Tag Archives: safety and security

Spot the scam, stop the scammers

According to the Federal Trade Commission (FTC), people reported $1.9 billion lost to scams in 2019. Every minute, more than $3,600 disappeared from wallets and bank accounts in response to made-up stories of urgently overdue tax payments, bogus contest winnings, or a smooth-talking online suitor who suddenly needs some gift cards. A high-pressure phone call or exciting message can overcome many people’s judgment, especially if they are caught at a vulnerable moment.

As the record-high scam reports keep coming, we’re providing support to the Cybercrime Support Network to help people identify scams before they fall victim to them through a new program called Scam Spotter. It simplifies expert advice with three golden rules—remember to refer to these rules when you receive a suspicious phone call or message to figure out if it’s a scam:

Slow it down: Are they telling you it’s urgent? Take your time and ask questions to avoid being rushed into a bad situation.
Spot check: Are they claiming to be from a specific institution? Do your own research to double check the details you’re getting.
Stop! Don’t send: Are they asking you to go to the store and get gift cards? If you think a payment feels fishy, it probably is.

Just because COVID-19 has disrupted everyone’s life, it doesn’t mean the scammers have taken a break. In fact, scammers have exploited the pandemic with alarming speed, taking advantage of fear and uncertainty. More than $40 million in fraud losses have been reported to the FTC related to a myriad of COVID-19 complaints. While the stories are new—invented stimulus packages, phoney charities, romantic interests who now have an uncle in the ICU—the same three golden rules apply equally well:

While people ages 25-40 are most likely to be scammed, research shows it’s seniors who stand to lose the most, with their median losses more than double the average. As one of the architects of the Internet and an executive sponsor of the “Greyglers,” an internal group that promotes awareness of age diversity and issues related to age, I feel obligated to try to help my fellow Americans stay safe. It will take a cross-generational effort. Please consider sharing ScamSpotter.org the next time you talk to the seniors in your life. Maybe you can both take the quiz and compare your scores, too.

If we learn how to spot the bad actors, we can spend our time focusing on those moments that matter. And to the seniors out there, remember: of course the Internet is for us, we invented it!

Source: The Official Google Blog

Spot the scam, stop the scammers

Slow it down: Are they telling you it’s urgent? Take your time and ask questions to avoid being rushed into a bad situation.
Spot check: Are they claiming to be from a specific institution? Do your own research to double check the details you’re getting.
Stop! Don’t send: Are they asking you to go to the store and get gift cards? If you think a payment feels fishy, it probably is.

If we learn how to spot the bad actors, we can spend our time focusing on those moments that matter. And to the seniors out there, remember: of course the Internet is for us, we invented it!

Source: The Official Google Blog

Helping you avoid COVID-19 online security risks

As people around the world are staying at home due to COVID-19, many are turning to new apps and communications tools to work, learn, access information, and stay connected with loved ones.

While these digital platforms are helpful in our daily lives, they can also introduce new online security risks. Our Threat Analysis Group continually monitors for sophisticated, government-backed hacking activity and is seeing new COVID-19 messaging used in attacks, and our security systems have detected a range of new scams such as phishing emails posing as messages from charities and NGOs battling COVID-19, directions from “administrators” to employees working from home, and even notices spoofing healthcare providers. Our systems have also spotted malware-laden sites that pose as sign-in pages for popular social media accounts, health organizations, and even official coronavirus maps. During the past couple of weeks, our advanced, machine-learning classifiers have seen 18 million daily malware and phishing attempts related to COVID-19, in addition to more than 240 million COVID-related spam messages.

To protect you from these risks, we've built advanced security protections into Google products to automatically identify and stop threats before they ever reach you. Our machine learning models in Gmail already detect and block more than 99.9 percent of spam, phishing and malware. Our built-in security also protects you by alerting you before you enter fraudulent websites, scanning apps in Google Play before you download, and more. But we want to help you stay secure everywhere online, not just on our products, so we’re providing these simple tips, tools and resources.

