Thursday, January 19, 2017

Beware of Phishing, Increase the Security of your Google Account

As we use our Smithfield Google accounts for more applications (Google Drive, Google Classroom, etc.), it becomes even more important to keep those accounts secure. As a district, we have made Student Data Privacy a priority, and we have discussed some ways that all staff can keep their accounts and student information more secure: http://staff.smithfield-ps.org/student-data-privacy

Unfortunately, there are always phishing attacks and scams that try to trick users into giving criminals and hackers access to their accounts. You may have recently read about a particularly tricky and sophisticated phishing scheme that has fooled even tech-savvy users. Forbes online has a good, easy-to-understand summary of the phishing attack: http://www.forbes.com/sites/leemathews/2017/01/16/gmail-phishing-attack-targets-your-contacts/#3cc172e51f9d

I wanted to share some tips and strategies with you to help increase the security of your Smithfield Google account. These strategies also apply to other types of online accounts that you may have and use in your professional and personal lives.

ALWAYS check the browser address bar for any site asking you to log in!

Any time a website prompts you to log in, and specifically a site that appears to be Google, check the browser address bar to make sure of the following:
  1. The address of a Google login page should ALWAYS begin with https://accounts.google.com
  2. A GREEN lock symbol should ALWAYS appear indicating that the identity of the Google login page has been VERIFIED and that the connection is secure
If either of these things is missing, DO NOT enter your username or password!
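
For anyone who wants to automate the address check above (for example in a link-checking script), here is an added example that is not part of the original post. It compares a literal "begins with" test against a check that parses the address first, because some lookalike addresses also begin with the right text. The sample addresses are constructed and `example.test` is a placeholder host.

```javascript
// Added example. Sample addresses are constructed; example.test is a placeholder host.
const EXPECTED_ORIGIN = "https://accounts.google.com";

// Literal reading of "begins with": a plain string prefix test.
function naivePrefixCheck(address) {
  return address.startsWith(EXPECTED_ORIGIN);
}

// Parse first, then compare the origin (scheme + host + port) exactly.
function isGoogleLoginAddress(address) {
  let url;
  try {
    url = new URL(address);
  } catch (err) {
    return false; // not an absolute URL at all
  }
  // Text before "@" is a username, not the host; never accept it.
  if (url.username !== "" || url.password !== "") return false;
  return url.origin === EXPECTED_ORIGIN;
}

const SAMPLES = [
  "https://accounts.google.com/ServiceLogin?continue=https://mail.google.com/",
  "HTTPS://ACCOUNTS.GOOGLE.COM/ServiceLogin",
  "https://accounts.google.com.login.example.test/ServiceLogin",
  "https://accounts.google.com@login.example.test/ServiceLogin",
  "http://accounts.google.com/ServiceLogin",
  "data:text/html,https://accounts.google.com/ServiceLogin",
];

// Run both checks over a list of addresses so the differences are visible.
function compareChecks(addresses) {
  return addresses.map((address) => ({
    address,
    naive: naivePrefixCheck(address),
    strict: isGoogleLoginAddress(address),
  }));
}

for (const row of compareChecks(SAMPLES)) {
  console.log(`naive=${row.naive} strict=${row.strict} ${row.address}`);
}
```

The third and fourth samples pass the prefix test even though the real host is `login.example.test`, which is why the part of the address up to the first single `/` should read exactly `https://accounts.google.com`.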

Check to see if your account has been compromised

Google has a great security feature that lets any user review their account activity (i.e. where, when, and how the account has been accessed), set up alerts if Google suspects unusual activity on the account, and log out of any device where you think you forgot to log out. If you are ever concerned that your Google account may have been compromised, this is a terrific option. Here's how to access that tool:
  1. Open your Mail
  2. Scroll to the bottom of your list of messages and look for "Last account activity" on the right. Click "Details" to see more information and access additional options
  3. You can see a list of when, where, and how your account has been accessed. You can also choose to receive an alert if Google suspects unusual activity on your account and log out of any sessions if you forgot to log out

Consider turning on 2-Step Verification

Even if you use extremely secure passwords (and we all do, right?) and are really careful about checking the sites we use, there are additional steps that you can take to secure your Google account even further. One method is to use 2-Step Verification.

2-Step Verification essentially means that, in order to login to your account, you will need to know your password AND provide an additional way to verify your identity (e.g. a code sent to your phone, a code from an app, a physical security key). This means that, even if someone gets your password, they will not be able to login to your account if they do not have that second method to verify your identity. While 2-Step Verification adds an additional step each time you login, it makes your account MUCH more secure and I STRONGLY recommend giving it a try. I use 2-Step Verification on both my work and personal accounts to help keep them secure. While it is less convenient, once you get used to it, it just becomes part of your routine.

Here's how to enable 2-Step Verification. You will need to have a phone handy, preferably a cell phone. Google will ONLY use this phone number for account security; they will not share it or make it public.
  1. Go to the Google 2-Step Verification page, https://www.google.com/landing/2step
  2. Click "Get Started" at the top of the page
  3. Click "Get Started" again on the next page
  4. Login to your Google account (make sure to check that address bar!)
  5. Enter the phone number that you would like to use. I recommend using a cell phone and choosing the "Text Message" option. Click "Try It"
  6. Within a minute or so, you should receive a text message from Google that contains a verification code. The code expires in a few minutes and can only be used once. Enter the verification code on the page and click "Next"
  7. If everything works as it should, click "Turn On"
  8. You will see a page that displays the second step that you added for your account
  9. IMMEDIATELY scroll down the page and set up AT LEAST one alternative second step. This will serve as a backup in the event that you do not have access to your phone. There are a number of options. At a minimum, I would recommend setting up Backup Codes AND a second phone (it doesn't need to be a cell phone, just a phone on which you can receive a voice call). I also use an inexpensive Security Key that I purchased on my own (https://www.yubico.com/products/yubikey-hardware/fido-u2f-security-key/) and the Google Authenticator app as additional 2-Step Verification options
  10. In the future, when you sign in to your Google account, you will be prompted to enter a verification code from a new text message sent to your phone. These codes expire in a few minutes and cannot be used more than once. Also, as tempting as it may be, do NOT check the "Remember this computer for 30 days" option!

I hope that these strategies prove to be useful. While good security is not convenient, it is the responsibility of each and every Smithfield staff member to keep their accounts secure.

