phishing with smarter protections

Editor’s note: October is Cybersecurity Awareness Month, and we're celebrating with a series of security announcements this week. This is the third post; read the first and second ones.

Online security is top of mind for everyone these days, and we’re more focused than ever on protecting you and your data on Google, in the cloud, on your devices, and across the web.


One of our biggest focuses is phishing, attacks that trick people into revealing personal information like their usernames and passwords. You may remember phishing scams as spammy emails from “princes” asking for money via wire-transfer. But things have changed a lot since then. Today’s attacks are often very targeted—this is called “spear-phishing”—more sophisticated, and may even seem to be from someone you know.


Even for savvy users, today’s phishing attacks can be hard to spot. That’s why we’ve invested in automated security systems that can analyze an internet’s-worth of phishing attacks, detect subtle clues to uncover them, and help us protect our users in Gmail, as well as in other Google products, and across the web.


Our investments have enabled us to significantly decrease the volume of phishing emails that users and customers ever see. With our automated protections, account security (like security keys) and warnings, Gmail is the most secure email service today.


Here is a look at some of the systems that have helped us secure users over time, and enabled us to add brand new protections in the last year.

More data helps protect your data


The best protections against large-scale phishing operations are even larger-scale defenses. Safe Browsing and Gmail spam filters are effective because they have such broad visibility across the web. By automatically scanning billions of emails, webpages, and apps for threats, they enable us to see the clearest, most up-to-date picture of the phishing landscape.


We’ve trained our security systems to block known issues for years. But new, sophisticated phishing emails may come from people’s actual contacts (yes, attackers are able to do this), or include familiar company logos or sign-in pages.

Attacks like this can be really difficult for people to spot. But new insights from our automated defenses have enabled us to immediately detect, thwart and protect Gmail users from subtler threats like these as well.

Smarter protections for Gmail users, and beyond

Since the beginning of the year, we’ve added brand new protections that have reduced the volume of spam in people’s inboxes even further.

  • We now show a warning within Gmail’s Android and iOS apps if a user clicks a link to a phishing site that’s been flagged by Safe Browsing. These supplement the warnings we’ve shown on the web since last year.


  • We’ve built new systems that detect suspicious email attachments and submit them for further inspection by Safe Browsing. This protects all Gmail users, including G Suite customers, from malware that may be hidden in attachments.
  • We’ve also updated our machine learning models to specifically identify pages that look like common log-in pages and messages that contain spear-phishing signals.

Safe Browsing helps protect more than 3 billion devices from phishing, across Google and beyond. It hunts and flags malicious extensions in the Chrome Web Store, helps block malicious ads, helps power Google Play Protect, and more. And of course, Safe Browsing continues to show millions of red warnings about websites it considers dangerous or insecure in multiple browsers—Chrome, Firefox, Safari—and across many different platforms, including iOS and Android.


Layers of phishing protection


Phishing is a complex problem, and there isn’t a single, silver-bullet solution. That’s why we’ve provided additional protections for users for many years.

  • Since 2012, we’ve warned our users if their accounts are being targeted by government-backed attackers. We send thousands of these warnings each year, and we’ve continued to improve them so they are helpful to people. The warnings look like this.
  • This summer, we began to warn people before they linked their Google account to an unverified third-party app.
  • We first offered two-step verification in 2011, and later strengthened it in 2014 with Security Key, the most secure version of this type of protection. These features add extra protection to your account because attackers need more than just your username and password to sign in.

We’ll never stop working to keep your account secure with industry-leading protections. More are coming soon, so stay tuned.

Google’s strongest security, for those who need it most

Editor’s note: October is Cybersecurity Awareness Month, and we're celebrating with a series of security announcements this week.


When operating at the scale of Google, we usually strive to build products that serve the needs of billions of people. Today we’re introducing a different kind of product—one that we specifically tailored to protect the online security of a much smaller set of users.


We took this unusual step because there is an overlooked minority of our users that are at particularly high risk of targeted online attacks. For example, these might be campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety. Sometimes even the most careful and security-minded users are successfully attacked through phishing scams, especially if those phishing scams were individually targeted at the user in question.


To address this need, we’re introducing the Advanced Protection Program. Advanced Protection provides Google’s strongest security, designed for those who are at an elevated risk of attack and are willing to trade off a bit of convenience for more protection of their personal Google Accounts.


Once you enroll in Advanced Protection, we’ll continually update the security of your account to meet emerging threats—meaning Advanced Protection will always use the strongest defenses that Google has to offer.


At the start, the program focuses on three core defenses.


The strongest defense against phishing: Advanced Protection requires the use of Security Keys to sign into your account. Security Keys are small USB or wireless devices and have long been considered the most secure version of 2-Step Verification, and the best protection against phishing. They use public-key cryptography and digital signatures to prove to Google that it’s really you. An attacker who doesn’t have your Security Key is automatically blocked, even if they have your password.


Protecting your most sensitive data from accidental sharing: Sometimes people inadvertently grant malicious applications access to their Google data. Advanced Protection prevents this by automatically limiting full access to your Gmail and Drive to specific apps. For now, these will only be Google apps, but we expect to expand these in the future.

Blocking fraudulent account access: Another common way hackers try to access your account is by impersonating you and pretending they have been locked out. For Advanced Protection users, extra steps will be put in place to prevent this during the account recovery process—including additional reviews and requests for more details about why you've lost access to your account.

We've been testing Advanced Protection for the last several weeks and learning from people like Andrew Ford Lyons, a Technologist at Internews, an international nonprofit organization that has supported the development of thousands of media outlets worldwide. “Journalists, human rights defenders, environment campaigners and civil society activists working on any number of sensitive issues can quickly find themselves targeted by well-resourced and highly capable adversaries,” says Andrew. “For those whose work may cause their profile to become more visible, setting this up could be seen as an essential preventative step.” The testers’ feedback was hugely helpful; we’re very appreciative of the time they spent with the product.


Anyone with a personal Google Account can enroll in Advanced Protection. Today, you’ll need Chrome to sign up for Advanced Protection because it supports the U2F standard for Security Keys. We expect other browsers to incorporate this soon.
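Why a Security Key sign-in resists phishing even when the password is known can be shown with a simplified model of the U2F signing step; this is an added example, not Google's code or part of the original post. It assumes the app ID equals the site origin, and the class, function and origin names are constructed for illustration.

```javascript
// Added example, simplified U2F-style model. Assumptions: app ID == origin; all names and origins are constructed.
const crypto = require('crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
// Bytes covered by the signature: app ID hash, user-presence flag, counter, client-data hash.
const signedBytes = (origin, counter, clientData) =>
  Buffer.concat([sha256(origin), Buffer.from([0x01]), counter, sha256(clientData)]);

class SecurityKey {
  constructor() { this.keys = new Map(); this.counter = 0; }
  register(origin) { // one key pair per site; the site stores only the public key
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(origin, privateKey);
    return publicKey;
  }
  sign(origin, challenge) { // `origin` is reported by the browser, not by the page
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null; // never registered with this origin
    const clientData = JSON.stringify({ typ: 'navigator.id.getAssertion', challenge, origin });
    const counter = Buffer.alloc(4);
    counter.writeUInt32BE(++this.counter);
    const signature = crypto.sign('sha256', signedBytes(origin, counter, clientData), privateKey);
    return { clientData, counter, signature };
  }
}

// Server-side check, run after the password has already been accepted.
function verifyAssertion(origin, publicKey, challenge, lastCounter, assertion) {
  if (!assertion) return false;
  const client = JSON.parse(assertion.clientData);
  if (client.origin !== origin || client.challenge !== challenge) return false;
  if (assertion.counter.readUInt32BE() <= lastCounter) return false; // replayed or cloned key
  return crypto.verify('sha256', signedBytes(origin, assertion.counter, assertion.clientData),
    publicKey, assertion.signature);
}

function demo() {
  const REAL = 'https://accounts.example', FAKE = 'https://accounts.example.login.test';
  const userKey = new SecurityKey(), attackerKey = new SecurityKey();
  const publicKey = userKey.register(REAL); // enrolment at the real site
  userKey.register(FAKE);                   // worst case: user also enrolled at the look-alike
  attackerKey.register(REAL);               // attacker knows the password but owns a different key
  const challenge = crypto.randomBytes(32).toString('hex');
  const check = (a) => verifyAssertion(REAL, publicKey, challenge, 0, a);
  return {
    genuine: check(userKey.sign(REAL, challenge)),
    relayedFromLookalike: check(userKey.sign(FAKE, challenge)),
    passwordOnlyAttacker: check(attackerKey.sign(REAL, challenge)),
  };
}
```

Only the first case verifies: the relayed assertion carries the look-alike origin inside the signed data, and the attacker's own key produces a signature the stored public key rejects.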


For now, Advanced Protection is only available for consumer Google Accounts. To provide comparable protections on G Suite Accounts, G Suite admins can look into Security Key Enforcement and OAuth apps whitelisting.


Sign up for Advanced Protection at g.co/advancedprotection.