Know how to spot and avoid COVID-19 scams

With many of the COVID-19 related scams coming in the form of phishing emails, it’s important to pause and evaluate any COVID-19 email before clicking any links or taking other action. Be wary of requests for personal information such as your home address or bank details. Fake links often imitate established websites by adding extra words or letters to them—check the URL’s validity by hovering over it (on desktop) or with a long press (on mobile). Keep these tips handy and learn more at g.co/covidsecuritytips.

Helping you avoid COVID-19 online security risks

Use your company’s enterprise email account for anything work-related

Working with our enterprise customers, we see how employees can put their company’s business at risk when using their personal accounts or devices. Even when working from home, it’s important to keep your work and personal email separate. Enterprise accounts offer additional security features that keep your company’s private information private. If you’re unsure about your company’s online security safeguards, check with your IT professionals to ensure the right security features are enabled, like two-factor authentication.

Secure your video calls on video conferencing apps

The security controls built into Google Meet are turned on by default, so that in most cases, organizations and users are automatically protected. But there are steps you can take on any video conferencing app to make your call more secure:

If your meetings use short, numeric codes, turn on the password or PIN feature. The extra layer of verification will help ensure only the invited attendees gain access to the meeting.
When sharing a meeting invite publicly, be sure to enable the “knocking” feature so that the meeting organizer can personally vet and accept new attendees before they enter the meeting.
If you receive a meeting invite that requires installing a new video-conferencing app, always be sure to verify the invitation—paying special attention to potential imposters—before installing.

Install security updates when notified

When working from home, your work computer may not automatically update your security technology as it would when in the office and connected to your corporate network. It’s important to take immediate action on any security update prompts. These updates solve for known security vulnerabilities, which attackers are actively seeking out and exploiting.

Use a password manager to create and store strong passwords

With all the new applications and services you might be using for work and school purposes, it can be tempting to use just one password for all. In fact, 66 percent of Americans admit to using the same password across multiple accounts. To keep your private information private, always use unique, hard-to-guess passwords. A password manager, like the one built into Android, Chrome, and your Google Account can help make this easier.

Protect your Google Account

If you use a Google Account, you can easily review any recent security issues and get personalized recommendations to help protect your data and devices with the Security Checkup. Within this tool, you can also run a Password Checkup to learn if any of your saved passwords for third party sites or accounts have been compromised and then easily change them if needed.

You should also consider adding two-step verification (also known as two-factor authentication), which you likely already have in place for online banking and other similar services to provide an extra layer of security. This helps keep out anyone who shouldn’t have access to your accounts by requiring a secondary factor on top of your username and password to sign in. To set this up for your Google Account, go to g.co/2SV. And if you’re someone who is at risk of a targeted attack—like a journalist, activist, politician or a high profile healthcare professional—enroll in the Advanced Protection Program, our strongest security offering, at g.co/advancedprotection.

Help your kids stay safe online

With schools closed around the world, kids are online more than ever before. You can help your kids learn how to spot scams with the educational material at Be Internet Awesome and within the interactive learning game, Interland. You can also use Family Link to create age-appropriate accounts, control your kids’ app downloads, and monitor their activity.

Our teams continue to monitor the evolving online security threats connected to COVID-19 so that we can keep you informed and protected. For more tips to help you improve your online security, visit our Safety Center.

Source: The Official Google Blog

Findings on COVID-19 and online security threats

Google’s Threat Analysis Group (TAG) is a specialized team of security experts that works to identify, report, and stop government-backed phishing and hacking against Google and the people who use our products. We work across Google products to identify new vulnerabilities and threats. Today we’re sharing our latest findings and the threats we’re seeing in relation to COVID-19.

