Gmail security Settings to Avoid Phishing and Ransomware
Human Error – Gmail’s Kryptonite
Data Backup and the Art of Dodging Bullets!
SysCloud Google Workspace Backup
Gmail Security Settings to Stop Phishing and Ransomware
28 Oct 2021
20 min read
According to Proofpoint, 74% of organizations in the U.S. experienced a successful phishing attack last year which was 30% higher than the global average. About 68% of these organizations had to pay ransom in 2020 to protect their data which was twice the global average.
When it comes to ransomware attacks, it is always best to take the time-tested method of prevention than seek cure after the damage is done!
In this article, we will review Gmail security settings to protect your data from phishing and ransomware attacks.
Gmail security Settings to Avoid Phishing and Ransomware
1. Pre-delivery message scanning to prevent phishing and spamming
To avoid phishing and spamming emails in your inbox, Google has introduced a feature that allows Gmail to scan a message before delivering it into your inbox. If Gmail identifies any suspicious content, it introduces a short delivery delay to perform additional checks. If it does find any suspicious content, it is then sent to the spam folder.
As an administrator, you can enable enhanced pre- delivery message scanning in the Google Admin Console.
Note: Enabling pre-delivery message scanning might delay the delivery of some messages for up to 4 minutes.
2.Disable Bypass Spam Filter to Scan All Internal Emails and Suspicious Links
Unethical hackers use social engineering strategies to trick users into giving out their account credentials. A careless employee is all it takes for a cybercriminal to gain access to your business data. The attacker can use the compromised account as a launching pad to corrupt other user accounts!
A simple solution that will help you stay one step ahead of attacks from compromised accounts is to let Gmail scan all internal emails as well for spam and suspicious links.
3. Configure SPF Setting to Receive Emails Only from Designated Email Servers
Cybercriminals use every trick in the book to swindle businesses. One of the most common online frauds that popular brands are especially vulnerable to is the brand impersonation phishing attack. The aim of such attacks is to either gain the confidential data of the targeted victim or to ruin the reputation of the targeted brand.
To prevent your organization from getting spoofed, you can create a Sender Policy Framework (SPF) record for your domain. An SPF record is a type of DNS record that identifies email servers permitted to send emails on behalf of your domain. Recipients can refer to the SPF record to determine whether an email claiming to be from your domain comes from an authorized email server.
4. Configure DKIM Setting to Verify Email Authenticity
Imagine your customers receiving a malicious email claiming to be from your organization. Thinking it as an important email, your customers may click on the malicious links which could compromise conﬁdential data and ruin your organization’s reputation.
Here is where DKIM (DomainKeys Identiﬁed Mail) can come to your rescue. DKIM is a form of email veriﬁcation that allows an organization to claim responsibility for a message. DKIM works by adding a digital signature (private key) to the header of an email message. This signature can be veriﬁed by a public cryptographic key in the organization’s Domain Name System (DNS) records. Email servers that receive messages from your domain use the public key to decrypt the message header and verify the message source.
While DKIM and SPF are useful tools to leverage the battle against domain impersonation attacks, there are three fundamental drawbacks with just relying on DKIM and SPF:
1. There is no way for you to know if there are issues in authenticating your emails.
2. You cannot tell the recipient what to do with your email (like send to the spam folder) in case the authentication fails.
3. The receiver has no means to give you feedback on the authenticity of the received email.
Domain-based Message Authentication, Reporting and Conformance (DMARC) addresses all these drawbacks and can be configured for Gmail.
5. Configure DMARC Setting to Verify the Email Sender’s Domain Authenticity
By configuring DMARC setting, administrators can prevent hackers from spoofing their organization and domain. DMARC provides strong sender authentication allowing systems to filter legitimate messages from spoofed ones.
Note: You can also optionally turn on Brand Indicators for Message Identification (BIMI) after you turn on DMARC. BIMI lets you add a brand logo to the authenticated messages sent from your domain. BIMI validates the ownership of the organization’s logos that are authenticated by DMARC and securely transmits them to Google.