COVID-19 as general bait

Hackers frequently look at crises as an opportunity, and COVID-19 is no different. Across Google products, we’re seeing bad actors use COVID-related themes to create urgency so that people respond to phishing attacks and scams. Our security systems have detected examples ranging from fake solicitations for charities and NGOs, to messages that try to mimic employer communications to employees working from home, to websites posing as official government pages and public health agencies. Recently, our systems have detected 18 million malware and phishing Gmail messages per day related to COVID-19, in addition to more than 240 million COVID-related daily spam messages. Our machine learning models have evolved to understand and filter these threats, and we continue to block more than 99.9 percent of spam, phishing and malware from reaching our users.

How government-backed attackers are using COVID-19

TAG has specifically identified over a dozen government-backed attacker groups using COVID-19 themes as lure for phishing and malware attempts—trying to get their targets to click malicious links and download files.

Location of users targeted by government-backed COVID-19 related attacks

One notable campaign attempted to target personal accounts of U.S. government employees with phishing lures using American fast food franchises and COVID-19 messaging. Some messages offered free meals and coupons in response to COVID-19, others suggested recipients visit sites disguised as online ordering and delivery options. Once people clicked on the emails, they were presented with phishing pages designed to trick them into providing their Google account credentials. The vast majority of these messages were sent to spam without any user ever seeing them, and we were able to preemptively block the domains using Safe Browsing. We’re not aware of any user having their account compromised by this campaign, but as usual, we notify all targeted users with a “government-backed attacker” warning.

We’ve also seen attackers try to trick people into downloading malware by impersonating health organizations:

attackers impersonating health organizations

International and national health organizations are becoming targets

Our team also found new, COVID-19-specific targeting of international health organizations, including activity that corroborates reporting in Reuters earlier this month and is consistent with the threat actor group often referred to as Charming Kitten. The team has seen similar activity from a South American actor, known externally as Packrat, with emails that linked to a domain spoofing the World Health Organization’s login page. These findings show that health organizations, public health agencies, and the individuals who work there are becoming new targets as a result of COVID-19. We're proactively adding extra security protections, such as higher thresholds for Google Account sign in and recovery, to more than 50,000 of such high-risk accounts.

Contact message from Charming Kitten and packrat phishing page — Left: Contact message from Charming Kitten. Right: Packrat phishing page

Generally, we’re not seeing an overall rise in phishing attacks by government-backed groups; this is just a change in tactics. In fact, we saw a slight decrease in overall volumes in March compared to January and February. While it’s not unusual to see some fluctuations in these numbers, it could be that attackers, just like many other organizations, are experiencing productivity lags and issues due to global lockdowns and quarantine efforts.

Accounts that received a “government-backed attacker” warning in 2020 — Accounts that received a “government-backed attacker” warning each month of 2020

When working to identify and prevent threats, we use a combination of internal investigative tools, information sharing with industry partners and law enforcement, as well as leads and intelligence from third-party researchers. To help support this broader security researcher community, Google is providing more than $200,000 in grants as part of a new Vulnerability Research Grant COVID-19 fund for Google VRP researchers who help identify various vulnerabilities.

As the world continues to respond to COVID-19, we expect to see new lures and schemes. Our teams continue to track these and stop them before they reach people—and we’ll continue to share new and interesting findings.

Source: The Official Google Blog

New malware protections for Advanced Protection users

Advanced Protection safeguards the personal or business Google Accounts of anyone at risk of targeted attacks—like political campaign teams, journalists, activists and business leaders. It’s Google's strongest security for those who need it most, and is available across desktops, laptops, smartphones and tablets.

One of the many benefits of Advanced Protection is that it constantly evolves to defend against emerging threats, automatically protecting your personal information from potential attackers. Today we're announcing new ways that Advanced Protection is defending you from malware on Android devices.

Play Protect app scanning is automatically turned on

Google Play Protect is Google's built-in malware protection for Android. It scans and verifies 100 billion apps each day to keep your device, data and apps safe. Backed by Google's machine learning algorithms, it’s constantly evolving to match changing threats. To ensure that people enrolled in our Advanced Protection Program benefit from the added security that Google Play Protect provides, we’re now automatically turning it on for all devices with a Google Account enrolled in Advanced Protection and will require that it remain enabled.

Limiting apps from outside the Play Store

Advanced Protection is committed to keeping harmful apps off of enrolled users’ devices. All apps on the Google Play Store undergo rigorous testing, but apps outside of Google Play can potentially pose a risk to users’ devices. As an added protection, we’re now blocking the majority of these non-Play apps from being installed on any devices with a Google Account enrolled in Advanced Protection. You can still install non-Play apps through app stores that were pre-installed by the device manufacturer and through Android Debug Bridge. Any apps that you’ve already installed from sources outside of Google Play will not be removed and can still be updated.

G Suite users enrolled in the Advanced Protection Program will not get these new Android protections for now; however, equivalent protections are available as part of endpoint management. See this help center article for a full list of Android device policies, specifically: “Verify apps,” which prevent users from turning off Google Play Protect, and “Unknown apps,” which prevent users from installing apps from outside the Play Store.

When will these changes roll out?

Starting today, these changes for Android will gradually roll out for Google Accounts that are enrolled in Advanced Protection. We’ll also be rolling out new malware protections for Chrome later this year, building upon the risky download protections we announced in 2019.

You can learn more about Advanced Protection on Android here, and to enroll in Google's Advanced Protection, visit g.co/advancedprotection.

Source: Google Chrome

New malware protections for Advanced Protection users

Play Protect app scanning is automatically turned on

Limiting apps from outside the Play Store

When will these changes roll out?

You can learn more about Advanced Protection on Android here, and to enroll in Google's Advanced Protection, visit g.co/advancedprotection.

Source: The Official Google Blog

Highlights from the first year of .dev

A year ago, our Google Registry team launched .dev—a top-level domain (TLD) for developers, designers, technical writers, and technology enthusiasts. This new TLD gave people the chance to register memorable domain names that can be hard to find on older domains, with a descriptive ending that’s especially relevant to them.

The .dev TLD is on the HSTS preload list, which means it’s secure for both website owners and their visitors. Placement on the HSTS preload list ensures HTTPS encryption for your entire website, which helps protect visitors against ad malware, tracking injection from ISPs, and potential spying when using open Wi-Fi networks. With so much built-in security, .dev has become the natural place for technology makers to share resources, showcase great work, and foster community.

In the last year, over 150,000 .dev domains have been registered, and we’ve seen many creative uses of the TLD. Here are just a few of the exciting examples we’ve seen.

A video with three .dev tips

Atlassian

Atlassian launched both software.dev and cicd.dev to share insights into today’s software development landscape and how software and IT professionals use CI/CD tools. Using .dev domains helped them market both sites, which have sparked conversations on social media among the developer community.

Cloudflare

Cloudflare launched workers.dev to help developers build serverless websites and applications that deploy directly onto subdomains of workers.dev. The TLD made it possible for Cloudflare to use a domain name that’s both descriptive and easy to remember. And over the last year, they’ve seen developers create handy apps like this “lazy invoice” tool.

Salesforce

Salesforce used lwc.dev to launch a site dedicated to Lightning Web Components (their open source project) where professional developers can find online documentation, copy source code for various recipes, and engage with the Lightning Web Components community.

Google Developer Relations

The Google Developer Relations team launched google.dev for developers to explore and learn about all the technologies Google has to offer. You can sign up for the waitlist for the beta version of google.dev, which lets developers create profiles and earn badges by passing technical challenges. The team sends out new invites regularly, so be sure to sign up.

Go Programming Language

Our Go Language team launched go.dev on the 10th anniversary of the open source programming language to provide Go developers a hub where they can find learning resources, including featured use cases and customer stories of other companies using Go.

Build your own .dev experience

From the start, we envisioned .dev as a home for developers and technology makers, and it’s been wonderful to see all the amazing work showcased in this domain. To celebrate .dev’s first birthday, we created a short video of some of our favorite .dev users sharing their tips for building great websites. We hope you’ll find it useful as you begin your next project, and we hope it inspires you to create your own .dev experience. Visit get.dev to learn more and get started.