6. Enable Email Attachment Scan Settings to Scan Encrypted Attachments and Scripts
One of the recent phishing techniques involves sending out emails containing HTML (Hypertext Markup Language) attachments. These HTML attachments host web pages on the recipient’s device itself to avoid detection. Opening such attachments is particularly dangerous in collaboration suites like Google Workspace.
With Gmail, you have the option to double down on attachment scanning by choosing the following automated scanning features:
1. Protection against encrypted attachments from untrusted senders
2. Protection against attachment with scripts from untrusted senders
3. Protection against unusual attachment types in emails
For each of these Gmail security settings, the admin can decide to either quarantine the message, move it to spam, or send it to the user’s inbox with a warning sign.
8. Enable Security Sandbox Setting to Scan Attachments before Delivering It
You can set up a Gmail security Sandbox to automatically direct all emails irrespective of their origin (internal or external) to a secure sandbox (only for Education and Enterprise versions) for further inspection. Once the email and the attachment pass scrutiny, it is forwarded to the recipients.
Note: Scanning attachments in Security Sandbox might delay the delivery of some messages for up to 3 minutes.
9. Configure SMTP MTA-STS Protocol to Enforce End-to-End Email Encryption
The traditional Simple Mail Transfer Protocol (SMTP) protocol has two significant loopholes that can be exploited to eavesdrop on your domain’s email communication or even redirect them to an SMTP server set up by an attacker.
Wondering How is This Possible?
While SMTP promises encrypted messages, the encryption is first initiated by an unencrypted message (STARTTLS) that attackers can tamper with. Yet another nightmare scenario involves changing the recipient’s email server address (MX record) and redirecting encrypted mails to the attacker’s inbox where the emails are unencrypted.
Gmail now gives you the option to configure SMTP MTA Strict Transport Security (SMTP MTA-STS in short) protocol.
Configuring MTA-STS addresses the fundamental issue with the SMTP protocol and definitely gives your email security an upgrade.
Enabling S/MIME Encryption prevents unwanted parties from tampering or compromising with the contents of emails and helps the email recipient to confirm the identity of the sender. The sender and the recipient exchange unique identification information called keys to confirm the identity and authenticity of the message.
Note: For S/MIME Encryption to work, both the recipient and the sender must have it enabled.
11. Enable Spam Header Settings to Maximize Spam Filtering Capacity in All Routing Rules
Spam emails are the most common method used by cybercriminals to spread malware. Gmail allows you to block this vulnerability in scenarios where a spam message is automatically forwarded, especially when the inbox belongs to a group or department.
Spam characteristics appear in two parts of an email:
1. Message header
2. In the message content
Headers are important because they show the history of the message delivery path as well as some common characteristics of spam. Attackers forge the information in the headers to bypass the anti-spam filters. A simple solution that will help you to avoid attacks through spam emails is to enable the spam header settings in all default routing rules that you may have enabled. This will ensure maximized filtering capacity of email servers downstream and will make sure that the spam headers are retained properly.
13. Use a Physical Security Key to Verify User Identity
Turning on two-factor authentication (aka 2FA) is a useful countermeasure among the many layers of security settings in Gmail. However, 2FA is not bulletproof and you are still vulnerable to specialized man-in-the-middle attacks (MITM) where the user is directed to a fake login page that collects the username, password, and temporary authentication code!
Using a hardware authentication key such as YubiKey or a contextually aware 2FA application like Okta can give you a stronger layer of security to thwart sophisticated phishing attacks. Recently, Google launched the Advanced Protection Program (APP) that uses a physical security key to verify identity and strengthens the password recovery process to deter phishing attacks.
While Gmail gives you the option to dramatically improve your security stance against phishing and ransomware attacks, all security strategies have one major weakness: human error.
The key finding of a study conducted by usecure for security awareness was that human error was the major contributing cause in 95% of all breaches.
Occasionally, a phishing email may get past Gmail’s spam filters and a careless employee – oblivious to all the telltale signs – may go ahead and click on the malicious link. There is only so much that Gmail can do to protect your domain from user errors.