Source: The Official Google Blog

Helping families Be Internet Awesome on Safer Internet Day

Editor’s note: This is adapted from remarks Parisa gave today at the Grow with Google NYC Learning Center.

When I was a kid, my brothers and I had to “take turns” using our family computer with slow, dial-up internet access. It wasn’t until college that I got my own computer and cell phone—which was only for making calls. Now, it’s so different for kids who are growing up with access to the web and mobile apps at home and school; most parents are buying smartphones for their kids at 9.5 years old.

With technology at their fingertips, online safety education is so important for young people. We need to put online safety in the same class, literally, as math, science, and history—it’s a fundamental skill in navigating our digital world. This is why I’m so proud of the work we’ve done with Be Internet Awesome. The idea behind Be Internet Awesome is to make sure the most important people in young people’s lives—their parents and teachers—have the resources to teach online safety and citizenship.

Since launching in 2017, Be Internet Awesome is now available in over 26 countries, 12 languages, and millions of people around the world have used the program. But we aren’t there yet. Anew Google survey found that 2 out of 3 parents believe conversations about online safety should happen both in the home and in the classroom, but only 4 in 10 parents feel confident enough to talk to their families about online safety.

Google wants to help, and we couldn't do it without enthusiastic and deeply committed partners. Today we’re announcing a partnership with the National PTA and YMCA to host more than 400 family online safety, citizenship, and digital wellbeing workshops this week across the country to help parents have the tech talk with their kids. The workshops will also help people learn about our Family Link parental controls, YouTube Kids and Digital Wellbeing tools. We’re hosting many of these free workshops right here at the Grow with Google NYC Learning Center alongside a pop-up online safety experience open to the public, and we’re empowering parents and volunteers via YMCA and PTA to help their fellow parents by hosting them across the US.

Along with these partnerships, we’re expanding Be Internet Awesome to the Netherlands, Indonesia, Nigeria, Kenya, and South Africa. We’re also teaming up with DonorsChoose.org to encourage teachers in over 3,500 classrooms to teach kids about online safety with the Be Internet Awesome Classrooms Rewards Program. And we’re partnering with Scholastic to provide 2 million families with Be Internet Awesome tips and resources for teachers and parents.

Most kids won't know what it's like to wait until college to get a cell phone. So it's even more important that they learn how to make smart choices online at an early age, and Be Internet Awesome can help them get there. We’re excited to kick off these workshops on Safer Internet Day, and continue our work to share these insights for years to come.

Source: The Official Google Blog

Teaming up with Defending Digital Campaigns on election security

Last week, we shared an overview of how we’re equipping campaigns with security tools like Project Shield and supporting programs like the new Election Security and Information Project. We also just announced a major update of our Advanced Protection Program which will make it easier for members of campaigns to get our strongest level of Google Account security, in an instant.

Today is Safer Internet Day and we’re announcing a new partnership with Defending Digital Campaigns to provide federal campaigns access to free Titan Security Keys, the strongest form of two-factor authentication. Last year, the Federal Elections Commission granted special approval for DDC to offer cybersecurity services to presidential and congressional campaigns. We’re working with this bipartisan organization to help make all qualifying campaigns safer and make it easier for people to enroll in our Advanced Protection program.

Security keys aren’t the only thing campaigns can do to stay safer. Here are three things that any campaign can do to make their members, and their entire organizations, more secure right now.

Enroll in the strongest security offering

From candidates to canvassers, every member of a campaign should understand how to add extra layers of security and protect their information. We recommend everyone associated with political campaigns enroll in our Advanced Protection Program, which bundles all our strongest Google Account security options together. Advanced Protection is available for both personal and G Suite accounts and we recommend campaign members enroll both types of accounts in the program, which they can now enroll instantly with their Android or iPhone. Qualifying campaigns can also request a free physical security key as a backup via Defending Digital Campaigns.

Protect everyone, not just the name at the top of the ticket

Every member of a campaign needs to understand the basics of keeping their information safe. Of course that applies to candidates themselves, but it’s equally important for everyone else with access to campaign information. In fact, it might be more important to educate the vendors, consultants, and support staff because they may not think of themselves as at risk.

If you’re working on a political campaign we recommend that you enroll in the Advanced Protection Program. But, if you decide that’s not for you, these five security tips can strengthen your security in just a few minutes. For example, our research found that simply adding a recovery phone number to your Google Account can block up to 100 percent of automated bots, 99 percent of bulk phishing attacks, and 66 percent of targeted attacks. Campaigns can check out The Belfer Center’s Cybersecurity Campaign Playbook and their overview video for more extensive information.

Make sure someone is accountable for your campaign’s security

Campaigns and political committees should make sure someone at a senior level is responsible for implementing security best practices. You wouldn’t expect the employees of a bank to tolerate consultants with personal email accounts, staffers checking sensitive data on the family iPad, or vendors emailing documents back and forth. Political campaigns, despite often having more of a startup feel, shouldn’t tolerate these lax practices either.

It’s never too late for campaigns to take these simple steps, and much easier to dial up the defense than many people think.

Source: The Official Google Blog

A safer internet for Europe, the Middle East and Africa

Chances are you’re reading this in a country that formally recognizes Safer Internet Day—an initiative that originated in the European Union two decades ago and is now observed in as many as 150 countries around the world.

Whether you’re spurred into doing a Security Checkup, trying our Phishing Quiz, or setting digital ground rules through Family Link, you’ll know the importance of safety in your online life. We take your safety online seriously, and are investing heavily in building, developing and sharing tools and projects to help you and your family stay safer.

Last year, we opened the Google Safety Engineering Center (GSEC) in Germany as the center of that ongoing investment. At this hub of global privacy engineering, we’ve built products such as Password Manager, which scans hundreds of millions of passwords every day and warns you if any of your credentials have been compromised. More than 100 million users have run a Password Checkup since we launched the feature last year.

More than 1,000 employees now work at GSEC, combining the best in privacy and safety engineering, product development and user experience design to help make the digital world work for everyone more safely.

Helping children learn how to be safer online

Because you want your children to be able to make the most of the web safely, we developed Be Internet Awesome in 2017 to help make digital safety knowledge as accessible as possible. Since then, we have trained millions of children through the program in Europe, the Middle East, and Africa. And today, we’re launching in four more countries: Nigeria, Kenya, South Africa, and the Netherlands.

With Be Internet Awesome (InternetHelden in the Netherlands) Google works with non-governmental organizations to teach children how to be safer, more confident explorers of the online world. For example, we help children practice smart tactics for analyzing and evaluating information, sharing media with care, creating strong passwords, and handling bullying.

We’re proud that the program has been awarded the Seal of Alignment by the International Society for Technology in Education, and pleased to make it available to many more children.

Helping experts make the online world safer

We know Google can’t tackle online safety alone, so we’re partnering with cross-sector experts and developers to address evolving challenges on the web. Just this month, we announced the 29 grant recipients of the Google.org Impact Challenge on Safety, a €10 million fund to support organizations across Europe who are working to address hate, extremism and child safety.

One of them—Mama Chat, from its headquarters in Italy—has built a chat service that gives free and anonymous support for women and girls in need. Another, the Fare Network, is working to fight racism in football. You can learn more about all the grantees on our Google.org Impact Challenge website.

Helping protect your devices from attack

And of course we’re continuing to build improvements into the core of our products and services that help protect people from harm.

For example, over the last year, we made our strongest security program more accessible than ever before, by enabling you to use your Android or iOS phone as a security key instead of a standard physical security key that you need to carry around. You shouldn’t need to be an expert in computer security to stay safe, which is why this year we’ll continue to build best-in-class security features to help keep you protected against evolving online threats wherever you are on the internet.

To learn more about our resources to help keep you and your family safer, please visit the Google Safety Center.