Here are some real-world scenarios of how human errors can unfold:
Gullible executives may fall for emails like prizes, unbelievable product discounts, spoofed transactional emails, or invitations to edit a document from someone they might know.
A negligent IT team member who does not enable two-factor authentication, reuses passwords for multiple accounts, does not regularly change password, leaves the system unlocked while away, or does not adhere to Gmail’s security practices can cause grave danger to the organization’s Gmail security.
A careless employee might install unauthorized apps and extensions, mindlessly forward emails with links to co-workers, ignore Gmail’s spam warnings, or lose a mobile device with company data.
Malicious users might delete, overwrite, expose, and steal valuable data.
A privileged user can exfiltrate data by misusing his/her credentials and privileges and export data from the cloud apps with malicious intent.
What fuels any phishing or ransomware attack is the desperate need of the victim to regain access to their data. Data backup simply eliminates this vulnerability by keeping a copy of the user’s data that can be easily restored.
The only way to make sure your data is secure in the event of a successful phishing or ransomware attack is to encrypt Gmail and Drive files. When encryption is used in conjunction with data backup, phishing and ransomware attacks can be rendered meaningless.
3. Leverage backup to avoid downtime even when you are under attack
The most overlooked aspect of a successful phishing or ransomware attack is the enormous loss in productivity because your data is now encrypted and no longer accessible. Having an up-to-date Gmail backup, along with a backup of all other Google Workspace Apps, gives you the option to restore data from the backup archives directly to your user accounts. Users in your domain will be back on their feet with limited or no major disruption. Data backup in conjunction with encryption can dramatically enhance your Google Workspace security posture against phishing and ransomware.
Third-party apps like SysCloud offer fully automated backup to ironclad your Gmail security.
SysCloud Google Workspace Backup
SysCloud offers a fully automated cloud to cloud backup and restore service. We use the top trusted web services like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform to store data.
Using SysCloud, businesses can automatically backup their Google Workspace data for multiple domains. Admins can save licensing costs during employee exits by using cross-user restore to transfer data with folder structure and sharing permissions intact. SysCloud also lets administrators monitor the backup health status with ransomware and phishing alerts, and enables point-in-time restore for Google Drive.
Why Should you Back up Using SysCloud?
Backup & restore success rates: SysCloud allows users to backup and restore data with a 100% success rate.
License cost optimization: Admins can choose to automatically remove/suspend users who were removed from your Google Workspace.
Backup data protection: SysCloud constantly monitors data backup archives and notifies instances of insider threats, ransomware, phishing. SysCloud can also scan, identify, and flag the presence of sensitive data in the backup archives.
Reports and audit-logs: SysCloud provides configurable reports for the administrator for all the backup, restore and export events.
Backup features: SysCloud allows users to backup multiple domains automatically, provides a backup preview, and gives instant alerts in case of failure. Admins can also configure backup retention period at a user, group, or domain level.
Restore features: SysCloud offers a powerful keyword-based search to locate lost files from the backup archives. Users can choose to restore backed-up data in a single-click, download instantly, or export the data.
How Does SysCloud Backup for Google Workspace Work?
Watch this video to learn how SysCloud’s Google Workspace backup works.
Gmail ensures security by using 128-bit encryption for safeguarding emails at rest and TLS protocol for encryption during transit of emails. However, nothing is 100% secure. To protect against phishing and ransomware attacks, you can improve the security of your domain’s email communication with these methods.
2. Is Gmail an encrypted email?
Gmail encrypts your emails by using Transport Layer Security (TLS) protocol, but this encryption works only if the email providers of both sender and email recipient always use TLS. You can also configure S/MIME encryption to add an extra layer of security.
3. How do I send a secure email in Gmail?
To send a secure email, you can use the “confidential mode” option on Gmail. By using the confidential mode, you can:
Set expiry date for the email and attachments
Revoke access for attachments
Restrict email receivers from copying, pasting, downloading, printing, and forwarding the email text and attachments